Trinsic Online Data Processing Agreement

APPLICABILITY

THIS DPA SHALL NOT APPLY TO THE EXTENT THAT CUSTOMERS WHO ACCESS AND USE THE SERVICES HAVE ESTABLISHED A SEPARATE, WRITTEN DATA PROTECTION AGREEMENT WHICH IS (I) CURRENT, (II) COMPLIANT WITH APPLICABLE REGULATIONS, AND (III) COVERS THE SPECIFIC PERSONAL DATA PROCESSING ACTIVITIES IN QUESTION. 

This Data Processing Agreement is incorporated by reference into, and forms part of, the principal agreement that governs Customer’s access to and use of the Services, including but not limited to the Terms of Service, a separate Master Services Agreement, or Service-specific Participation Agreement (the “Main Agreement”) between Trinsic Technologies, Inc., a Delaware corporation (“Trinsic”), and the Customer agreeing to the Agreement (“Customer”, or “you”).

RECITALS

WHEREAS, Trinsic provides services (the “Services”) under the Main Agreement that involve the processing of End User Data (defined below) provided by or on behalf of the Customer and that are subject to applicable data protection laws.

WHEREAS, this DPA supplements the Main Agreement and establishes additional terms governing Trinsic’s processing of End User Data.

NOW, THEREFORE, in consideration of the foregoing and the mutual covenants set forth herein, the parties agree as follows:

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions. The capitalized terms used in this DPA shall have the meanings set forth in this Section or the Main Agreement. Key defined terms include, but are not limited to:

  • “Business Purpose” means the Services as described in the Main Agreement and any additional purposes set forth in Annex A.
  • “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations as amended by the California Privacy Rights Act of 2020 (“CPRA”). 
  • “Data Protection Laws and Regulations” means all laws and regulations applicable to the processing of End User Data under the Main Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, Brazil, and the United States and its states, and where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
  • “End User” means a natural person with whom the Customer engages in connection with the Customer’s use of the Services.
  • “End User Data” means any data or information relating to an End User that is collected, processed, transmitted, or stored in service of the Business Purpose that could directly or indirectly identify an End User. This includes, but is not limited to, personal data as defined under applicable Data Protection Laws and Regulations such as identifiers, names, dates of birth, and individual identity attributes. For purposes of this DPA, End User Data shall exclude anonymized or aggregated data that cannot reasonably be used to identify an individual.
  • “EU GDPR” means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of End User Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • “LGPD” means Brazil’s General Data Protection Law No. 13,709/2018 and applicable regulations.
  • “Security Breach” means any act or omission that compromises the security, confidentiality, integrity, or availability of End User Data or that compromises the physical, technical, administrative, or organizational safeguards put in place to protect it. 
  • “Standard Contractual Clauses (SCCs)” means the relevant Data Protection Laws and Regulations’ approved data transfer clauses.
  • “Sub-Processor” means any third party engaged by Trinsic to process personal data on behalf of the Customer in connection with the provision of the Services under this DPA.
  • “Swiss DP Laws” means the Federal Act on Data Protection of June 19, 1992 (as updated, amended and replaced from time to time), including all implementing ordinances. In this DPA, in circumstances where and solely to the extent that the Swiss DP Laws apply, references to the EU GDPR and its provisions shall be construed as references to the Swiss DP Laws and their corresponding provisions.
  • “Transfer” means any transmission, access, or other form of processing of End User Data to a country outside the European Economic Area (EEA), the United Kingdom, and/or Switzerland that is not the subject of an adequacy decision under the relevant Data Protection Laws and Regulations.
  • “UK GDPR” means the EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom.  In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the EU GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.
  • “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

1.2 Other Terms. Terms such as “controller,” “data subject,” “personal data”, “processor,” and “processing” or similar terms shall be construed according to applicable Data Protection Laws and Regulations or, in the absence thereof, the EU GDPR.

1.3 Interpretation. This DPA is incorporated by reference into, and forms part of the Main Agreement. Interpretations and defined terms set forth in the Main Agreement apply to the interpretation of this DPA. 

