Last updated July 15th, 2024
This Data Processing Agreement (“DPA”) supplements the Terms of Use Agreement (the DPA, along with the Terms of Use, is collectively referred to as the “Agreement”) entered into between IceBrkn Holdings, Inc. (“IceBrkn”) and the Customer (if an individual, or a business customer collectively with its affiliates and subsidiaries worldwide, either may be referred to as “Customer”). The terms of this DPA are incorporated by reference therein. This DPA shall apply to all Processing of Customer Personal Data by IceBrkn to provide the Product as agreed to in the Agreement.
If there is any conflict between this DPA and the Terms of Use, this DPA shall prevail solely to the extent of such conflict.
1. DEFINITIONS
In this DPA, the following terms shall have the meanings set out below and their cognate terms shall be construed accordingly:
1.1 Customer Data has the meaning given to it in the Terms of Use.
1.2 Customer Personal Data means any Customer Data that is Personal Data processed by IceBrkn in connection with the performance of the Product. Customer Data does not include Out of Scope Customer Personal Data (as defined in Section 3.1 below).
1.3 Data Breach means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to Customer Data or Confidential Information, or any other unauthorized Processing of Customer Personal Data that may adversely affect the privacy or security of individuals or the Customer. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Data or Confidential Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.
1.4 Data Protection Laws means all applicable laws relating to privacy, security, or protection of Personal Data, as may be defined in such laws, including the EEA Law, U.S. State Privacy Laws such as the California Consumer Protection Act (“CCPA”) as amended by the California Privacy Rights Act of 2021 (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
1.5 EEA means the European Economic Area and the European Union, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).
1.6 EEA Law means EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) and any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), and any other law relating to the data protection, security, or privacy of individuals that applies in the EEA.
1.7 Personal Data means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or with a particular individual’s or household’s device; or to the extent required by any applicable Data Protection Law any inferences drawn therefrom. Personal Data includes, but is not limited to, name, alias, postal address, identification number, phone number, physical address, email address, details of orders and fulfillments, location data, online identifiers such as internet protocol addresses, cookie or other unique identifiers or as otherwise defined (including under similar terms such as “personal information,” “personal health information,” “personally identifiable information,” and “sensitive personal information”) under Data Protection Laws.
1.8 Process, processed, or processing means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.
1.9 Services means services provided by IceBrkn as agreed to and defined in the Agreement.
1.10 Standard Contractual Clauses means the standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of EEA Personal Data to Third Countries as adopted by the European Commission or Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (UK ICO) for data transfers from the UK to Third Countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.
1.11 Third Country means countries that have not received an adequacy decision from an applicable regulator relating to cross-border transfers of Personal Data, including regulators such as the European Commission, UK ICO, or Swiss FDPIC relating to data transfers.
1.12 The terms “Business”, “business purpose”, Controller, Data Processor, Subprocessor, Data Subjects, Deidentify, Sell, Service Provider, Share, and Third Party shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.
2. GENERAL DATA PROCESSING OBLIGATIONS
2.1 Role of Parties. The parties acknowledge and agree that with respect to processing of Customer Personal Data, IceBrkn is a Data Processor and a Service Provider (collectively “Processor”) and Customer is a Controller, except that if Customer is a Data Processor, IceBrkn is a Subprocessor. If Customer is a Processor of Customer Personal Data, Customer represents and warrants that Customer’s instructions and Processing of Customer Personal Data, including its appointment of IceBrkn as a Subprocessor, have been authorized by the respective Controller.
This DPA shall apply solely to the Processing of Customer Data by IceBrkn acting as a Processor or Subprocessor to provide the Services.
2.2 Compliance with Data Protection Laws. Each party will comply with obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data.
2.3 Purpose of Processing. The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement and related ordering documentation. Exhibit 1 (Details of Processing of Customer Personal Data) describes the subject matter and details of the Processing of Customer Personal Data.
