Data Processing Addendum
This Data Processing Addendum, including the recitals, Appendixes, and any documents incorporated herein by reference, including the Standard Contractual Clauses and ICO Addendum, as applicable (this “DPA”) is entered into by and between Voyage AI Innovations Inc. (“Voyage AI”) and the customer who is party to the Agreement (as defined below) (“Customer”) (each referred to individually as a “Party” and collectively as the “Parties”). This DPA is incorporated into and is made part of Voyage AI’s Terms of Service, Voyage AI Service Agreement, or other applicable service or subscription agreement, including any amendments, and any documents incorporated therein by reference, by and between Voyage AI and Customer (collectively, the “Agreement”). This DPA is effective on the effective date of the Agreement.
RECITALS
WHEREAS, the Parties have entered into the Agreement, which involves the processing of Personal Data;
WHEREAS, the Parties seek to implement a data processing addendum that complies with the requirements of applicable legal frameworks in relation to the processing of Personal Data; and
WHEREAS, the Parties wish to set forth their rights and obligations herein.
NOW THEREFORE, in consideration of the mutual covenants and agreements of the Parties as set forth in this DPA, the Parties agree as follows:
DEFINITIONS
1. Defined Terms. All defined terms used in this DPA with initial capital letters have the meaning as set forth in Appendix A, unless defined elsewhere in this DPA or as otherwise set forth in this Section 1. “Section” and “Appendix” means a section and appendix of this DPA. The singular meaning of a defined term shall have the same meaning as the plural meaning and vice versa.
2. Additional Defined Terms. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” used in this DPA will have the same meaning as set forth in the Data Protection Laws and their cognate (related) terms shall be construed accordingly.
3. Terms without Definition. Capitalized terms used without definition in this DPA will have the same meaning as set forth in the Agreement, the Standard Contractual Clauses and the ICO Addendum.
PROCESSING OF CUSTOMER PERSONAL DATA
4. The Parties’ Roles. The processing of Customer Personal Data may occur in one or more of the following forms:
a. Customer is a Controller and Voyage AI is a Processor; and
b. Customer is a Processor and Voyage AI is a Subprocessor.
5. Data Processing. Customer is allowing the Voyage AI to perform data processing activities as specified in Appendix B. Appendix B describes the subject matter, purpose, and nature of the Customer Personal Data processing, its duration, the categories of Customer Personal Data, and types of Customer Personal Data processed.
6. Instructions. Voyage AI agrees to comply with Data Protection Laws in the processing of Customer Personal Data and not process Customer Personal Data other than based upon Customer’s instructions as set forth in this DPA, Voyage AI’s business obligations, or as otherwise agreed by the Parties. Further, unless otherwise instructed by Customer or otherwise set forth in the Agreement, Voyage AI will not (a) retain, use, or disclose Customer Personal Data for any purpose, including any commercial purposes; (b) retain, use, or disclose Customer Personal Data outside the direct business relationship between Voyage AI and Customer; (c) combine Customer Personal Data with any information received from or on behalf of any other person or entity; or (d) sell or share Customer Personal Data.
VOYAGE AI’S PERSONNEL
7. Access to Customer Personal Data. Voyage AI agrees to take reasonable steps to ensure the reliability of any of their Personnel who may have access to Customer Personal Data, ensuring in each case that (a) access is limited to those Personnel who have a need to know Customer Personal Data, as necessary for the purposes of the Agreement, and (b) all such Personnel are subject to and comply with obligations of confidentiality.
SECURITY
8. Security Implementation. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as, the risk of varying likelihood and severity for the rights and freedoms of natural persons, Voyage AI agrees to, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Data Protection Laws.
9. Appropriate Levels of Security. In assessing the appropriate level of security, Voyage AI will take into account the risks that are presented by processing Customer Personal Data, in particular from a Personal Data Breach affecting Customer Personal Data.
SUBPROCESSORS
10. Engaging with Subprocessors. To the extent that Subprocessors are applicable, Customer acknowledges and agrees that Voyage AI may engage Subprocessors in connection with the fulfillment of their obligations under the Agreement; provided, that Voyage AI agrees to (a) restrict Subprocessors’ access to Customer Personal Data only to the extent necessary to fulfill Voyage AI’s obligations under the Agreement; and (b) enter into a written agreement with each Subprocessor containing data protection obligations at least as protective as those set forth in this DPA with respect to the protection of Customer Personal Data.