1.4 Conflict. In the case of conflict or ambiguity between: (a) any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail; (b) any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail; and (c) the LGPD (or regulations issued by ANPD) and this DPA, the legal provisions of LGPD and ANPD regulations shall prevail. 

1.5 Scope. Notwithstanding any term or condition of the DPA, the DPA does not apply to any End User Data or information that does not relate to one or more identifiable individuals, that has been aggregated or de-identified in accordance with Data Protection Laws and Regulations, or to the extent that Trinsic and Customer have entered separate data processing terms that address the subject matter hereof. 

2. PROCESSING OF END USER’S PERSONAL INFORMATION

2.1 Role of the Parties. The roles of the parties are outlined in Annex A of this DPA. In any case, Trinsic is a processor acting under the Customer’s instruction in order to provide the Services. 

2.2 Authorization to Process. Trinsic is authorized by the Customer to process End User Data solely:

(a) as necessary to provide the Services in accordance with the Main Agreement and to comply with Data Protection Laws and Regulations;

(b) to transfer End User Data to sub-processors and service providers as required and allowed in this DPA;

(c) as reasonably necessary to comply with any other directions or instructions provided by Customer.

2.3 Categories of Data. Annex A outlines the categories of data subjects and the End User Data processed.

3. TERM 

3.1 Term. This DPA becomes effective on the date the Customer agrees to the Main Agreement and shall remain in force until the expiration or termination of the Main Agreement (“Term”).

4. TRINSIC’S OBLIGATIONS

4.1 Processing Limitations.  Trinsic will only process End User Data as necessary to provide the Services and in accordance with the Customer’s instructions, this DPA and Data Protection Laws and Regulations.

4.2 Cooperation. Trinsic will, to the extent required by Data Protection Laws and Regulations, comply with any reasonable request or instruction from Customer requiring Trinsic to amend, transfer, or delete the End User Data, or to stop, mitigate, or remedy any unauthorized processing.

4.3 Confidentiality. Trinsic will maintain the confidentiality of all End User Data and will not disclose End User Data to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Trinsic to process or disclose End User Data, Trinsic will inform the Customer of the legal requirement and allow the Customer to object or challenge the requirement, unless the law prohibits such notice.

4.4 Assistance. Trinsic will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Laws and Regulations while also considering the nature of Trinsic’s processing and the information available to Trinsic. Trinsic will notify the Customer if it receives a request from a data subject for access to their End User Data or a similar request to exercise one of the data subject’s personal data rights.

4.5 Sub-Processors. 

  1. Trinsic will ensure that when engaging with Sub-Processors for the purposes of delivering the Services, there is a written contract in place that will provide at least the same level of protection for End User Data as set out in this DPA (to the extent applicable by relevant regulations and to the nature of the Services provided by the relevant Sub-Processor).
  2. Trinsic uses Sub-Processors to support the delivery of the Services. A current list of platform Sub-Processors is published by Trinsic at this link. Trinsic may add or replace Sub-Processors from time to time and will notify Customer of any such changes. Continued use of the Services after such notice constitutes acceptance of the new Sub-Processor.
  3. Certain Sub-Processors used by Trinsic in connection with specific ID Providers available through the Services are not listed publicly for security and confidentiality reasons and may differ depending on Customer’s use of the Services. A current list of such Sub-Processors will be provided upon request by emailing [email protected]

4.6 Security. Trinsic shall implement and maintain appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons. A description of the current measures is published at this link or on our security page. Trinsic may update such measures from time to time, provided that the updates do not materially reduce the overall level of security.

4.7 Audit Rights. Upon written request, Trinsic shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and, where required by Data Protection Laws and Regulations, allow for (and contribute to) audits, including inspections conducted by Customer or another auditor under the instruction of the Customer for the same purposes of demonstrating compliance with obligations set out in this DPA. Such audit shall be at Customer’s sole expense, conducted during normal business hours, and in a manner that does not disrupt Trinsic’s business operations. 