2.4 Customer Instructions and Restrictions on Processing.
2.4.1. IceBrkn shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of the Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. IceBrkn shall not Sell or Share Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with the Customer or for any other purpose except as required by law. IceBrkn will inform Customer if IceBrkn determines that it is no longer able to meet its obligations under Data Protection Laws or where, in IceBrkn’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws. Customer reserves the right to take reasonable and appropriate steps to ensure IceBrkn’s Processing of Customer Personal Data is consistent with Customer’s obligations under Data Protection Law and discontinue and remediate unauthorized use of Customer Personal Data.
2.4.2. IceBrkn shall have rights to use Customer Personal Data solely (i) to the extent necessary to (a) perform its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Service including as part of its business operations; (c) to disclose aggregate statistics about the Service in a manner that prevents individual identification or reidentification of the Customer, Customer Data, any individual device, or individual person; and/or (d) protect the Service from a threat to the Service or Customer Personal Data; or (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to the Customer; (iii) as otherwise expressly authorized by the Customer or Data Protection Law.
2.4.3. Except where authorized by Customer, IceBrkn will not combine the Customer Personal Data with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with an individual, provided that IceBrkn may combine Personal Data to perform any business purpose permitted or required under the Agreement to perform the Services.
2.4.4 The obligations imposed by this Section 2.4 apply to Personal Data only to the extent that Data Protection Laws require such obligations with respect to the Personal Data.
3. CUSTOMER’S OBLIGATIONS
3.1 Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data that Customer provides or causes to provide to the Service, including without limitation the means by which Customer collected or obtained Customer Personal Data. Customer will use commercially reasonable efforts not to provide or cause to provide any data or information with Customer Personal Data that is not typically included in equity financing or fund transaction documents (“Out of Scope Customer Personal Data”). If IceBrkn discovers such Out of Scope Customer Personal Data, IceBrkn may notify Customer that such information must be removed. If Out of Scope Customer Personal Data is provided, it will be handled with the same set of security requirements as all other data on the IceBrkn platform. Customer is solely responsible for the security and integrity of any of Customer’s systems from where Customer Personal Data is provided to IceBrkn.
3.2 Customer shall, in its use of the Services, Process Customer Personal Data in compliance with the requirements of Data Protection Laws, including any applicable industry standards and self-regulatory programs that are binding on Customer. Customer shall be responsible for complying with any notice and consent obligations under such Data Protection Laws.
3.3 Customer understands and agrees that Customer is solely responsible for its own actions and activity in connection with the Customer Account and that Customer will keep its account passwords and login information confidential.
4. CONFIDENTIALITY OBLIGATIONS
Each party agrees, both during and after termination of this Agreement, to hold the Confidential Information in the strictest confidence and comply with the applicable confidentiality obligations in the Terms of Use.
5. ICEBRKN OBLIGATIONS
5.1 Data Protection Compliance Assistance.
5.1.1 Where IceBrkn is acting as a Processor, IceBrkn will reasonably assist Customer in complying with its obligations under the applicable Data Protection Laws, including without limitation, conducting data protection impact assessments, and any consultations with the supervisory or regulatory authority.
5.1.2 IceBrkn shall not perform its obligations under this Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Laws.
5.2 Data Subject Rights.
5.2.1 Where IceBrkn is acting as a Processor or Subprocessor, IceBrkn will promptly notify Customer in writing, and in any case without undue delay, if IceBrkn receives (i) any requests from a Data Subject, with respect to Customer Personal Data, including individual opt-out requests, requests for access and/or deletion and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Customer Personal Data, including allegations that the Processing infringes on any individual’s or third party’s rights. IceBrkn will not respond to any such request or complaint unless expressly authorized to do so by Customer or required to respond under applicable Data Protection Laws.
5.2.2 To the extent Customer, in its use of the Services, does not have the ability to respond to a request under this Section 5, IceBrkn shall upon Customer’s written request provide reasonable assistance to the Customer in responding to such request.
5.2.3 IceBrkn shall comply with any instructions given by the Customer regarding responding to requests under this Section 5.
