Data Processing Addendum

Version 4.0.4

Controller and Processor agree to add the following terms to their Services Agreement:

Background

  1. As further described in the Services Agreement, Processor develops and hosts Discourse, an open-source computer software platform for running Internet discussion forums and provides related support services and tools.

  2. Controller’s Discourse forums will be presented under Controller’s branding and subject to any terms or privacy disclosures Controller is required to or elects to provide.

  3. Controller controls the extent of Personal Data collection, use, disclosure, and retention with respect to its forums. This control includes content moderation, authorizing and administering access rights for forum members, the extent to which forums are publicly available or restricted to controlled audiences, administering the type of data collected, and determining data retention.

  4. This addendum adds terms to the Services Agreement for compliance with Data Protection Laws.

Operational Details

Processing Summary

Subject Matter, Nature, and Purpose of Processing

Processor may Process Personal Data only to host Controller’s forums, as described in Background, and provide the Services in accordance with the Services Agreement.

Controller Activities

Controller will use the forum to host discussions and related correspondence among forum members to whom Controller grants access.

Categories of Data Subjects

Processor may Process Controller Personal Data relating to users of Controller’s forum and Controller personnel administering and using the forum.

Categories of Personal Data

Processor may Process Personal Data input into Controller’s forum by Controller’s users and administrators, which may include Personal Data relating to visits to Controller’s forum, Controller’s forum users, administrators, and their accounts, and posts and other activity on the forum.

Special Categories of Personal Data and Sensitive Personal Data

Neither Controller nor Processor will solicit or intentionally collect Special Categories of Personal Data or Personal Data defined as “sensitive” under Data Protection Laws.

Processing Operations

Processor’s Discourse forum software will Process Controller Personal Data to deliver the Services.

Duration of Processing

Processor will Process data for the term of the Services Agreement.

Obligations

The Services Agreement and this addendum set out the obligations and rights of Processor and Controller.

Security Measures

Processor has implemented and will maintain a written security program that includes appropriate administrative, physical, and technical safeguards designed to ensure a level of security appropriate to the risk to the confidentiality, integrity and availability of Controller Personal Data. These safeguards include the security measures required by the Services Agreement.

Assistance Responding to Data Subject Rights

  1. Processor will provide Controller an e-mail address to which Controller can address requests for assistance with Data Subject rights requests.

  2. Processor’s Discourse forum software will provide Controller forum administrators with the ability to change and delete some Controller Personal Data without Processor’s assistance.

Processing of Controller Personal Data

Compliant Processing

Processor agrees to:

  1. comply with all Data Protection Law applicable to Processor’s Processing of Controller Personal Data;

  2. not Sell or Share Controller Personal Data;

  3. not retain, use, or disclose Controller Personal Data for any purpose other than for the specific purpose of performing the Services in accordance with the Services Agreement, including retaining, using, or disclosing such Personal Data for a commercial purpose other than providing the Services in accordance with the Services Agreement;

  4. not retain, use, or disclose Controller Personal Data outside of the direct business relationship between Processor and Controller;

  5. not combine Controller Personal Data received from, or on behalf of, anyone other than Controller except as may be allowed under Data Protection Laws;

  6. comply with applicable obligations under Data Protection Laws and, where applicable, provide the same level of privacy protection required by Data Protection Laws;

  7. allow Controller to take reasonable and appropriate steps to help ensure that Processor uses Controller Personal Data in a manner consistent with Controller’s obligations under Data Protection Laws in accordance with Section 10 (Audit) and take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Controller Personal Data;

  8. notify Controller if Processor makes a determination that it can no longer meet its obligations under Data Protection Laws; and

  9. not Process Controller Personal Data other than on the relevant Controller Company’s written instructions, unless:

    1. Processing is required by law, in which case the Processor agrees to give the Controller Company notice of the legal requirement before Processing, if the law permits; or

    2. Processor determines that an instruction infringes Data Protection Law, in which case Processor will notify Controller without undue delay and cooperate in good faith with Controller to resolve the issue.

Instruction to Process

Each Controller Company instructs Processor, and authorizes Processor to instruct each of its Subprocessors, to Process Controller Personal Data and transfer Controller Personal Data to any country or territory as necessary for the provision of the Services, consistent with the Services Agreement.

Each Controller Company states that it is and will be legally authorized to give the instruction in Instruction to Process.

