This Data Processing Addendum (“DPA”) sets forth the terms under which Kit processes Personal Data concerning Subscribers of creators’ newsletters (“Subscriber Personal Data”) in the course of providing the Services to You. This DPA will terminate automatically upon termination of the Terms or as earlier terminated pursuant to the terms of this DPA.
1. DATA PROCESSING AND PROTECTION
1.1 Limitations on Use. Kit will Process Subscriber Personal Data only: (a) in a manner consistent with Your documented instructions as specified under Section 1.2 (Instructions), including with regard to transfers of Subscriber Personal Data to a third country; and (b) as required by applicable laws. Without limiting the instructions under Section 1.2, Kit will not: (x) retain, use, or disclose the Subscriber Personal Data (i) outside of the direct business relationship between the parties except as permitted by Data Protection Law or (ii) for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing the Subscriber Personal Data for a commercial purpose other than providing the Services, or as otherwise permitted by Data Protection Law; (y) sell or share (as defined by Data Protection Law) the Subscriber Personal Data; or (z) combine Subscriber Personal Data with Personal Data Kit receives from individuals or other customers, except as necessary to provide the Services, with Your consent, or as permitted by Data Protection Law.
1.2 Instructions. You instruct Kit to Process Subscriber Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Terms, including as specified in Attachment 2 (Scope of Processing). This DPA, the Terms, and any instructions provided by You through configuration tools made available by Kit constitute Your documented instructions regarding Kit’s Processing of Subscriber Personal Data. Kit may suspend Processing based upon any of Your instructions that Kit reasonably suspects violate Data Protection Law, provided Kit will promptly inform You if, in Kit’s opinion, an instruction infringes Data Protection Law.
1.3 Compliance. Each party will comply with its obligations under Data Protection Law. Kit shall notify You if it determines that it can no longer meet its obligations under Data Protection Law. If You notify Kit in writing that Kit has Processed Subscriber Personal Data without authorization, You may take reasonable and appropriate steps to stop and remediate such Processing.
1.4 Confidentiality. Kit will ensure that persons authorized by Kit to Process any Subscriber Personal Data are subject to appropriate confidentiality obligations.
1.5 Security. Kit will implement and maintain appropriate technical and organizational measures designed to protect Subscriber Personal Data against Security Incidents and to provide the level of protection required by Data Protection Law, as set forth in Kit’s Security Policy, located at https://kit.com/security. Kit may update the Security Policy from time to time, provided the updated measures do not materially reduce the level of security.
1.6 Disposal. At Your choice, Kit will delete or return all Subscriber Personal Data upon the end of the provision of Services: (a) unless applicable law requires the storage of such Subscriber Personal Data by Kit; and (b) except for Subscriber Personal Data that is archived on back-up systems, which Kit will securely isolate and protect from any further Processing, except to the extent required by law. You may make Your request by emailing the request to legal@kit.com.
1.7 Deidentified Data. You authorize Kit to Process Deidentified Data to improve the Services. Kit will (a) take reasonable measures to ensure the Deidentified Data cannot be associated with a Data Subject and (b) publicly commit to maintain and use Deidentified Data in a deidentified form and not attempt to reidentify Deidentified Data except as permitted by Data Protection Law.
1.8 Your Obligations. You agree that in connection with the performance of the Services, Kit employs the use of cookies, unique identifiers, web beacons, and similar tracking technologies. You shall maintain notice, consent, opt-in, and opt-out mechanisms as required by the Data Privacy Framework and/or Data Protection Laws to enable Kit to employ tracking technologies lawfully on, and collect data from, the devices of Subscribers.
1.9 Usage Data. Notwithstanding anything to the contrary in the Terms and DPA, You agree that Kit shall have the right to use and disclose data relating to the operation, support, and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development, and sales and marketing. To the extent that any such data is considered Personal Data under the Data Privacy Framework and/or Data Protection Laws, Kit is the Controller of such data and accordingly shall Process such data in accordance with Kit’s Privacy Policy, the Data Privacy Framework, and Data Protection Laws.