5.3 Subprocessors.
5.3.1 IceBrkn will select and retain Subprocessors that have agreed by written contract to comply with terms substantially similar to those contained in this DPA to assist IceBrkn in performing its rights and obligations under the Agreement. To the extent required by applicable Data Protection Law, IceBrkn will (i) provide Customer with a list of its Subprocessors upon request; and (ii) enable Customer to terminate the applicable Services without penalty by providing, before the end of the notice period, written notice of termination that includes an explanation of the grounds for non-approval if Customer does not approve of a new Subprocessor.
5.3.2 For EEA Customer Personal Data, Customer authorizes IceBrkn to use Vendor’s Subprocessors (as described in Clause 9 of the Standard Contractual Clauses). IceBrkn shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors in accordance with Clause 9(a) of the Standard Contractual Clauses. Where that Subprocessor fails to fulfil its data protection obligations, IceBrkn shall remain fully liable to Customer for the performance of its Subprocessor’s obligations. Without limiting the foregoing, IceBrkn will develop and use reasonable steps to select and retain Subprocessors that assist IceBrkn in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessor to agree by written contract to comply with terms substantially similar to those contained in this DPA.
5.4 Staff Confidentiality. IceBrkn shall implement policies and procedures designed to ensure that all employees, agents, officers, consultants, Subprocessors and any third party authorized to Process the Customer Personal Data or Confidential Information are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality.
5.5 Security. IceBrkn will implement and maintain commercially reasonable administrative, technical and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Personal Data and Confidential Information and the nature of its activities under the Agreement, to protect the security, confidentiality and integrity of such information Processed by IceBrkn or in its possession and control including such safeguards (a) designed to ensure the security of systems upon which such information is Processed; and (b) designed to prevent a Data Breach. The technical and organizational measures designed to ensure the security of Customer Personal Data are described more fully in Exhibit 2 (IceBrkn Security Measures) to the DPA.
5.6 Data Breach.
5.6.1. In the event IceBrkn discovers or learns of a Data Breach affecting Customer Data, IceBrkn shall take appropriate and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach and prevent further Data Breaches, (b) notify Customer of such Data Breach without unreasonable delay; (c) furnish to Customer necessary and relevant details of the Data Breach as may be available; (d) assist Customer, as needed, in its investigation, mitigation, and remedying of the Data Breach; (e) provide information and reasonably assist Customer, as needed, in meeting Customer’s legal obligations, including any applicable obligations to notify individuals affected by the Data Breach; and (f) cooperate with Customer in any other reasonable action, step, or proceeding as may be deemed necessary by Customer in connection with the Data Breach and any dispute, inquiry or claim concerning the Data Breach.
5.6.2. Unless prohibited by an applicable statute or court order, IceBrkn shall notify Customer of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
5.6.3. IceBrkn will comply with any reasonable instructions given by the Customer regarding any requests in connection with a Data Breach.
5.6.4. IceBrkn’s cooperation or obligation to report or respond to Data Breaches under this DPA is not and will not be interpreted as an acknowledgment by IceBrkn of any fault or liability of IceBrkn with respect to a Data Breach.
5.7 Verification.
To ensure that IceBrkn complies with applicable Data Protection Laws and its contractual obligations regarding data privacy and security, the Customer agrees that IceBrkn is not required to provide the Customer with access to the IceBrkn’s systems or information in a manner that may compromise the security, privacy, or confidentiality of IceBrkn’s other Customers’ confidential or proprietary information. Any information disclosed pursuant to this Section 5.7 will be deemed IceBrkn’s Confidential Information.
6. DATA TRANSFERS
6.1. Transfers of EEA Customer Personal Data by Customer to IceBrkn or IceBrkn to Customer in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”), and Module Three (“Processor to Processor”) attached to this DPA and incorporated by reference. The information required for the purposes of the SCCs is provided in Exhibit 1 (“Description of Processing and Transfer Details”) to this DPA. The Parties agree that the SCCs are incorporated into this DPA without further need for reference, incorporation, or attachment and that by signing the Agreement and executing this DPA, each party is deemed to have signed and executed the SCCs.
