Effective date: April 20, 2023
This Cyango Data Processing Addendum (this "DPA") forms part of and is subject to the provisions of the Agreement. This DPA will apply to the extent Customer is subject to relevant Data Protection Laws.
Capitalized terms that are used but not defined in this DPA have the meanings given to them in the Agreement.
1.1. “Affiliate” means an entity that directly or indirectly controls (e.g., subsidiary), is controlled by (e.g., parent), or is under common control with (e.g., sibling) such party; and the term “control” (including the terms “controlled by” and “under common control with”) means either: (a) ownership or control of more than 50% of the voting interests of the subject entity; or (b) the power to direct or cause the direction of the management and policies of an entity, whether through ownership, by contract, or otherwise.
1.2. “Agreement” means any services agreement including, but not limited to, Cyango’s Terms of Service, a Master Subscription Agreement, or other services agreement between Cyango and Customer under which the Service is provided by Cyango to Customer.
1.3. “Authorized Affiliate” means Customer's Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Service pursuant to the Agreement between Customer and Cyango; and (c) have not signed their own Agreement with Cyango and are not "Customers" as defined under this DPA.
1.4. “Controller” means the entity that determines the purposes and means of the Processing of Personal Information.
1.5. “Customer” means the entity and the entity’s Authorized Affiliates that agree to be bound by the Agreement and this DPA.
1.6. “Customer Account Data” means Personal Information that relates to the Customer’s relationship with Cyango, including the names or contact information of the business point(s) of contact between the Customer and Cyango, individuals, Customer billing information, and customer relationship management information.
1.7. “Customer Workforce” means any Data Subjects who are employees, contractors, representatives, or other individuals engaged by Customer who have access to the Service via a user account.
1.8. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer’s Personal Information transmitted, stored, or otherwise Processed.
1.9. “Data Protection Laws” means all applicable laws and regulations applicable to Cyango’s processing of Personal Information under the Agreement, including GDPR, all as amended or replaced from time to time.
1.10. “Data Subject” means an individual whose Personal Information is subject to Data Protection Laws.
1.11. “EEA” means the European Economic Area.
1.12. “End User” means any Data Subject accessing or otherwise using Customer’s Website Content.
1.13. “EU Standard Contractual Clauses” or “EU SCCs” means the annexe found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021, at data.europa.eu/eli/dec_impl/2021/914/oj) and any amendments, replacements, or updated standard contractual clauses as recognized and approved by the European Commission from time to time.
1.14. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.15. “Personal Information” means any information relating to a Data Subject.
1.16. “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.17. “Processor” means the entity which Processes Personal Information on behalf of the Controller.
1.18. “Regulator” means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Service or the Processing of Personal Information.
1.19. “Service” means access to Cyango’s software-as-a-service platform and the related virtual reality technology products and services as subscribed to by the Customer.
1.20. “Subprocessor” means any Processor engaged by Cyango to Process Personal Information on behalf of Cyango.
1.21. “Website Content” means any content that the Customer submits, posts, displays, or otherwise makes available on or via the Service.
The Parties hereby agree that with regard to the processing of Customer Personal Information, Customer may act either as a Controller or Processor and Cyango is a Processor for all Customer Personal Information except for Customer Account Data as set forth in Section 2.2 (Cyango as a Controller of Customer Account Data). Cyango will process Customer Personal Information in accordance with the Customer’s instructions as set forth in Section 3.1 (Instructions).
The parties hereby agree that, with regard to the processing of Customer Account Data, Cyango is an independent Controller, not a joint Controller with Customer. Cyango will process Customer Account Data as a Controller: (a) to manage the relationship with Customer; (b) to carry out Cyango’s core business operations, such as accounting and filing taxes; (c) to detect, prevent, or investigate Data Breaches, fraud, and other abuse or misuse of the Service; (d) to comply with applicable law; and (e) as otherwise permitted under Data Protection Law and in accordance with this DPA, the Agreement, and Cyango’s Privacy Policy.
The customer instructs Cyango when acting as a Processor, to Process Customer's Personal Information to provide the Service. The Customer warrants that the instructions it provides to Cyango pursuant to this DPA will comply with Data Protection Laws.
Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Information, in accordance with Data Protection Laws. To the extent such requests or communications require Cyango’s assistance, Customer shall immediately notify Cyango in writing of the Data Subject’s or Regulator’s request.
The customer agrees that the Personal Information it collects shall be in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorizations. Upon Cyango’s request, the Customer shall provide all information necessary to demonstrate compliance with these requirements.
Cyango will Process the Personal Information on documented instructions from Customer in such manner as is necessary for the provision of the Service under the Agreement, except as may be required to comply with any legal obligation to which Cyango is subject.
Cyango may make a reasonable effort to inform Customer if, in its opinion, the execution of an instruction relating to the Processing of Personal Information could infringe on any Data Protection Laws. In the event Cyango must Process or cease Processing Personal Information for the purpose of complying with a legal obligation, Cyango will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.
Cyango will grant access to Customer Personal Information to its personnel only to the extent strictly necessary for implementing, managing and monitoring the Service. Cyango shall ensure that personnel authorized to Process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Cyango shall implement appropriate technical and organizational measures to ensure the security of Personal Information including protection against a Data Breach. In complying with its obligations under this paragraph, Cyango shall implement the technical and organizational measures specified in Schedule II.
Cyango shall notify Customer without undue delay in the event of a confirmed Data Breach.
Taking into account the nature of the Processing and the information available to Cyango, Cyango will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
Cyango shall promptly notify Customer of any request it has received from a Data Subject. Cyango shall not respond to the request itself unless authorized to do so by Customer. Cyango shall provide reasonable assistance to Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws.
Following termination of the Agreement, Cyango shall, at the choice of Customer, delete or return all Customer Personal Information processed on its behalf unless such continued processing is otherwise required by applicable law or regulations.
Cyango shall make available to the Customer all information necessary to demonstrate compliance with GDPR. At the Customer’s request, Cyango shall also permit and contribute to audits in the manner prescribed in Section 6 of this DPA (Audit).
Except as expressly provided in this DPA, Cyango will not disclose Customer Personal Information to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose Customer Personal Information, to the extent legally permissible and practicable, Cyango will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
Cyango will maintain records of its Processing activities carried out on behalf of Customer and will make available to Customer the information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. Cyango may limit the scope of information made available to Customer if Customer is a Cyango competitor, provided that such limitation does not violate Data Protection Laws or the EU Standard Contractual Clauses. Customer’s inspection rights under this DPA do not extend to Cyango’s employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Service or to the extent they pertain to third parties.
Subject to thirty (30) days prior written notice from Customer and at the Customer's additional expense (including all reasonable costs and fees for any and all time Cyango expends on such audit, in addition to the rates for services performed by Cyango), Cyango and Customer shall mutually agree to appoint a third-party auditor to verify that Cyango is in compliance with the obligations under this DPA. In no event shall the Parties agree to a third-party auditor that is a competitor to Cyango. Audits and inspections will be carried out at mutually agreed times during regular business hours. The customer shall be entitled to exercise this audit right no more than once every twelve (12) months. The customer shall not be entitled to an on-site audit of Cyango’s premises unless legally required by a Regulator.
All information obtained during any such request for information or audit will be considered Cyango’s Confidential Information under the Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Cyango’s Confidential Information. The third-party auditor may only disclose to the Customer specific violations of this DPA, if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
To the extent Cyango processes Personal Information originating from and protected by Data Protection Laws in one of the jurisdictions listed in Schedule 3 (Jurisdiction Specific Terms), the terms specified in Schedule 3, with respect to the applicable jurisdiction(s), will apply.
Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
This DPA shall be subject to the limitations of liability agreed between Customer and Cyango in the Agreement and such limitation shall apply in aggregate for all claims under the Agreement and DPA.
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.
Cyango may update the terms of the DPA from time to time; provided, however, Cyango will provide Customer reasonable written notice to Customer when Cyango makes a material update to the DPA.
Data exporter:
Name: Customer, the user of the Service.
Contact Details: Specified in the signature block above.
Activities relevant to the data transfer: Use of the Service.
Role: Controller and/or Processor depending on the type of processing as set forth below.
Data importer:
Name: Cyango, provider of the Service.