5. CUSTOMER OBLIGATIONS

5.1 Compliance Obligations. The Customer acknowledges and agrees that: (i) it shall comply with its obligations under applicable Data Protection Laws and Regulations in respect of its Processing of End User Data and its use of the Services, taking into account its role as specified under Annex A; (ii) all instructions it provides to Trinsic for the processing of End User Data are lawful and shall comply in all material respects with Data Protection Laws and Regulations; (iii) it is responsible for the accuracy, quality, and legality of the End User Data it provides to Trinsic, and for ensuring that a valid legal basis exists for Trinsic’s processing of such data, including where such basis is established by another party on whose behalf the Customer acts; and (iv) it has ensured that all required notices have been provided to data subjects and any required consents and authorizations have been obtained as required under Data Protection Laws and Regulations in connection with the Processing.

6. SECURITY BREACH

6.1 Notification. Trinsic shall notify Customer without undue delay upon Trinsic becoming aware of an actual Security Breach affecting End User Data, providing Customer with sufficient information and reasonable assistance to allow Customer to meet its obligations under Data Protection Laws and Regulations.

6.2 Costs. To the extent that a Security Breach was caused by Customer, Customer shall be responsible for the costs arising from Trinsic’s provision of assistance under this section. 

7. CROSS-BORDER TRANSFERS FOR EU, UK, AND SWITZERLAND

7.1 GDPR Compliance. In the event the End User Data is subject to the EU GDPR, UK GDPR, or the Swiss DP Laws, the terms of this Section 7 will apply.

7.2 Transfers. Customer acknowledges that Trinsic is based in the United States and provides a global service offering. In order to perform the Services under this DPA, Trinsic may transfer or store personal data outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, including to jurisdictions that may not provide an equivalent level of data protection. 

7.3 Transfer Mechanisms. Trinsic shall ensure that an appropriate transfer mechanism under the EU GDPR is in place for any Transfer of personal data from the EEA to a third country. Such mechanisms may include the execution of the EU SCCs, or the reliance on another legally recognized safeguard under the EU GDPR, such as an adequacy decision.

7.3.1 Data Privacy Framework. Trinsic is certified under the EU-U.S. Data Privacy Framework (“DPF”).  Any Transfers to the US are covered by the EU-U.S., UK Extension to the EU-U.S. or the Swiss-U.S. Data Privacy Framework, as applicable. In the event that the DPF is invalidated, unavailable, or otherwise not applicable to a specific Transfer, or Trinsic’s certification is not maintained for the duration of processing activities, Trinsic shall implement an alternative lawful transfer mechanism under the applicable Data Protection Laws and Regulations. Such mechanisms may include the execution of the EU SCCs, as detailed below, or reliance on another legally recognized safeguard.

7.3.2 EU SCCs. Where EU SCCs are used, the applicable module shall be incorporated by reference to this DPA, and the following shall apply: 

  1. Annex A to this DPA shall be deemed Annex I to the EU SCCs; the Technical and Organizational measures published here shall be deemed Annex II; and the List of Sub-Processors published here shall be deemed Annex III.
  2. By agreeing to the Main Agreement, each party is deemed to have executed the SCCs (including their annexes and appendices) as of the date the Customer agreed to the Main Agreement; 
  3. Clauses 7 (Docking clause) and 9(a) of the EU SCCs covering authorization for sub-processors are included into the incorporated EU SCCs to this DPA;  
  4. For the purposes of Clause 13 of the EU SCCs, the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which the data exporter is established; and
  5. For the purposes of Clauses 17 and 18 of the EU SCCs, where applicable, to the extent that the governing law and jurisdiction provisions in the Main Agreement do not satisfy the requirements of the EU SCCs:
    1. The parties select Option 2 of Clause 17 and agree that the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established;
    2. If such law does not allow for third-party beneficiary rights, the governing law of the EU SCCs shall be the laws of Ireland.
    3. Pursuant to Clause 18, any dispute arising under the EU SCCs shall be resolved by the courts of Ireland, and the parties submit to the jurisdiction of such courts.

