Data Processing Addendum

When providing our service, Salmon Run AI may process personal data on your behalf. In order to outline specifics of how we will perform this processing and what our obligations are as well as the obligations of our users/ customers we’ve developed a Data Processing Addendum (DPA) that we enter into free of charge with anyone that uses our service and requests it.

The terms of this DPA are attached to Salmon Run AI's Terms of Service and form part of your agreement with us when you sign up to use our Services.


However, should there be a requirement for you to sign a separate DPA with us, Salmon Run AI offers a Data Processing Addendum that supplements the Terms of Service or any other Agreement. Please have an authorized individual execute this DPA. Once you sign the agreement, you will immediately receive a fully executed downloadable copy via email.


This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Agreement between Salmon Run AI B.V. (“Salmon Run AI”) and the entity or person placing an order for or accessing the Services (“Customer”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (including the SCCs (where applicable), as defined herein).


This DPA governs Salmon Run AI’s and Customers obligations as to the protection of Personal Data, Content, and other Customer Confidential Information pursuant to Data Protection Law.
Definitions

1. Definitions


“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.


“Agreement” means Salmon Run AI’s Terms of Service, or other written or electronic agreement, which govern the provision of the Services to Customer, as such terms or agreement may be updated from time to time.


“CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.


“Controller”, “Data Subject”, “Process” and “Processor” (whether or not capitalized) have the meanings provided in the GDPR and include analogous provisions under Data Protection Laws in other jurisdictions.


“Data Protection Law(s)” means all laws and regulations applicable to Salmon Run AI’s processing of Personal Data under the Agreement, including CCPA and GDPR.


“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.


“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Salmon Run AI on Customer’s behalf pursuant to the Agreement.


“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Content, User Personal Data or other Customer Confidential Information processed by Salmon Run AI on Customer’s behalf pursuant to the Agreement.


2. Processing of personal data


2.1        Roles of the Parties. Customer may be the controller of Personal Data or a processor. Salmon Run AI will act as a processor or Sub-processor, as appropriate. Salmon Run AI will comply with obligations under Data Protection Laws that govern Salmon Run AI’s activities when processing Personal Data. Customer shall be solely responsible for compliance with Data Protection Laws regarding the collection of and transfer to Salmon Run AI of Personal Data, and for advising Salmon Run AI of any obligations imposed on Salmon Run AI as a Sub-processor of or service provider to Customer.


2.2        Details of the Processing. The subject-matter of processing of Personal Data by Salmon Run AI is the performance of the Salmon Run AI Application pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annex A.


2.3        Processing in Accordance with Data Protection Law. Salmon Run AI shall only process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (a) processing in accordance with the Agreement and applicable Order Form(s); (b) processing initiated by Users in their use of the Salmon Run AI Application; and (c) processing to comply with other documented instructions provided by Customer. Salmon Run AI will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Law.


2.4        Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Salmon Run AI will not “sell” (as defined in the CCPA) any Personal Data; and (b) Salmon Run AI will not collect, share or use any Personal Data except as necessary to perform services for Customer.


2.5       Confidentiality of Processing. Salmon Run AI will treat Personal Data as Customer’s Confidential Information and protect it in accordance with the confidentiality obligations in the Agreement. Salmon Run AI shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements no less protective of Customer’s rights in such data as this DPA.


2.6        Data Subject Requests; Data Impact Assessments. Salmon Run AI shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws; (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data, and (c) any data protection impact assessment that Customer may be required to perform under Data Protection Law. If any such request, correspondence, enquiry or complaint is made directly to Salmon Run AI, Salmon Run AI will promptly inform Customer providing full details of the same. Salmon Run AI shall not respond to a data subject request without Customer’s prior written consent except to confirm that such request relates to Customer.


3. Sub-processors


3.1        Authorized Sub-processors. Customer consents to Salmon Run AI engaging Salmon Run AI Affiliates and third party Sub-processors to process Personal Data for the purposes described in the Agreement and this DPA. The Sub-processors currently engaged by Salmon Run AI are available here. Salmon Run AI or a Salmon Run AI Affiliate will enter a written agreement with each Sub-processor imposing data protection terms on the Sub-processor substantially equivalent to, and no less protective of data subjects’ rights in Personal Data than, this DPA. Salmon Run AI shall notify Customer if it adds or removes Sub-processors within ten (10) business days of such changes if Customer opts in to receive such notifications here. Customer may object to Salmon Run AI's appointment or replacement of a Sub-processor, provided such objection is based on reasonable grounds relating to data protection. If Customer does not object to a new Sub-processor within ten (10) business days, Customer will be deemed to have authorized Salmon Run AI’s use of the new Sub-processor and to have waived its right to object. If Customer objects to a new Sub-processor Salmon Run AI will use reasonable efforts to avoid using that Sub-processor to process Personal Data, either by adapting or recommending a change in Customer’s configuration of the Salmon Run AI Application. If neither of the foregoing is commercially practicable, Salmon Run AI will terminate the applicable subscription with respect to the portion of the Salmon Run AI Application that can only be provided by Salmon Run AI using that Sub-processor. Customer will not receive a refund of any unused prepaid fees on such termination and if fees remain unpaid for a subscription term, Customer will immediately pay the remaining balance due for the remainder of the subscription term.