11. List of Subprocessors. Upon written request from Customer, Voyage AI will provide a list of their Subprocessors or provide information about where the list of Subprocessors can be found on Voyage AI’s website or on another website designated by Voyage AI. Within ten (10) business days of receipt of any request from Customer for a list of Voyage AI’s list of Subprocessors, Voyage AI agrees to provide such list of Subprocessors or information on where the list of Subprocessors can be found on Voyage AI’s website or another website designated by Voyage AI. At least thirty (30) days before engaging with new Subprocessor(s), Voyage AI agrees to provide Customer with a list of any new Subprocessor(s) or provide Customer with information about where the modified list of Subprocessors can be found on Voyage AI’s website or another website designated by Voyage AI.
12. Responsibility for Subprocessors. Voyage AI will remain responsible for any acts or omissions of their Subprocessors that cause Voyage AI to breach any of Voyage AI’s obligations under this DPA to the extent required by Data Protection Laws.
DATA SUBJECT RIGHTS
13. Requests from Data Subjects. Voyage AI agrees to promptly notify Customer if it receives a request from a data subject in respect to their Personal Data and protected under any Data Protection Laws. Voyage AI agrees that they will not respond to any such requests, except on the written instructions of Customer.
PERSONAL DATA BREACH
14. Notice of Personal Data Breach. Voyage AI agrees to notify Customer without undue delay upon Voyage AI becoming aware of a Personal Data Breach affecting Customer Personal Data. Further, Voyage AI agrees to provide Customer with sufficient information to allow Customer to meet any obligations under Data Protection Laws, taking into consideration the extent of information available to Voyage AI.
15. Cooperation. Voyage AI agrees to cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach affecting Customer Personal Data.
DATA PROTECTION IMPACT ASSESSMENT AND CONSULTATION
16. Reasonable Assistance. Voyage AI agrees to provide reasonable assistance to Customer with any data protection impact assessments and consultations with supervising authorities or other competent data protection authorities, which Customer reasonably considers to be required by Data Protection Laws, if applicable, in each case solely in relation to processing of the Customer Personal Data by, and taking into account the nature of the processing and information available to, Voyage AI.
DELETION OR RETURN OF CUSTOMER PERSONAL DATA
17. Deletion of Customer Personal Data. Upon the date of termination of the Agreement involving the processing of Customer Personal Data, Voyage AI will promptly delete and procure the deletion of all copies of Customer Personal Data. Further, Voyage AI may retain Customer Personal Data to the extent required by applicable laws, but only to the extent and for the period of time required by such applicable laws.
AUDIT RIGHTS
18. Compliance. Voyage AI will make available to Customer, upon written request, information necessary to demonstrate compliance with this DPA and Data Protection Laws.
19. Audit Process. Upon request, and subject to the confidentiality obligations under the Agreement, Voyage AI will make available to Customer (or Customer's independent, third-party auditor) information regarding Voyage AI's compliance with the security obligations set forth in this DPA in the form of third-party certifications and audits. If that information is not sufficient to demonstrate Voyage AI's compliance with the security obligations in the DPA, Customer may contact Voyage AI in accordance with the notice provision of the Agreement to request an audit, but only to the extent required under Data Protection Laws. Customer will reimburse Voyage AI for its reasonable costs associated with any such audit. Before the commencement of any such audit, Customer and Voyage AI will mutually agree on the scope, timing, and duration of the audit.
DATA TRANSFER
20. Transfer of Customer Personal Data. When required by Data Protection Laws, to the extent that the Customer Personal Data from Customer and their users that are located in the European Economic Area, Switzerland or the United Kingdom and such Customer Personal Data is being processed and transferred to Inadequacy Decision Countries, Voyage AI agrees to process that Customer Personal Data in compliance with the provisions set out in Appendix C below, which forms an integral part of this DPA.
CCPA
21. CCPA Obligations. For purposes of this Section 21, Customer Personal Data shall include “personal information” (as that term is defined under CCPA) that is processed by Voyage AI in connection with the Services. Voyage AI is a “service provider” as defined in CCPA.
a. Voyage AI will not:
i. retain, use, or disclose Customer Personal Data for any purpose other than providing the Services;
ii. retain, use, or disclose Customer Personal Data outside of the direct business relationship between Voyage AI and Customer;
iii. sell or share Customer Personal Data (as the terms “sell” and “share” are defined in CCPA); or
iv. combine Customer Personal Data with personal information that Voyage AI has received from another Voyage AI customer, except as permitted under CCPA.
b. Voyage AI will notify Customer if it determines that it can no longer comply with its obligations as a service provider under CCPA.
c. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information that is protected under CCPA.