7.3.3 UK Addendum. Where the Transfer is subject to the UK GDPR, the EU SCCs, together with the Annexes defined in Section 7.3.2 (a), shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK Addendum. For the purposes of Table 4 in Part 1 (Tables) of the UK Addendum, the Parties select the “neither party” option. Otherwise, the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK Addendum is set out in the Annexes to the SCCs, as defined above.

7.3.4 Swiss DP Laws. Where the Transfer is subject to the Swiss DP Laws, the EU SCCs, together with the Annexes defined in Section 7.3.2 (a), shall be read in accordance with this Section. To the extent the Swiss DP Laws are applicable to a data export under the EU SCCs set forth in this DPA, the Parties agree on the following amendments to the EU SCCs and Annexes.

(a) The term “Member State” according to Clause 18 (c) of the EU SCCs shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence;

(b) The supervisory authority pursuant to Clause 13 of the EU SCCs is the Swiss Federal Data Protection and Information Commissioner;

(c) The law applicable to the EU SCCs pursuant to Clause 17 of the EU SCCs shall be Swiss DP Laws;

(d) The place of jurisdiction under Clause 18 (b) of the EU SCCs shall be the courts of the city of Zurich; and

(e) Where the EU SCCs include references to the EU GDPR, such references shall be understood as references to the Swiss DP Laws.

8. CALIFORNIA REQUIREMENTS

8.1 CCPA Applicability. In the event the End User Data is subject to the CCPA, the terms of this Section 8 will apply.

8.2 Restrictions on Data Use. Except as permitted by the CCPA, Trinsic will not sell or share End User Data or retain, use, or disclose End User Data (i) for any purpose other than as necessary to fulfill the business purposes set forth in the Main Agreement, or (ii) outside of the direct business relationship between Trinsic and Customer.

8.3 Prohibition on Data Combination. No party will combine the End User Data with personal information that it receives from or on behalf of any other person(s) or entity(ies), or collects from its own interaction with an individual, except as otherwise permitted by the CCPA.

8.4 Permitted Use and Exceptions. Notwithstanding the above, Trinsic may retain, use or disclose End User Data as permitted under the CCPA, including: (i) to retain and employ another service provider or contractor as a Sub-Processor in accordance with the DPA and any other applicable terms of the Main Agreement where the Sub-Processor meets the requirements for a Service Provider or Contractor under CCPA; (ii) for its internal use to build or improve the quality of the Services, provided that Trinsic does not use the End User Data to perform services on behalf of another person; (iii) to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity; (iv) for the purposes enumerated in California Civil Code § 1798.145(a)(1) through § 1798.145(a)(7); or (v) for any other purpose expressly contemplated or permitted by CCPA or other applicable law.

9. BRAZIL REQUIREMENTS

9.1 LGPD Compliance. In the event the End User Data is subject to the LGPD, the terms of this Section 9 will apply. 

9.2 Lawfulness of Data and Instructions. Customer shall ensure that all End User Data provided to Trinsic has been collected and will be processed by Trinsic in compliance with the LGPD and other applicable laws, including that a valid legal basis (as per LGPD Art. 7 or other applicable provisions) has been established.

9.3 Onward Transfers. Trinsic shall not transfer or disclose End User Data to any third party (except authorized sub-processors, or as may be required by law) without Customer’s instruction or consent. The parties agree that any cross-border transfer of End User Data from Brazil to another country shall be governed by an approved transfer mechanism under LGPD Art. 33, namely:

(a) An adequacy decision by ANPD recognizing the destination country as having an adequate level of protection (LGPD Art. 33(I)), or

(b) The SCCs attached hereto as Annex B which, if relied on as the approved transfer mechanism, form an integral part of this DPA. In accordance with ANPD Resolution CD/ANPD No. 4/2023 and the ANPD’s International Transfer Regulation, the SCCs shall be executed without modification.