Required Information

Processing Summary sets out information required by GDPR 28(3). Controller can make amendments to Processing Summary by written notice to Processor as necessary to meet similar requirements of other Data Protection Law. Nothing in Processing Summary confers any right or imposes any obligation on any party to this addendum.

Personnel

Processor agrees to ensure that all Personnel with access to Controller Personal Data have obligations to keep them confidential under contracts, professional obligations, or legal requirements.

Subprocessing

Appointing Subprocessors

Each Controller Company authorizes Processor to appoint Subprocessors, and each of the Subprocessors to appoint Subprocessors in turn, and so on, under Subprocessing and any restrictions in the Services Agreement.

Current Subprocessors

Controller generally authorizes Processor to use Subprocessors as long as those Subprocessors meet the requirements of Subprocessor Requirements. Processor’s Subprocessors used as of the date of this addendum are listed at https://discourse.org/subprocessors.

Notice and Objection

Processor agrees to give Controller prior written notice of the appointment of any new Subprocessor, describing the Processing the Subprocessor will do. If Controller gives Processor written notice of a reasonable objection on data protection grounds within fourteen calendar days:

  1. Processor agrees to work with Controller in good faith to address Controller’s objection.

  2. If Processor and Controller cannot resolve Controller’s objection in good faith within thirty calendar days of receipt of Controller’s objection, Controller may terminate the Services Agreement to the extent of any Services that require the new Subprocessor.

Subprocessor Requirements

Processor must:

  1. ensure the relationship with a Subprocessor is governed by a written contract requiring at least a substantially similar level of protection for Controller Personal Data as provided in this addendum;

  2. remain fully liable to Controller for the performance of the Subprocessor’s data protection obligations where the Subprocessor fails to fulfill those data protection obligations; and

  3. ensure any Restricted Transfer is conducted in accordance with Data Protection Law, including by executing relevant Standard Contractual Clauses with the Subprocessor where appropriate.

Data Subject Rights

  1. Processor agrees to implement the appropriate technical and organizational measures listed in Assistance Responding to Data Subject Rights to help each Controller Company with its obligation to respond to requests to exercise Data Subject rights under Data Protection Law.

  2. Processor agrees to:

    1. notify Controller promptly if Processor receives a request from a Data Subject under Data Protection Law about Controller Personal Data; and

    2. ensure that it does not respond to that request unless otherwise required by applicable law, except on written instructions from the Controller or the relevant Controller Affiliate.

  3. To the extent permitted by applicable law, Processor agrees to notify Controller before it responds to a request because it is required to do so by applicable law.

Data Breach

Data Breach Notice

Processor agrees to notify Controller without undue delay when Processor or any Subprocessor becomes aware of a Personal Data Breach affecting Controller Personal Data. Where possible and on Controller’s written request, Processor agrees to promptly provide available information about:

  1. the nature of the Personal Data Breach;

  2. the estimated categories and number of Data Subjects affected;

  3. the estimated categories and number of Controller Personal Data records affected;

  4. contact information for Personnel who can answer further questions; and

  5. measures taken or planned to address the Personal Data Breach.

Data Breach Cooperation

Processor agrees to cooperate with each Controller Company to investigate, mitigate, and remediate any Personal Data Breach.

Impact Assessment and Prior Consultation

Processor agrees to assist each Controller Company with data protection impact assessments and prior consultations with any Supervisory Authority or other competent data privacy authority required by GDPR 35, GDPR 36, or similar provisions of other Data Protection Law, by answering questions about the Processing of Controller Personal Data by Processor.

Deletion or Return

Obligation to Delete

Subject to Option to Return and Data Retention, Processor agrees to delete all copies of Controller Personal Data within thirty calendar days of the End of Services.

Option to Return

Subject to Data Retention, Controller may give Processor written notice up to fourteen calendar days after the End of Services that Processor must instead return one complete copy of all Controller Personal Data that Processor has to Controller by secure file transfer in standard file formats and delete other copies. Processor agrees to return the copy requested within thirty calendar days of receiving Controller’s notice.

Data Retention

Processor may retain Controller Personal Data as required by applicable law. Processor agrees to keep them confidential, and to ensure they are only Processed as necessary for purposes required by Data Protection Law.

Audit

Audit Obligations

To the extent information and audit rights under the Services Agreement fall short of what GDPR 28(3)(h) and similar provisions of other Data Protection Law require, Processor agrees to:

  1. provide information on written request from any Controller Company, as necessary to demonstrate compliance with this addendum; and

  2. grant access for, and cooperate with, audits and inspections of compliance with this addendum by any Controller Company.