Contact Details: Rua Circular Norte do PITE, NERE, 7005-841 Évora, Portugal.
Activities relevant to the data transfer: Provisioning of the Service.
Role: Controller and/or Processor depending on the type of processing as set forth below.
Categories of data subjects whose personal data is transferred:
Module One (Controller to Controller):
Module Two (Controller to Processor) and Module Three (Processor to Processor):
Categories of personal data transferred:
Module One (Controller to Controller):
Module Two (Controller to Processor) and Module Three (Processor to Processor):
Sensitive data transferred (if applicable):
Module One (Controller to Controller):
Module Two (Controller to Processor) and Module Three (Processor to Processor):
Frequency of the transfer:
Module One (Controller to Controller), Module Two (Controller to Processor), and Module Three (Processor to Processor):
Purposes of the data transfer and further processing:
Module One (Controller to Controller), Module Two (Controller to Processor), and Module Three (Processor to Processor):
The period for which the personal data will be retained:
Module One (Controller to Controller):
Module Two (Controller to Processor) and Module Three (Processor to Processor):
Module One (Controller to Controller), Module Two (Controller to Processor), and Module Three (Processor to Processor):
Cyango has a SOC 2 Type II certification and is dedicated to the continued validation of its security program. Specifically, Cyango implements the following security measures with respect to Personal Information:
a. Cyango’s infrastructure is managed via Amazon Web Services’ ISO 27001 certified data centres, and hosted in multiple regions and availability zones.
b. All database servers are isolated inside virtual private networks, and accessible only by key personnel via multi-factor authentication.
c. All-access to production environments is logged, and access can be immediately revoked.
a. All data operations are mirrored to a redundant secondary database.
b. All data is backed up on a daily basis and stored on highly-redundant storage media in multiple availability zones.
c. All data is encrypted at rest using Amazon’s EBS encryption functionality.
a. User account passwords are hashed using a secure low-entropy key derivation function, which protects against brute-force attacks.
b. All applications are served exclusively via TLS with a modern configuration.
c. All login pages have brute-force logging and protection.
d. Two-factor authentication is supported and is mandatory for all internal administrator functions of the application.
e. All code changes to our applications require code reviews via an enforced code review process.
f. Automated code and dependency analysis tools are in place to identify emergent security issues.
g. Regular application security penetration tests are conducted by different vendors. These tests include high-level server penetration tests across various parts of our platform (i.e. Dashboard, Designer, Editor, Hosted Sites), as well as security-focused source code reviews.
a. All new employees are given security and data privacy training, tailored to their job functions.
b. All employees undergo regular security best practices and data privacy training.
c. All developers undergo advanced application security and privacy training.
d. All new product changes and improvements undergo a data privacy assessment before any project proceeds to implementation.
a. Cyango only uses cloud providers that have confirmed they have implemented and maintain Security Measures in compliance with Article 32 of the GDPR, in storing and keeping secure Personal Information.
a. Cyango has a dedicated security and privacy team to respond to Controller requests and inquiries. Taking into account the nature of the Processing and to the extent reasonably possible, Cyango will assist Controller in fulfilling its obligations in relation to Data Subject requests and compliance obligations under applicable Data Protection Laws. This team can be contacted at info[at]cyango.com
b. Cyango will not disclose Personal Information to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose the Personal Information, to the extent legally permissible and practicable, Cyango will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
To the extent that the California Consumer Privacy Act of 2018 (“CCPA”)(California Civil Code sections 1798.100 - 1798.199) applies, Cyango agrees it will not: (a) sell California Consumers’ Personal Information (as “sell” is defined in the CCPA); (b) retain, use, or disclose California Consumers’ Personal Information for a commercial purpose other than providing the Service specified in the Agreement; (c) retain, use, or disclose California Consumers’ Personal Information outside of the direct business relationship between Customer and Cyango.
Cyango certifies that it understands these restrictions set out in this section and will comply with them.
2.1 The definition of “Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
2.2 To the extent that Personal Information transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 1.2 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
a. references to "EU Member State" and "Member State" will be interpreted to include Switzerland, and
b. insofar as the transfer or onward transfers are subject to the FADP:
i. references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
ii. the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
iii. in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
iv. in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).