TERM AND TERMINATION
22. Term of this DPA. This DPA will remain in effect until terminated in accordance with its terms.
23. Material Breach. If Customer determines that Voyage AI has violated or breached a material term and/or condition of this DPA or Voyage AI can no longer meet its obligations under this DPA, then Customer may terminate this DPA in accordance with its terms.
24. Termination in Connection with Subprocessors. In the event that Customer does not agree with Voyage AI's new Subprocessor(s) provided on Voyage AI's updated list of Subprocessors, then Customer will have the right, as its sole and exclusive remedy, to terminate this DPA by providing written notice to Voyage AI in accordance with the Agreement.
25. Termination of the Agreement. If the Agreement is terminated pursuant to the terms of the Agreement, then this DPA will immediately and automatically terminate, unless another agreement is entered into by and between the Parties where Customer Personal Data is being processed.
GENERAL
26. Modifications to this DPA. The Parties agree that any modifications to this DPA will be set forth in writing and signed by both Parties.
27. Provisions of the Agreement. Except as expressly set forth in this DPA, this DPA is subject to each and every provision of the Agreement, all of which are incorporated in this DPA by reference. Except as expressly set forth in this DPA, all other provisions of the Agreement will remain in full force and effect.
28. Electronic Signature. A Party's signature to this DPA delivered by electronic transmission will be deemed to be an original signature and will be binding on such Party to the same extent as if such signature were an original signature.
APPENDIX A - DEFINITIONS
1. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100), together with the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102) which may be amended from time to time.
2. “Contractors” or “Consultant” means a person or entity that enters into a written agreement with a Party to perform services for such Party.
3. “Customer Personal Data” means any Personal Data that Customer uploads to the Services as Customer Content, as that term is defined under Section 3 of the Agreement.
4. “Data Protection Laws” means the laws of the applicable country or state to which Voyage AI and Customer are subject, including (a) to the extent applicable, the EU GDPR; (b) to the extent the UK GDPR applies, the laws of the United Kingdom which relate to the protection of personal data; (c) to the extent applicable, FADP; and (d) to the extent applicable, CCPA.
5. “EU” means the European Union and European Economic Area.
6. “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal information and on the free movement of such data (also known as the General Data Protection Regulation), and repealing Directive 95/46/EC.
7. “European Commission” means the EU's supervisory authority that establishes the data privacy rights of individuals.
8. “FADP” means the Swiss Federal Act on Data Protection.
9. “ICO” or “Information Commissioner's Office” means the UK's supervisory authority that establishes the data privacy rights of individuals.
10. “ICO Addendum” means the ICO's international data transfer addendum to the Standard Contractual Clauses pursuant to the UK GDPR.
11. “Inadequacy Decision Countries” means countries located outside of the EU and the UK where it has been determined by the European Commission and the United Kingdom's Information Commissioner's Office that such countries do not have adequate data protection laws compared to the rights and freedoms protected under the EU GDPR and UK GDPR, respectively.
12. “Personnel” means the employees, Contractors, Consultants, agents, and advisors (legal and accounting) of a Party.
13. “Privacy Policy” means a document that explains how a Controller collects, uses, stores, and shares personal information of various users, and informs users about their rights with respect to their personal information.
14. “EU Standard Contractual Clauses” means, as the circumstances may require, the applicable module(s) of the Standard Contractual Clauses approved by the European Commission in decision 2021/914, or any subsequent versions of the Standard Contractual Clauses which may be adopted by the European Commission from time to time. Upon the effective date of adoption of any revised Standard Contractual Clauses by the European Commission, all references in this DPA to the “Standard Contractual Clauses” shall refer to that latest version thereof.
15. “Subprocessor” means any entity engaged by the Voyage AI that processes Customer Personal Data.
16. “UK” or “United Kingdom” means England, Wales, Scotland and Northern Ireland.
17. “UK GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), as it forms part of the law of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018.