3.2 Liability for Sub-processors. Where a Sub-processor fails to fulfil its data protection obligations, Salmon Run AI shall remain fully liable to Customer for the performance of that Sub-processor's obligations.

4. Security


4.1        Security Measures. Salmon Run AI will use procedural, technical and administrative safeguards designed to ensure the confidentiality, security, integrity, availability and privacy of Content, Personal Data and other Customer Confidential Information stored in the Salmon Run AI Application. Salmon Run AI may update or modify such measures from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Salmon Run AI Application during Customer’s subscription term. Salmon Run AI is not responsible for any breach or loss caused by Customer, Customer’s users or by Customer’s configuration of and deployment specifications for the Salmon Run AI Application.


4.2        Audit Rights. Salmon Run AI will make available to Customer such information as Customer may reasonably request to demonstrate Salmon Run AI’s compliance with the obligations under Data Protection Laws. Salmon Run AI will further allow for and contribute to audits conducted by Customer or an auditor mandated by Customer so long as it is not a competitor of Salmon Run AI. All such information and audit requests and procedures: (a) must be reasonable based on the nature of the Salmon Run AI Application and the categories of Personal Data processed, (b) must be subject to an appropriate confidentiality agreement; and (c) may be made no more than once per year unless otherwise required by instruction of a competent data protection authority. Before the commencement of any such audit, Customer and Salmon Run AI shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Salmon Run AI incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Salmon Run AI. Customer shall promptly notify Salmon Run AI with information regarding any non-compliance discovered during the course of an audit.


4.3       Breach Notice. Salmon Run AI will inform Customer via email without undue delay on its discovery of a Security Incident. Salmon Run AI will take all actions reasonably necessary to remedy or mitigate the effects of the Security Incident. Salmon Run AI will further keep Customer informed of all material developments regarding the incident and provide such information and cooperation as Customer may reasonable require in order to fulfil its data breach reporting obligations under Data Protection Law.


5. Return and deletion of personal data


Upon termination or expiration of the Agreement, Salmon Run AI shall (at Customer’s election) delete or return to Customer all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Salmon Run AI is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Salmon Run AI shall securely isolate, protect from any further processing and eventually delete in accordance with Salmon Run AI’s deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Salmon Run AI to Customer only upon Customer’s written request.


6. Europe-specific provisions


6.1        Cross-Border Data Transfer Mechanisms. The transfer mechanisms listed in Annex B shall apply, in the order of precedence below, to any transfers of Personal Data from member states of the European Union, the European Economic Area and the United Kingdom to countries that have not been designated by the European Commission as providing an adequate level of protection for Personal Data.


6.2        To the extent Salmon Run AI processes Personal Data originating from member states of the European Union, the European Economic Area or the United Kingdom in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection by virtue of the unchanged European Commission-approved version of the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914 (the “SCCs”) as set out in http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm as of the DPA Effective Date, which are incorporated by reference into this DPA. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the SCCs. The information required by Annexes 1 and 2 of the SCCs is provided in Annexes A and B of this DPA.


7.         Miscellaneous


7.1        Limits of Liability. Each party’s liability to the other under this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability in the Agreement.


7.2      Construction; Interpretation. This DPA is not a standalone agreement and is only effective while the Agreement is in effect between Salmon Run AI and Customer. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.


7.3        Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.


7.4        Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties hereto. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.


7.5        Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.


7.6        Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by the GDPR, in which case this DPA will be governed by the laws of the Netherlands.


7.7        Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
 
APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS


1.  Incorporation of SCCs


The parties agree that the SCCs are hereby incorporated by reference into this DPA as follows:


1.1         Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Salmon Run AI Processes Personal Data as a Controller pursuant to the terms of the Agreement, Salmon Run AI and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.


1.2        Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Salmon Run AI Processes Personal Data as a Processor pursuant to the terms of the Agreement, Salmon Run AI and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.


1.3        Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Salmon Run AI Processes Personal Data as a Processor pursuant to the terms of the Agreement, Salmon Run AI and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.