9.4 Scope of SCCs. If Trinsic engages sub-processors located outside Brazil, it shall ensure that those sub-processors accede to the SCCs either through a “docking” mechanism (SCC Clause 9) or by signing equivalent contractual clauses approved by ANPD. Trinsic agrees that data subjects are third-party beneficiaries of the SCCs and can enforce their rights as provided therein. Customer acknowledges that Trinsic is acting at its direction, and that it remains ultimately responsible under LGPD for compliance, for responding to the ANPD, and for ensuring data subject rights are respected, even when the SCCs designate certain tasks to Trinsic.

9.5 Additional Measures. In addition to the SCCs, Trinsic shall adopt any supplementary measures necessary to ensure that the transferred End User Data receives a level of protection essentially equivalent to that guaranteed by LGPD in Brazil. This may include technical protections, policy measures, or transparency measures as appropriate and as outlined in Annex C of this DPA. Trinsic will promptly inform Customer if it becomes aware of any legal barriers in the destination country that could prevent it from fulfilling its obligations under the SCCs or this DPA (for example, if local laws or government access requests risk a conflict with LGPD protections).

10. INDEMNIFICATION

Any indemnification obligations between the parties are as set forth in the Main Agreement. 

11. GOVERNING LAW

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions set forth in the Main Agreement, unless otherwise required by applicable Data Protection Laws and Regulations. 

12. DELETION

Upon expiration or termination of the Main Agreement, Trinsic will delete End User Data in accordance with its standard retention schedule unless storage is required by applicable law or contracts. 

13. NOTICES

Any notice or other communication given to a party under or in connection with this DPA must be in writing and in compliance with the Main Agreement.

ANNEX A — DESCRIPTION OF PROCESSING

Business Purpose: As outlined in the Main Agreement and any Order.

The applicable description of Processing below will depend on whether the Customer is acting as a Controller or a Processor in relation to End User Data. Both roles are described for completeness, and the relevant table shall apply based on the Customer’s role under the Agreement. Only the applicable table shall have contractual effect.

[THIS TABLE IS APPLICABLE IF CUSTOMER IS A DATA CONTROLLER]

Data Controller: The Customer specified in the Main Agreement and DPA
Data Processor: Trinsic
Import/Export: Customer is the Data Exporter. Trinsic is the Data Importer.
Categories of data subjects: End Users of Customer
Categories of personal data: Name, contact details (phone number, email address), date of birth, full address, document or ID number (e.g. driver’s license, voter ID, passport, national ID numbers), selfie
Nature and purpose of processing: Data is processed solely to deliver the Services contemplated in the Main Agreement and any Order, namely to verify and/or enrich the personal data transferred to Trinsic using an ID Provider. Processing may include transfer, transformation, storage, and deletion of data.
Frequency of processing: Continuous
Duration of processing: Personal data will be retained in accordance with Trinsic’s retention policies (which are configured by Customer through Trinsic’s Services), and in any case for only as long as is required to meet Trinsic’s legal, regulatory and operational requirements and as necessary to perform services.
Competent supervisory authority: The competent supervisory authority/ies applicable to Data Exporter as notified to Data Importer in accordance with Section 11 (Governing Law) of this DPA.

[THIS TABLE IS APPLICABLE IF CUSTOMER IS A DATA PROCESSOR]

Data Processor: The Customer specified in the Main Agreement and DPA
Sub-Processor: Trinsic
Import/Export: Customer is the Data Exporter. Trinsic is the Data Importer.
Categories of data subjects: Data subjects are End Users who are engaging with an End Customer who requires the End User to verify certain personal data through the Services.
Categories of personal data: Name, contact details (phone number, email address), date of birth, full address, document or ID number (e.g. driver’s license, voter ID, passport, national ID numbers), selfie
Nature and purpose of processing: Data is processed solely to deliver the Services contemplated in the Main Agreement and any Order, namely, to verify and/or enrich the personal data transferred to Trinsic using an ID Provider. Processing may include transfer, transformation, storage, and deletion of data.
Frequency of processing: Continuous
Duration of processing: Personal data will be retained in accordance with Trinsic’s retention policies (which are configured by Customer through Trinsic’s Services), and in any case for only as long as is required to meet Trinsic’s legal, regulatory and operational requirements and as necessary to perform services.
Competent supervisory authority: The competent supervisory authority/ies applicable to Data Exporter as notified to Data Importer in accordance with Section 11 (Governing Law) of this DPA.

