Data protection addendum.

This Data Protection Addendum (“Addendum”) forms part of the agreement between Customer and Stick covering Customer’s use of the Services (as defined below) (“Agreement”).

I. Introduction

1. Definitions.

“Applicable Data Protection Law” refers to all laws and regulations applicable to Stick’s processing of personal data under the Agreement.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Customer Account Data” means personal data that relates to Customer’s relationship with Stick, including the names or contact information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data Stick may need to collect for the purpose of identity verification (including providing the MFA Services, as defined below), or as part of its legal obligation to retain Subscriber Records (as defined below).

“Customer Content” means (a) personal data exchanged as a result of using the Services (as defined below), such as text message bodies, voice and video media, images, email bodies, email recipients, sound, and, where applicable, details Customer submits to the Services from its designated software applications and services and (b) data stored on Customer’s behalf such as communication logs within the Services or marketing campaign data that Customer has uploaded to the Services (as defined below).

“Customer Data” has the meaning given in the Agreement. Customer Data includes Customer Account Data, Customer Usage Data, Customer Content, and Sensitive Data, each as defined in this Addendum.

“Customer Usage Data” means data processed by Stick for the purposes of transmitting or exchanging Customer Content utilizing phone numbers either through the Public Switched Telephone Network (PSTN) or by way of other communication networks. Customer Usage Data includes data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication and (b) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse.

“Multi Factor Authentication Services” or “MFA Services” means the provision of a portion of the Services under which Customer adds an additional factor for verification of Customer’s end users’ identity in connection with such end users’ use of Customer’s software applications or services.

“personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Stick Privacy Notice” means the privacy notice for the Services, the current version of which is available at https://www.connectwithstick.com/privacy-policy

“processor” means the entity which processes personal data on behalf of the controller.

“processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

“Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law or regulation relating to privacy and data protection.

“Services” means the products and services provided by Stick or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge or (b) ordered by Customer under an Order Form. 

“Subscriber Records” means Customer Account Data containing proof of identification and proof of physical address necessary for Stick to provide Customer or Customer’s end users with phone numbers in certain countries (“telephone number assignments”). When required by law or regulation, Subscriber Records are shared with local telecommunications providers, which provide local connectivity services, or local government authorities.

“sub-processor” means (a) Stick, when Stick is processing Customer Content and where Customer is a processor of such Customer Content or (b) any third-party processor engaged by Stick to process Customer Content in order to provide the Services to Customer. For the avoidance of doubt, telecommunication providers are not sub-processors.

“Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.

Capitalized terms not defined in this Section 1 will have the meaning given to them in this Addendum or the Agreement.

II. Controller and Processor

2. Relationship of the Parties

2.1 Stick as a Processor. The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and Stick is a processor. Stick will process Customer Content in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions).

2.2 Stick as a Controller of Customer Account Data. The parties acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and Stick is an independent controller, not a joint controller with Customer. Stick will process Customer Account Data as a controller in order to (a) manage the relationship with Customer; (b) carry out Stick’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; (e) comply with Stick’s legal or regulatory obligation to retain Subscriber Records; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Stick Privacy Notice.

2.3 Stick as a Controller of Customer Usage Data. The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and Stick is an independent controller, not a joint controller with Customer. Stick will process Customer Usage Data as a controller in order to carry out the necessary functions as a communications service provider, such as: (a) Stick’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Services, platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Stick Privacy Policy.

3. Purpose Limitation. Stick will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to Stick for processing in accordance with the terms of the Agreement and this Addendum.

III. Stick as a Processor – Processing Customer Content

5. Customer Instructions. Customer appoints Stick as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, fraudulent activity, and violations of the Stick Acceptable Use Policy, and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).

5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Stick is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Stick’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Stick’s processing of Customer Content, when done in accordance with Customer’s instructions, will not cause Stick to violate any applicable law or regulation, including Applicable Data Protection Law. Stick will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, including Applicable Data Protection Law.

5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to Stick for carrying out such additional instructions.


6. Confidentiality

6.1 Responding to Third Party Requests. In the event any Third Party Request is made directly to Stick in connection with Stick’s processing of Customer Content, Stick will promptly inform Customer and provide details of the same, to the extent legally permitted. Stick will not respond to any Third Party Request without Customer’s prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.

6.2 Confidentiality Obligations of Stick Personnel. Stick will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with Stick’s confidentiality obligations in the Agreement.

7. Sub-processors

7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for Stick to engage onward sub-processors that is conditioned on the following requirements:

(a) Stick will restrict the onward sub-processor’s access to Customer Content only to what is strictly necessary to provide the Services, and Stick will prohibit the sub-processor from processing the personal data for any other purpose;

(b) Stick agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and

(c) Stick will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.

7.2 Current Sub-processors and Notification of Sub-processor Changes. Customer consents to Stick engaging third party sub-processors to process Customer Content within the Services for the Permitted Purposes provided that Stick maintains an up-to-date list of its sub-processors. With respect to changes in infrastructure providers, Stick will endeavor to give written notice sixty (60) days prior to any change, but in any event will give written notice no less than thirty (30) days prior to any such change. With respect to Stick’s other sub-processors, Stick will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.