2. DATA PROCESSING ASSISTANCE
2.1 Data Subject Rights Assistance. Kit’s Services provide You with controls to retrieve, correct, delete, or restrict Subscriber Personal Data, which You may use in connection with Your obligations under Data Protection Law, including responding to requests from Data Subjects. Requests from Data Subjects may include the Data Subject’s right of access, right to rectification, right to restriction of Processing, right to erasure (“right to be forgotten”), right to data portability, right to object to the Processing, and right to not be subject to automated decision-making. To the extent that You are unable to independently access Your relevant Subscriber Personal Data within the Services, Kit will, at Your expense, provide reasonable assistance to help You respond to requests from Data Subjects or data protection authorities relating to the Processing of Personal Data under the DPA. In the event any request is made directly to Kit, Kit will not respond to the request directly without Your prior authorization, unless legally compelled to do so. If Kit is required to respond to a request, Kit will promptly notify You and provide You with a copy of the request unless legally prohibited from doing so.
2.2 Security Assistance. Taking into account the nature of Processing and the information available to Kit, Kit will provide commercially reasonable efforts to assist You in Your efforts to comply with Your obligations to secure Subscriber Personal Data by providing the information and assistance described in Section 3 (Audits).
2.3 Security Incident Notice and Assistance. Kit will notify You without undue delay after becoming aware of a Security Incident. Kit will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident. Taking into account the nature of Processing and the information available to Kit, Kit will assist You in ensuring compliance with Your notification obligations imposed under Data Protection Law in connection with any Security Incident.
2.4 Data Protection Impact Assessment (“DPIA”) and Prior Consultation Assistance. Taking into account the nature of Processing and the information available to Kit, Kit will use commercially reasonable efforts to assist You in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities, to the extent required by Data Protection Law.
3. AUDITS
3.1 General Assistance. Kit will make available to You information necessary to demonstrate compliance with its obligations in this DPA. Any such information or results of audits will be deemed the confidential information of Kit under the Terms.
3.2 Audit Reports. Upon Your written request not more than once per year, and subject to a mutually agreed non-disclosure agreement covering the audit, Kit shall make available to You (provided You are not a competitor of Kit) information necessary to confirm Kit’s compliance with its Security Policy and this DPA. If the information provided pursuant to this Section 3.2 is insufficient to confirm Kit’s compliance with this DPA and Data Protection Law, then, to the extent required under Data Protection Law, Kit will allow for and contribute to audits, including inspections, conducted by You or an auditor mandated by You.
4. SUBPROCESSORS
4.1 Appointment of Subprocessors. You authorize Kit to use subcontractors to Process Subscriber Personal Data in connection with providing the Services (each, a “Subprocessor”). You specifically consent to Kit’s appointment of the Subprocessors identified on Attachment 3 (the “Subprocessor List”).
4.2 Objection Right for New Subprocessors.
4.2.1 Kit will notify You of its intent to update the Subprocessor List at least 10 days prior to engaging a new Subprocessor. You may object to Kit’s use of a new Subprocessor on reasonable grounds relating to Data Protection Law or the Data Privacy Framework within 5 business days of such notice by sending an e-mail to legal@kit.com clearly indicating Your desire to object to any such change.
4.2.2 If You object to the change in Subprocessors, Kit and You will cooperate in good faith to resolve Your objection. If the parties are unable to resolve Your objection within 10 days, then either party may terminate the Terms only with respect to those Services that Kit indicates cannot be provided without the objected-to Subprocessor.
4.3 Liability. Kit will impose data protection obligations upon any Subprocessor that are no less protective of Subscriber Personal Data than those included in this DPA or required by the Data Privacy Framework. Kit will remain liable to You for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.
5. DATA TRANSFERS
5.1 Data Privacy Framework. Any transfer of EEA, UK, or Swiss residents’ Subscriber Personal Data to a country not subject to an adequacy decision (a “Data Transfer”) will be made using an approved transfer mechanism. You acknowledge that, in connection with the performance of the Services, Kit will conduct such Data Transfers in accordance with the Data Privacy Framework, will provide at least the same level of protection to such data as is required by the Data Privacy Framework Principles, and will notify You if it is unable to comply with this requirement.
5.2 SCCs. If Data Protection Law requires that additional or other appropriate safeguards are put into place, then the parties will conduct such Data Transfers subject to the SCCs, which are incorporated by this reference. In such instances, the parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs (which are deemed executed as of the effective date of this DPA) with You as the “data exporter” and Kit as the “data importer.”