ANNEX B — LGPD STANDARD CONTRACTUAL CLAUSES

SECTION I – GENERAL INFORMATION

CLAUSE 1. Identification of the Parties

1.1. By this agreement, the Data Exporter and the Data Importer (hereinafter, jointly “Parties” and individually “Party”), identified below, agree to these Standard Contractual Clauses (hereinafter, “Clauses”) approved by the National Data Protection Authority (ANPD) to govern the international transfer of personal data described in Clause 2, in accordance with the provisions of the National Legislation (as defined in Clause 6.1).

Data Exporter:

Name: The Customer specified in the Main Agreement and DPA
Qualification:
Main Address: The address associated with the Customer specified in the Main Agreement and DPA.
Email Address: The email associated with the Customer specified in the Main Agreement and DPA.
Contact for the Data Subject: The representative associated with the Customer specified in the Main Agreement and DPA.
Other Information:

Data Importer:

Name: Trinsic Technologies, Inc.
Qualification: EIN: 84-2221672
Main Address: 881 Baxter Dr. STE 100 South Jordan, UT 84095
Email Address: [email protected]
Contact for the Data Subject: https://trinsic.id/contact
Other Information:

CLAUSE 2. Object and Scope of Application

2.1. These Clauses shall apply to the International Transfers of Personal Data between the Data Exporter and Data Importer, as described below:

Main Purposes of the Transfer: The main purpose of the transfer of Personal Data is to authenticate an End User, or verify the identity of an End User, as more fully explained in Annex A of this DPA.
Categories of Personal Data Transferred: Categories of Personal Data transferred can be found in Annex A of this DPA.
Period of data storage: Period of data storage of transferred data can be found in Annex A of this DPA.
Other Information:

CLAUSE 3. Onward Transfers Allowed Under the Following Conditions:

3.1. The Importer may carry out an Onward Transfer of Personal Data subject to the International Data Transfer governed by these Clauses, in the cases and according to the conditions described below and the provisions of CLAUSE 18.

(a) Onward transfers to an authorized sub-processor

Main purposes of the transfer: The parties may transfer Personal Data onward to their sub-processors which are approved under the terms of this agreement.
Categories of personal data transferred: Categories outlined in Annex A of this DPA.
Period of data storage: Retention periods are specified in Annex A of this DPA.
Other information:

(b) Onward transfers to an End Customer under this DPA and the Main Agreement

Main purposes of the transfer: Customer may transfer Personal Data onward to its End Customers, if applicable, provided such transfer complies with the terms of this DPA and these SCCs.
Categories of personal data transferred: Categories outlined in Annex A of this DPA.
Period of data storage: Retention periods are specified in Annex A of this DPA.
Other information:

CLAUSE 4. Responsibilities of the Parties

If Customer is identified in Annex A of this DPA as a Data Controller, Option A. 4.1 will apply, otherwise Option B. 4.1 will apply.  

Option A.

4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, as Controller, shall be responsible for complying with the following obligations set out in these Clauses:

a) Responsible for publishing the document provided in CLAUSE 14:

( X ) Exporter ( ) Importer

b) Responsible for responding to requests from Data Subjects dealt with in CLAUSE 15:

( X ) Exporter ( ) Importer

c) Responsible for notifying the security incident provided in CLAUSE 16:

( X ) Exporter ( ) Importer

4.2. For the purposes of these Clauses, if the Designated Party pursuant to item 4.1. is the Processor, the Controller remains responsible for:

a) compliance with the obligations provided in CLAUSES 14, 15 and 16 and other provisions established in the National Legislation, especially in case of omission or non-compliance with the obligations by the Designated Party;

b) compliance with ANPD’s determinations; and

c) guaranteeing the Data Subjects’ rights and repairing damages caused, subject to the provisions of Clause 17.