7.3 Objection Right for new Sub-processors. Customer may object to Stick’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of Stick’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to Stick. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised prior to Stick replacing or appointing a new sub-processor, Stick will deem Customer to have authorized the new sub-processor.

8. Data Subject Rights. As part of the Services, Stick provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict use of Customer Content. Customer may use these self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the Services at no additional cost. To the extent Customer does not have the ability to resolve a data subject request through the self-service features, upon Customer’s request, Stick will provide reasonable additional and timely assistance to assist Customer in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.

9. Impact Assessments and Consultations. Stick will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Stick to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.

10. Return or Deletion of Customer Content. Stick will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the Services.

10.1 Extension of Addendum. Upon termination of the Agreement, Stick may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that Stick will ensure that Customer Content (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, Stick may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

IV. Security and Audits

11. Security

11.1 Security Measures. Stick has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about Stick’s technical and organizational security measures to protect Customer Data is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.

11.2 Determination of Security Requirements. Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer’s use of the Services, such as, but not limited to, encryption of voice recordings, availability of multi-factor authentication on Customer’s account, or optional Transport Layer Security (TLS) encryption. Customer is responsible for reviewing the information Stick makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by Stick to maintain appropriate security in light of the nature of Customer Data processed as a result of Customer’s use of the Services.

11.3 Security Incident Notification. Stick will provide notification of a Security Incident in the following manner:

(a) Stick will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after Stick’s discovery of a Security Incident impacting Customer Data of which Stick is a processor;

(b) Stick will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which Stick is a controller; and

(c) Stick will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer’s account.

Stick will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by Stick’s violation of this Addendum, remediate the cause of such Security Incident. Stick will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.


12. Audits. The parties acknowledge that Customer must be able to assess Stick’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Stick is acting as a processor on behalf of Customer.

V. Miscellaneous

15. Cooperation and Data Subject Rights. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any Third Party Request relating to the processing of Customer Account Data or Customer Usage Data conducted by the other party, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Law.


16. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); (3) the Agreement; and (4) the Stick Privacy Notice. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.


17. Failure to Perform. In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility or the parties cannot reach an agreement, the parties may mutually agree to terminate the Agreement for convenience.

18. Updates. Stick may update the terms of this Addendum from time to time; provided, however, Stick will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at TBD URL.

SCHEDULE 1

DETAILS OF PROCESSING

1. Nature and Purpose of the Processing. Stick will process personal data as necessary to provide the Services under the Agreement. Stick does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

1.1 Customer Content. Stick will process Customer Content as a processor in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions) of this Addendum.

1.2 Customer Account Data. Stick will process Customer Account Data as a controller for the purposes set forth in Section 2.2 (Stick as a Controller of Customer Account Data) of this Addendum.

1.3 Customer Usage Data. Stick will process Customer Usage Data as a controller for the purposes set forth in Section 2.3 (Stick as a Controller of Customer Usage Data) of this Addendum.

2. Processing Activities.

2.1 Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:

  1. the provision of products and services which allow the transmission and delivery of email communications on behalf of Customer to its recipients. Stick will also provide Customer with analytic reports regarding the email communications it sends on Customer’s behalf. Storage of personal data on Stick’s network.

  2. the provision of products and services which allow Customers to integrate, manage and control their data relating to end users. Storage of personal data on Stick’s network.

2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.

2.3 Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the Services.

3. Duration of the Processing. The period for which personal data will be retained and the criteria used to determine that period are as follows:

3.1 Customer Content.

(a) Services. Prior to the termination of the Agreement, (x) Stick will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and (y) Customer agrees that it is solely responsible for deleting Customer Content via the Services. Upon termination of the Agreement, Stick will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Services; (ii) automatically delete any stored Customer Content thirty (30) days after the termination effective date; and (iii) automatically delete any stored Customer Content on Stick’s back-up systems sixty (60) days after the termination effective date. Any Customer Content archived on Stick’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.

3.2 Customer Account Data. Stick will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Stick’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Stick Privacy Notice.

3.3 Customer Usage Data. Upon termination of the Agreement, Stick may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Stick will anonymize or delete Customer Usage Data when Stick no longer requires it for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1.


4. Categories of Data Subjects.

4.1 Customer Content. Customer’s end users.

4.2 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s Stick account or make use of the Services or telephone number assignments received from Stick.

4.3 Customer Usage Data. Customer’s end users.


5. Categories of Personal Data. Stick processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data.

6. Sensitive Data or Special Categories of Data.

6.1 Customer Content. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the communications that are transmitted using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process, any Sensitive Data via the Services.

6.2 Customer Account Data and Customer Usage Data.

(a) Sensitive Data may be found in Customer Account Data in the form of Subscriber Records containing passport or similar identifier data necessarily processed in order to receive telephone number assignments.

(b) Customer Usage Data does not contain Sensitive Data.