5.2.1 Transfers Subject to the GDPR. To the extent Subscriber Personal Data subject to the GDPR is subject to a Data Transfer, the SCCs will be modified as follows: in Clause 7, the optional docking language is deleted; in Clause 8.9, the audits shall be conducted according to the audit provisions of this DPA; in Clause 9, Option 2 applies and changes to Subprocessors will be notified in accordance with the Subprocessors section of this DPA; in Clause 11, the optional language is deleted; in Clauses 17 and 18, Kit and You agree that the governing law and forum for disputes will be the laws and courts of Ireland (without reference to conflicts of law principles); the Annexes of the SCCs will be deemed completed with the information set forth in this DPA; and the supervisory authority that will act as competent supervisory authority will be determined in accordance with the GDPR.
5.2.2 Transfers Subject to Swiss Data Protection Law. To the extent Subscriber Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read to preclude data subjects in Switzerland from suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to the FADP.
5.3 Transfers Subject to the UK GDPR. To the extent Subscriber Personal Data that is subject to the UK GDPR is subject to a Data Transfer, the parties will conduct such transfers pursuant to the SCCs in tandem with the UK IDTA, which is incorporated by this reference. The information needed to complete the Tables to the UK IDTA is provided in the Attachments to this DPA.
5.4 Alternative Transfer Mechanism. In the event that Kit is required to adopt an alternative transfer mechanism under Data Protection Law, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with Data Protection Laws), and You agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
6. LIMITATION OF LIABILITY
Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Terms. Nothing in this Section 6 is intended to restrict the rights of data subjects under Data Protection Law.
7. MISCELLANEOUS
To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or UK IDTA, on the other hand, the SCCs or UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Terms remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law clause and forum selection clause of the Terms will apply to any disputes arising out of this DPA. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA.
Attachment 1: Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below:
“CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.
“Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework; as may be amended, superseded, or replaced.
“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded, or replaced.
“Data Protection Law” means the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to Kit’s Processing of Subscriber Personal Data.
“Deidentified Data” means information that cannot reasonably be linked to or associated with You or any Data Subject.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Kit Systems” means the facilities, systems, equipment, hardware, and software Kit and Kit’s Subprocessors use to Process Subscriber Personal Data.
“Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.
“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and any other operation that constitutes processing under Data Protection Law.
“Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.
“SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The parties’ choices for implementing the SCCs are set out in Section 5.2 (SCCs).
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Subscriber Personal Data Processed by Kit.
“Services” means the services provided by Kit pursuant to the Terms.
“Subscribers” means any individual whose email address is included in Your distribution list, whose information is stored on or collected via the Services, or to whom Users send emails or otherwise engage or communicate with via the Services.
“UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.
“Users” means any individual accessing and/or using the Services through Your account.
Attachment 2: Scope of Processing
Data exporter: You
Data importer: Kit
Subject-Matter and Duration of Processing
Kit Processes Subscriber Personal Data if and when provided by You in the course of providing the Services in accordance with the Terms and until the Terms terminate or expire.
Nature and Purpose of Processing
Processing of Subscriber Personal Data in connection with and for the purpose of Kit providing the Services to You pursuant to the Terms. Specifically, the Subscriber Personal Data will, if and to the extent You provide it, be subject to storage and analysis, among other Processing activities.
Types of Subscriber Personal Data
You may submit Subscriber Personal Data to the Services, the extent of which is determined and controlled by You in Your sole discretion. This may include, but is not limited to the following categories of data:
Direct identifying information (e.g., name, date of birth, address, title, email address, username)
Device identification data and traffic data (e.g., IP addresses, usage data, cookies data, online navigation data, location data, browser data, access device information)
Demographic information (e.g., gender)
Employment details (e.g., employer, job title, geographic location, area of responsibility)
Personal interests or preferences (e.g., purchase history and payment method (but not financial information, account details or credit card details), marketing preferences, website preferences, publicly available social media profile information)
Any other Personal Data supplied by Users
Categories of Data Subjects
Users and Subscribers
Special Categories of Data (as applicable)
The Services are not designed for special categories of Personal Data. Kit does not anticipate that You will submit special categories to the Services. To the extent that such data is submitted to the Services, it is determined and controlled by You in Your sole discretion.
Frequency of Transfers
Kit will import Subscriber Personal Data on a continuous basis.
Period of Data Retention
Kit will retain the Personal Data until the termination of the Terms, unless otherwise agreed to by the parties.
Attachment 3: Subprocessor List
Subprocessor Name | Services Performed | Countries where Subprocessor will Process Subscriber Personal Data