Option B

4.1 Considering that both Parties act exclusively as Processors within the scope of the International Data Transfer governed by these Clauses, the Exporter declares and guarantees that the transfer is carried out in accordance with the written instructions provided by the Third-Party Controller identified in the chart below.

Identification information of the Third-Party Controller:

Name: Identification information for each Third-Party Controller, including name, is maintained by Trinsic and is available upon request.
Qualification: Identification information for each Third-Party Controller, including qualifying identifying details, is maintained by Trinsic and is available upon request.
Main Address: Identification information for each Third-Party Controller, including address, is maintained by Trinsic and is available upon request.
Email Address: Contact information for each Third-Party Controller, including email address, is maintained by Trinsic and is available upon request.
Contact for the Data Subject: Contact information for each Third-Party Controller, including a contact for data subjects, is maintained by Trinsic and is available upon request.
Information on Related Contract: Identification information for each Third-Party Controller, including the name of its contract with Data Importer, is maintained by Trinsic and is available upon request.

4.2. The Exporter shall be jointly liable for the damage caused by the International Data Transfer if it is carried out in breach of the obligations of the National Legislation or the lawful instructions of the Third-Party Controller, in which case the Exporter shall be deemed to be the Controller, subject to the provisions of Clause 17.

4.3 In the event of being deemed a Controlling Party as referred to in item 4.2, the Exporter shall be responsible for complying with the obligations set out in Clauses 14, 15 and 16.

4.4 With the exception of the provisions of items 4.2 and 4.3, the provisions of Clauses 14, 15 and 16 shall not apply to the Parties as Processors.

4.5. The Parties shall, in any event, provide all the information at their disposal that proves necessary for the Third-Party Controller to comply with ANPD’s determinations and to adequately fulfill the obligations provided for in the National Legislation relating to transparency, compliance with the rights of data subjects and the reporting of security incidents to ANPD.

4.6. The Parties shall promote mutual assistance in order to meet the requests of the Data Subject.

4.7 In the event of receiving a request from a Data Subject, the Party shall:

a) respond to the request when it has the necessary information;

b) inform the Data Subject of the service channel provided by the Third-Party Controller; or

c) forward the request to the Third-Party Controller as soon as possible, to enable a response within the period provided for in the National Legislation.

4.8. The Parties must keep a record of security incidents involving personal data, in accordance with national legislation.

SECTION II – MANDATORY CLAUSES

The Parties hereby incorporate by reference Clauses 5–22 of the most recent English-language Brazilian Standard Contractual Clauses for International Transfers, as published and updated from time to time on the Brazilian National Data Protection Authority’s “International Affairs” webpage (https://www.gov.br/anpd/pt-br/assuntos/assuntos-internacionais/international-affairs) or its successor, which shall form an integral, binding, and prevailing part of this Data Processing Addendum without further action by the Parties.

SECTION III – SECURITY MEASURES

Data Importer shall implement and maintain for the duration of this DPA the technical, administrative, and organizational safeguards available here. These safeguards include, at a minimum:

a) Governance and oversight of internal processes, including documented security policies, assignment of security responsibilities, and periodic risk assessments; and

b) Logical, physical, and procedural controls designed to ensure the confidentiality, integrity, availability, and resilience of Personal Data during its collection, transmission, processing, and storage.

Such measures satisfy the requirements of Article 46 of the LGPD and the Brazilian SCCs, and they apply equally to all categories of Personal Data, including Sensitive Personal Data and data relating to children and adolescents. Given the scope and depth of the safeguards in Annex B, the Parties agree that no additional safeguards applicable exclusively to minors’ data shall be required.

The Data Importer will periodically review and, where appropriate, enhance these measures to ensure they continue to provide a level of protection consistent with applicable law and these Clauses.