1.4        Module 4: Transfer processor to controller, Clauses 1 to 6, 8, 10 to 12, and 14 to 18 apply where Salmon Run AI Processes Personal Data as a Processor pursuant to the terms of the Agreement, and Salmon Run AI and its relevant Sub-Processor Affiliates are located in the EEA, and Customer and its relevant Affiliates are located in non-adequacy approved third countries.


2.          Standard contractual clause optional provisions


In addition to Section 1.1, where the SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:


2.1        Clause 7 (Docking Clause) is omitted;


2.2        In Clause 9(a) (Use of sub-processors) (Module 2) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;


2.3        In Clause 11(a) (Redress) (Module 1, 2 or 4) – the Optional provision shall NOT apply;


2.4        In Clause 16(b) (Suspension of transfers) if Salmon Run AI is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;


3.          EU optional provisions


3.1        In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of the Netherlands shall govern; and


3.2        In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts of the Netherlands shall have jurisdiction.


4.          UK-specific provisions


4.1        Clause 6 Description of the transfer(s) is replaced with:


“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.”


4.2        References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.


4.3       References to Regulation (EU) 2018/1725 are removed.


4.4       References to the “Union”, “EU” and “EU Member State” are all replaced with “United Kingdom”.


4.5       In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of England and Wales shall govern; and


4.6       In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts in London England shall have jurisdiction.


5.          Supplementary terms to SCCs


5.1        Documentation and compliance. For the purposes of Clause 8.9(b) – Module One, Clause 8.9(e) – Module Two and Clause 8.3 – Module Four the review and audit provisions in the Agreement and DPA shall apply.


5.2       Notification and Transparency. The Parties acknowledge and agree that Salmon Run AI, where required by the SCCs to notify the competent supervisory authority, shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly. 


5.3       For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Salmon Run AI to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the Data Importer) have the option to be the party who makes any communication to the data subject, and Salmon Run AI shall provide the level of assistance set out in the DPA.


5.4       Liability. For the purposes of Clause 12(a), the liability of the parties shall be limited in accordance with the limitation of liability provisions in the Agreement. 


5.5       Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Salmon Run AI and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly. 

Annex A: Details of the processing


Subject Matter of Processing


Salmon Run AI will process Personal Data as necessary to provide the Salmon Run AI Application to Customer pursuant to the Agreement.


Duration of Processing


Salmon Run AI will process Personal Data for the duration of the Agreement until termination of the Agreement, unless otherwise agreed in writing.


Categories of Data Subjects


Salmon Run AI collects Personal Data from Customer’s Users in order to provide the Salmon Run AI Application.


 Nature and Purpose of Processing


The purpose of processing of Customer Personal Data by Salmon Run AI is the provision of the Services pursuant to the Agreement.


Types of Personal Data


Personal Data collected from Customer’s users may include without limitation: Identification Data such as name and email address, and Electronic identification data such as IP address and other online identifiers. Other types of Personal Data includes physical address (for payment purposes), telephone/mobile number, location data, and device ID. Salmon Run AI does not monitor content users introduce into the Salmon Run AI Application. If users add Personal Data to the Salmon Run AI Application (in a Salmon Run AI project within the Services), Salmon Run AI will automatically process that Personal Data.

Sensitive Personal Data Transferred


Customer will not be required to submit sensitive Personal Data to the Services.


Frequency of Transfer of Data

Continuous


Period for which the Personal Data will be retained


The period for which the Personal Data will be retained is more fully described in the Agreement, DPA, and accompanying applicable Order Forms.


Obligations and rights of the Customer


The obligations and rights of Customer as a controller are set out in the Agreement and this DPA.
 
Annex B: Security controls


Description of Salmon Run AI’s Technical and Organizational Security Measures


Salmon Run AI establishes data security in accordance with applicable laws. The Technical and Organizational Security Measures implemented are set forth below. The measures taken are designed to guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must also be taken into account. Salmon Run AI has set out a number of Technical and Organizational Security Measures and may implement alternative adequate measures from time to time, provided such measures will not materially reduce Salmon Run AI’s security level. Salmon Run AI can provide Customer, upon reasonable request, adequate evidence of compliance with its Data Processing obligations under this Agreement. 

  • Measures of pseudonymization and encryption of personal data

  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Measures for user identification and authorization

  • Measures for the protection of data during transmission

  • Measures for the protection of data during storage

  • Measures for ensuring physical security of locations at which personal data are processed

  • Measures for ensuring events logging

  • Measures for ensuring system configuration, including default configuration

  • Measures for internal IT and IT security governance and management

  • Measures for certification/assurance of processes and products

  • Measures for ensuring data minimization

  • Measures for ensuring data quality

  • Measures for ensuring limited data retention

  • Measures for ensuring accountability

  • Measures for allowing data portability and ensuring erasure

‹ Terms of Service

Cookie Policy ›