6.2 Where the Customer Personal Data is subject to the Swiss DPA, the SCCs above shall be read to be modified as follows as applicable:
a. References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA.
b. References to “EU”, “Union” and “Member State” shall be interpreted to include references to “Switzerland”.
6.3 For Customer Personal Data transfers subject to UK Data Protection Law and transferred in accordance with the UK Transfer Addendum, the Parties agree as follows:
a. Each Party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, in exchange for the other Party also agreeing to be bound by the UK Transfer Addendum.
b. The Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum.
c. Sections 9 to 11 of the UK Transfer Addendum override Clause 5 (Hierarchy) of the EU SCCs.
d. For the purposes of Section 12 of the UK Transfer Addendum, the EU SCCs will be amended in accordance with Section 15 of the UK Transfer Addendum.
e. Information required by Part 1 of the UK Transfer Addendum is provided as Exhibit 1 to this DPA.
f. To the extent that any revised transfer addendums or mechanisms are issued by the UK ICO, the Parties agree to incorporate such revisions in accordance with Section 18-20 of the UK Transfer Addendum.
6.4. For Customer Personal Data transfers that are subject to other Data Protection Laws and require the use of SCCs (or other measures) to transfer Customer Personal Data to Third Countries, the parties agree to implement the same as soon as practicable and document such requirements for implementation.
6.5. To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws are required to transfer data to a Third Country the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.
7. RETURN OR DESTRUCTION OF CUSTOMER PERSONAL DATA
7.1. To the extent Customer does not already have the ability to do so as part of the Services, either upon request or direction by Customer or within thirty (30) days of the termination or expiration of this Agreement, IceBrkn will reasonably assist and cooperate with the Customer (a) to provide a copy of all Customer Personal Data in IceBrkn’s possession to the Customer and upon written verification from Customer of Customer’s receipt of such Customer Personal Data, destroy such information in accordance with this Section 7; (b) subject to Section 7.1 (a), promptly and securely destroy all such Customer Personal Data in accordance with applicable Data Protection Laws; and (c) certify in writing that it has complied with this Section 7; and in the case of 7.1(b) and 7.1(c), except to the extent that IceBrkn is required by applicable law to keep a copy of the Customer Personal Data.
7.2. IceBrkn agrees to comply with the terms of this DPA to the extent any Customer Personal Data remains in its possession or control in accordance with this Section 7.1.
Exhibit 1 to Data Protection Agreement
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Exhibit 1 includes details of the Processing of Customer Personal Data by IceBrkn.
1. Customer Details (for SCC purposes, the “Data Exporter”)
Company Name – As mentioned in the applicable Registration
Address – As mentioned in the applicable Registration
Contact name, position, and contact information – As mentioned in the applicable Registration
Role – Controller
2. IceBrkn Details (for SCC purposes, the “Data Importer”)
Company Name – IceBrkn Holdings, Inc.
Address – 5600 W Lovers Lane, Suite 116-214, Dallas, TX 75209
Contact name, position, and contact information – As mentioned in the applicable Subscriber Agreement
Role – Processor
3. Activities relevant to the data processed in accordance with this DPA (and, for SCC purposes, transferred under these Clauses)
The activities relevant to the data transferred are the Services more fully described in the Agreement and applicable ordering documents.
For processing involving Customer Personal Data relating to California consumers, we process such Customer Personal Data for the following business purposes:
4. Processing Information
Categories of data subjects whose personal data is processed –
Customer may submit or give access to Customer Personal Data to IceBrkn, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Customer Data relating to the following categories of data subjects:
Categories of personal data processed –
IceBrkn may process the following categories of Customer Personal Data: As to Customer’s authorized users, employees, agents, or representatives, contact details of the individual which may include first and last name, email address and IP address.
To the extent Customer provides or causes to provide the following Customer Personal Data to IceBrkn, the following categories of Personal Data may be processed:
• Contact details including phone numbers and postal address
• Financial account numbers and related information (e.g., credit card information)
Sensitive personal data processed – Financial information
Frequency of the processing – Continuous
Nature of the processing and purpose of the data processing and further processing – The objective of Processing of Customer Personal Data by IceBrkn is the performance of the Agreement and this DPA.