APPENDIX B - DESCRIPTION OF DATA PROCESSING
Subject-matter | The subject matter of the data processing under this DPA is Customer Personal Data. |
Purpose and Nature | The purpose of the data processing under this DPA is the provision of the Services to Customer in accordance with the Agreement. |
Duration | The duration of the data processing under this DPA is until the expiration or termination of the Agreement in accordance with its terms. |
Categories of Data Subjects | The data subjects may include Customer's customers, employees, suppliers, and end users, or any other individual whose personal data Customer uploads as Customer Personal Data. |
Types of Personal Data | The types of Customer Personal Data processed under this DPA include any Customer Personal Data uploads as Customer Personal Data. |
APPENDIX C - PERSONAL DATA TRANSFERS
EU STANDARD CONTRACTUAL CLAUSES
1. When the Standard Contractual Clauses are the applicable transfer mechanism in accordance with Section 20 of the DPA, the parties agree that:
a. Clause 7 will not apply.
b. In Clause 9(a), Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set forth in Section 11 of the DPA.
c. In Clause 11(a), the optional language will not apply.
d. In Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland.
e. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.
2. For purposes of Annex I, Part A of the Standard Contractual Clauses (List of Parties):
a. Data Exporter: Customer.
i. Contact Details: Customer's account owner email address, or to the email address(es) for which Customer elects to receive legal communications.
ii. Data Exporter Role: Data Exporter's role is outlined in Section 4 of the DPA.
iii. Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule I to the DPA, as of the effective date of the Agreement.
b. Data Importer: Voyage AI
i. Contact Details: legal@voyageai.com
ii. Data Exporter Role: Data Exporter's role is outlined in Section 4 of the DPA.
iii. Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule I to the DPA, as of the effective date of the Agreement.
3. For purposes of Annex I, Part B of the Standard Contractual Clauses (Description of Transfer):
a. The categories of data subjects may include Customer's customers, employees, suppliers, and end users, or any other individual whose personal data is contained in Customer Content.
b. The types of personal transferred are include any Customer Personal Data that Customer uploads to the Services as Customer Content.
c. The frequency of the transfer is on a continuous basis for the duration of the Agreement.
d. The nature and purpose of the processing is the provision of the Services to Customer in accordance with the Agreement.
e. The period of retention of Customer Data is set forth in Section 17 of the DPA.
4. For purposes of Annex I, Part C of the Standard Contractual Clauses (Competent Supervisory Authority), the competent supervisory authority/ies shall be determined in accordance with EU GDPR and Clause 13 of the Standard Contractual Clauses.
5. For purposes of Annex II of the Standard Contractual Clauses (Technical and Organizational Security Measures), a list of Voyage AI's current controls is available on its Trust Center page, available at: https://app.vanta.com/voyageai.com/trust/d1qz6shcx7dm98tqb3b9yr/controls#infrastructure-security
6. In addition to the above stipulations, each of the following forms a part of the Standard Contractual Clauses and sets out the parties' understanding of their respective obligations under the Standard Contractual Clauses:
a. Clause 8.9 of the Standard Contractual Clauses: Audit. Data Exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 by instructing Data Importer to comply with the audit measures described in Sections 18 and 19 (Audit Rights) of the DPA.
b. Clause 9(c) of the Standard Contractual Clauses: Disclosure of Subprocessor agreements. The parties acknowledge that, pursuant to subprocessor confidentiality restrictions, Data Importer may be restricted from disclosing onward subprocessor agreements to Data Exporter. Even where Data Importer cannot disclose a subprocessor agreement to Data Exporter, the parties agree that, upon the request of Data Exporter, Data Importer shall (on a confidential basis) provide all information it reasonably can in connection with such subprocessing agreement to Data Exporter.
c. Clause 12 of the Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Law, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.
TRANSFERS OF CUSTOMER PERSONAL DATA PROTECTED BY FADP
With respect to transfers of Customer Personal Data protected by FADP, the Standard Contractual Clauses will apply in accordance with Sections 2 and 3 above, with the following modifications:
a. Any references in the Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to FADP;
b. References to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
c. References to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.
TRANSFERS OF CUSTOMER PERSONAL DATA PROTECTED BY UK GDPR
With respect to transfers of Customer Personal Data protected by UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under S119A(1) Data Protection Act 2018 (“UK Addendum”), shall apply and be incorporated by reference into this DPA, with Part 1: Tables completed in accordance with the applicable stipulations in Section 3 of this Schedule 1. Either data exporter or data importer may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the parties to amend the DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the parties are unable to come to agreement. To the extent of any conflict between Section 3 of this Schedule 1 and any mandatory clauses of the UK Addendum, the UK Addendum shall govern to the extent UK GDPR applies to the transfer.