Audit Procedure

Notice of Audit

Each Controller Company agrees to give Processor at least thirty calendar days’ prior written notice of any audit or inspection under Audit Obligations.

Minimize Disruption

Each Controller Company agrees to ensure that Controller Company Personnel and auditor Personnel take reasonable steps to avoid and minimize damage, injury, and disruption to the premises, equipment, personnel, and business of Processor and every Subprocessor.

Audit Limits

Processor is not required to give access for an audit or inspection:

  1. to anyone without reasonable evidence of identity or authority;

  2. outside normal business hours;

  3. more than once per calendar year, unless Data Protection Law requires the Controller Company to audit more frequently; or

  4. by anyone not subject to contractual confidentiality obligations covering the audit, on terms acceptable to Processor.

Restricted Transfers

Standard Contractual Clauses

Subject to Modules, Options, and Specifications, the Standard Contractual Clauses are incorporated into this addendum by reference to safeguard any Restricted Transfer from Controller to Processor.

Modules, Options, and Specifications

  1. The Standard Contractual Clauses are incorporated into this addendum using module two for controller-to-processor transfers.

  2. The parties choose option 2 for subclause 9(a) and specify a time period of 14 calendar days for Processor to give Controller notice of intended additions and replacements to the list of Subprocessors.

  3. Under clause 17, the parties specify the law of Ireland as governing the Standard Contractual Clauses where necessary under the Standard Contractual Clauses to provide for third-party beneficiary rights.

  4. Under clause 18(b), the parties specify the courts of Ireland as the choice of forum for disputes arising from the Standard Contractual Clauses.

  5. The parties include optional clause 7 (Docking clause).

  6. The parties omit the optional paragraph on independent dispute resolution in clause 11(a) (Redress).

  7. The Appendix to the Standard Contractual Clauses and the Annexes referred to therein are attached to this addendum as the Appendix.

Territorial Amendments

Where a Restricted Transfer is made from the United Kingdom or Switzerland, the parties amend or supplement the Standard Contractual Clauses as follows:

United Kingdom Amendments

For any Restricted Transfer originating from the United Kingdom and subject to United Kingdom Data Protection Law, the parties agree to the terms of the International Data Transfer Addendum from the date of the Restricted Transfer, completed as follows:

  1. the details in Table 1 are populated with the corresponding information set out in this addendum;

  2. Table 2 reflects the use of the Standard Contractual Clauses detailed in this addendum; and

  3. Table 4 provides that either party may end the International Data Transfer Addendum under Section 19 of the International Data Transfer Addendum.

Switzerland Amendments

For any Restricted Transfer originating from Switzerland and subject to Swiss Data Protection Law, the Standard Contractual Clauses are amended as follows:

  1. the competent supervisory authority is the Federal Data Protection and Information Commissioner of Switzerland;

  2. references to GDPR refer to Swiss Data Protection Law;

  3. the sentence “Data subjects having habitual residence in Switzerland may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland.” is added to the end of Clause 18(c); and

  4. the Standard Contractual Clauses also protect the rights of legal entities until protection for legal entities is no longer available under Swiss Data Protection Law.

General Terms

Governing Law and Jurisdiction

Other than as superseded by the Standard Contractual Clauses, the dispute resolution, venue, and forum provisions of the Services Agreement apply to this addendum.

Order of Precedence

This Addendum Replaces Any Prior Addendum

This addendum terminates and replaces any prior data protection addendum the parties may have agreed to for their Services Agreement.

Standard Contractual Clauses Trump this Addendum

Where this addendum and the Standard Contractual Clauses conflict, the Standard Contractual Clauses take precedence.

This Addendum Trumps Other Agreements

Where this addendum conflicts with other agreements between the parties, such as the Services Agreement, signed before or after this addendum, this addendum takes precedence.

Changes in Data Protection Law

Amendments for Compliance

Controller may propose amendments to the Standard Contractual Clauses to allow any Restricted Transfer to continue without breaching Data Protection Law as required by:

  1. a change in Data Protection Law;

  2. a court or regulator decision under Data Protection Law; or

  3. the use of the Standard Contractual Clauses to safeguard any Restricted Transfer subject to Data Protection Law other than the GDPR.

Amendments to Address New Risks

If Controller gives notice under Amendments for Compliance, Controller agrees not to unreasonably withhold or delay agreement to any amendments to this addendum proposed by Processor to protect Processor or any Subprocessor from additional risks posed by the amendment to the Standard Contractual Clauses.