Period for which the personal data will be retained or criteria used to determine that period – Subject to Section 7 (Return or Deletion of Customer Personal Data) of this DPA, IceBrkn will process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Subprocessor (subject matter, nature, and duration of processing) – In addition to the following, the subject matter, nature, and duration of the Processing more fully described in the Agreement, DPA, and accompanying order forms.
Exhibit 2 to Data Protection Agreement
IceBrkn Security Measures
IceBrkn will implement and maintain a written security program with commercially reasonable administrative, technical, and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Data and the nature of its activities under the Agreement, to protect the security, confidentiality, availability, and integrity of Customer Data Processed by IceBrkn or in its possession and control including such safeguards (a) to protect the security of systems upon which such data is Processed; and (b) designed to prevent a Data Breach.
IceBrkn’s personnel will not Process Customer Data without authorization. IceBrkn’s Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.
Without limiting the foregoing, IceBrkn will:
1. Develop and use reasonable steps to select and retain agents and subcontractors that assist IceBrkn in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessors to agree by written contract to comply with terms substantially similar to those contained in this DPA;
2. Conduct routine risk assessments to identify, document, and remediate material internal and external risks to the security, confidentiality, availability, and integrity of Customer Data that could result in a Data Breach, and assess the sufficiency of any security measures in place to control these risks;
3. At a minimum, the risk assessments required by subpart (2) should include assessment of risks in each area of relevant operation, including, but not limited to:
i. employee training and management;
ii. secure system design and testing;
iii. quarterly (at a minimum) security and vulnerability scans; and
iv. review, assessment, and response to internal and third-party security vulnerability reports;
4. Design and implement reasonable safeguards to control the risks identified through the risk assessments, including through reasonable and appropriate security policies and guidelines and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
5. Establish and enforce written procedures that follow role-based access control principles to control access to systems, networks, services, and facilities that may Process or store Customer Data and make such procedures available to Customer upon request.
6. Monitor access by IceBrkn personnel to Customer Data and limit any such access to those with a need to know in order to perform its obligations under the Agreement;
7. Implement multi-factor authentication for any system Processing Customer Data;
8. Implement and conduct routine security training for IceBrkn personnel with access to Customer Data;
9. Implement anti-malware software on any systems that Process Customer Data;
10. Commensurate with the nature and sensitivity of the Customer Data, encrypt Customer Data in transit across public networks or outside of IceBrkn’s physical or logical controls and at rest when stored on any device or storage media (such as servers, databases, backups, etc.) using industry standard encryption tools.
11. Provide reasonable assistance to Customer in Customer’s assessment and implementation of appropriate administrative, technical, and physical safeguards to provide an appropriate level of security of Customer Data, including (upon Customer’s reasonable request) completion of periodic assessments;
12. Automatically collect system, application, and user level logs on an ongoing basis for any network or system Processing Customer Data and retain such logs for security response for at least one year;
13. Implement, maintain, and monitor physical security controls for any processing facilities that are used for Processing Customer Data, including without limitation appropriate perimeter security that provide protection against unauthorized access, damage, or interference; and
14. Evaluate and adjust its security program in light of the results of the testing and monitoring required by subpart (2), any material changes to IceBrkn’s operations or business arrangements, or any other circumstances that IceBrkn knows or has reason to know may have a material impact on the effectiveness of its security program.
Business Continuity and Disaster Recovery Requirements:
During the term of the Agreement or so long as IceBrkn Processes Customer Data, whichever is longer, IceBrkn shall implement and maintain a disaster recovery plan that ensures that all Customer Data Processed by IceBrkn is capable of being recovered, and that the integrity of all such recovered Customer Data is retained, in the event that IceBrkn’s network, systems or other facilities experience a Data Breach or any significant interruption or impairment of operation or any loss, deletion, corruption, or alteration of Personal Information (“Disaster Recovery Plan”).