Good Faith Negotiation

If Controller gives notice under Amendments to Address New Risks, the parties agree to negotiate amendments to address the requirements identified in Controller’s notice in good faith, as soon as practical.

Amendment without Affiliates

Neither Controller nor Processor needs the consent or approval of any Affiliate to amend this addendum, including under Amendments to Address New Risks.

Severance

The parties intend that:

  1. any part of this addendum held invalid or unenforceable be changed to the minimum extent necessary to make it enforceable;

  2. any part of this addendum that cannot be changed to make it enforceable be disregarded; and

  3. the rest of this addendum remains in force, unless that frustrates the essential purpose of this addendum: to meet the requirements of Data Protection Law for Processing of Controller Personal Data as part of the Services.

Definitions

  1. Affiliate means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with another entity, where control means having direct or indirect power to direct the management and policies, through ownership of voting securities, contract, or otherwise.

  2. Services Agreement means the agreement for services between Controller and Processor, signed before this addendum or along with it.

  3. End of Services means the date Processor stops providing Services under the Services Agreement.

  4. CCPA means the California Consumer Privacy Act of 2018, as amended from time to time.

  5. Controller Affiliate means an Affiliate of Controller.

  6. Controller Company means Controller or any Controller Affiliate.

  7. Controller Personal Data means any Personal Data Processed by Processor under the Services Agreement on behalf of a Controller Company.

  8. Data Protection Law means laws applicable to Processor’s Processing of Personal Data under the Services Agreement including the GDPR and the CCPA.

  9. Data Subject means an identified or identifiable natural person.

  10. GDPR means EU General Data Protection Regulation 2016/679.

  11. Personal Data means information relating to a Data Subject that Processor Processes on behalf of Controller pursuant to the Services Agreement and this addendum.

  12. Personnel means employees, agents, and contractors.

  13. Process (and related conjugations) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data.

  14. Restricted Transfer means an international transfer of Controller Personal Data from the European Economic Area, Switzerland, or the United Kingdom that Data Protection Law would prohibit without an adequacy decision or use of an appropriate safeguard.

  15. Sell means exchanging Personal Data with a third party for money or other valuable consideration.

  16. Services means services provided under the Services Agreement.

  17. Share means to disclose Personal Data to a third party for targeted or cross-context behavioral advertising purposes.

  18. Standard Contractual Clauses means the standard contractual clauses for international transfers approved by the European Commission on June 4, 2021, in the English language.

  19. International Data Transfer Addendum means the addendum issued by the United Kingdom Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.

  20. Subprocessor (plural Subprocessors) means anyone appointed by or on behalf of Processor to Process Controller Personal Data on behalf of any Controller Company in connection with the Services Agreement.

  21. Personal Data Breach, Special Categories of Personal Data, and Supervisory Authority have the same meanings as in GDPR.

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: as on Controller’s signature page to the data processing addendum

Address: as on Controller’s signature page to the data processing addendum

Contact person’s name, position and contact details: as on Controller’s signature page to the data processing addendum

Activities relevant to the data transferred under these Clauses: The data importer provides services to the data exporter under the Services Agreement.

Signature and date: Controller’s signature to the data processing addendum acts also as data exporter’s signature to these standard contractual clauses.

Role (controller/processor): controller

Data importer(s):

Name: as on Processor’s signature page to the data processing addendum

Address: as on Processor’s signature page to the data processing addendum

Contact person’s name, position and contact details: as on Processor’s signature page to the data processing addendum

Activities relevant to the data transferred under these Clauses: The data importer provides services to the data exporter under the Services Agreement.

Signature and date: Processor’s signature to the data processing addendum acts also as data importer’s signature to these standard contractual clauses.

Role (controller/processor): processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

as described in the Processing Summary section of the data processing addendum

Categories of personal data transferred

as described in the Processing Summary section of the data processing addendum

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

as described in the Processing Summary section of the data processing addendum

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

continuous

Nature of the processing

as described in the Processing Summary section of the data processing addendum

Purpose(s) of the data transfer and further processing

enabling the Processor to perform its obligations under the Services Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

as described in the Processing Summary section of the data processing addendum

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

as above

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Data Protection Commission, Ireland

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

measures at least as protective as those described in the Security Measures section of the data processing addendum

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

measures at least as protective as those described in the Security Measures section of the data processing addendum