This Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), amends and supplements any existing and currently valid Agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and Grayscale Labs, Inc. (together with subsidiary(ies) and affiliated entities, collectively, “Grayscale” or “Processor”). Defined terms used herein but not otherwise defined shall have the meanings set forth in the Agreement(s).
1.0 Purpose of the DPA. This DPA is intended to reflect the parties’ agreement with regard to the Processing of data, including Personal Data (as defined below) in connection with the provision of services to Customer (“Services”) pursuant to the Agreement.
2.0 Definitions. For the purpose of this DPA, these terms shall mean the following:
2.1 “Applicable Laws” shall mean all applicable federal, state and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the EU Data Protection Laws, the UK GDPR and Applicable State Privacy Laws but excluding, without limitation, consent decrees.
2.2 “Applicable State Privacy Laws” shall mean individually and collectively, as applicable, those laws and regulations of the states within the United States that govern the transfer, sharing or sale to a third party of the personal information or personal data of consumers or individuals (as such transfers and data are defined in the applicable law), that are currently in effect or that become effective in the future, including, but not limited to, the California Consumer Privacy Act of 2018 (“CCPA”) as updated by the California Privacy Rights Act of 2020 (“CPRA”), the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, and the Virginia Consumer Data Protection Act, and in each case, any amendments, final regulations, and successor legislation.
2.3 “Authorized Personnel” means (a) Grayscale’s employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable Services; and (b) Grayscale’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Grayscale to perform its obligations under this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA.
2.4 “EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR and the UK GDPR.
2.5 “EU Personal Data” means Personal Data collected from data subjects when they were located in the European Economic Area (EEA) and/or Switzerland.
2.6 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
2.7 “Personal Data” means any data relating to an identified or identifiable person that is submitted to, or collected by, Grayscale in connection with the Services or in connection with the provision of the Services to Customer, when such data is protected as “personal data” or “personally identifiable information” or a similar term under Applicable Laws. Personal Data does not include the name and contact information of those Customer employees who are responsible for interacting with Grayscale in connection with its performance of the Services under the Agreement.
2.8 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.9 “Processor” means any natural or legal person, public authority, agency or any other body which processes data on behalf of the controller.
2.10 “Security Breach” means any negligent act or omission by Grayscale that materially compromises the security, confidentiality, or integrity of Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under Applicable Law(s) governing the particular circumstances.
2.11 “Standard Contractual Clauses” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses (Module 2) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); and (ii) where the UK GDPR applies, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO.
2.12 “UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
2.13 “UK Personal Data” means Personal Data collected from data subjects when they were located in the United Kingdom.
3.0 Processing and Transfer of Personal Data.
3.1 Grayscale shall process Personal Data in accordance with Customer’s written instructions (unless waived in a written requirement) provided during the term of this DPA. In the event Grayscale reasonably believes there is a conflict with any Applicable Law and Customer’s instructions, Grayscale will inform Customer promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
3.2 For purposes of this Section 3.2, the terms “aggregate consumer information,” “deidentified,” “process,” “processor,” “sell,” “service provider,” and “share” shall have the meanings ascribed to them in the Applicable State Privacy Law.
(a) Grayscale is acting as a service provider or processor to Customer and except for usage of Personal Data as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Applicable Laws, will not (i) “sell” or “share” Personal Data, (ii) combine the Personal Data with any other Personal Data, unless expressly instructed by Customer for a specific purpose, and sole benefit of Customer, in the Services, or (iii) retain, use, or disclose Personal Data for any purpose (including any commercial purpose) other than in connection with performing the services as specified in the Agreement and as otherwise permitted under the Agreement. Grayscale certifies that it understands the preceding restrictions. The parties acknowledge and agree that Customer’s provision of access to personal information is not part of and explicitly excluded from the exchange of consideration or any other things of value between the parties.
(b) To the extent that Grayscale reserves rights under the Agreement to “aggregate” or “aggregated” Personal Data, Grayscale agrees that the CCPA/CPRA definition of “aggregate consumer information” applies to such Personal Data and Grayscale will process such Personal Data accordingly.
(c) To the extent that Grayscale reserves rights under the Agreement to “de-identified,” “anonymized,” or “anonymous” Personal Data, Grayscale agrees that the CCPA/CPRA definition of “deidentified” applies to such Personal Data and Grayscale will process such Personal Data accordingly.
3.3 The parties acknowledge and agree that processing of the Personal Data will occur in the United States and perhaps other jurisdictions outside the residence of the data subjects, and Customer shall comply with all notice and consent requirements for such transfer and processing to the extent required by Applicable Laws.
4.0 EU and UK Data Protection Laws.
4.1 EU Standard Contractual Clauses (EU SCCs). The parties agree, as evidenced by their signature on this DPA, that the EU SCCs will apply to EU Personal Data transferred from Customer, either directly from the EU or via onward transfer, to Grayscale to the extent Grayscale is located in the United States or any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described by the GDPR). The parties agree to delete the optional provision in Clause 11 and choose Option 1 in Clause 17. The parties agree that the blank lines in Clauses 17 and 18 shall state Ireland. The Annexes to the EU SCCs are attached to this DPA as Schedule 1. In the event of any conflict or inconsistency between the provisions of this DPA and the EU SCCs, the provisions of the EU SCCs shall prevail. In the event that any provision of the EU SCCs is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of the SCCs and the terms of this DPA shall remain operative and binding on the parties.
4.2 UK Standard Contractual Clauses (UK SCCs). The parties agree, as evidenced by their signature on this DPA, that the UK SCCs will apply to UK Personal Data transferred from Customer, either directly from the UK or via onward transfer, to Grayscale to the extent Grayscale is located in the United States or any country not recognized by the UK as providing an adequate level of protection for personal data. The Appendices to the UK SCCs are attached to this DPA as Schedule 2. In the event of any conflict or inconsistency between the provisions of this DPA and the UK SCCs, the provisions of the UK SCCs shall prevail. In the event that any provision of the UK SCCs is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of the SCCs and the terms of this DPA shall remain operative and binding on the parties.
4.3 GDPR Contractual Requirements. Grayscale shall: (a) assist, to a reasonable extent, the fulfillment of Customer’s obligations to respond to requests for exercising a data subject’s rights with respect to Personal Data under Chapter III of GDPR; (b) assist, to a reasonable extent, Customer in complying with its obligations with respect to Personal Data pursuant to Articles 32 to 36 of GDPR; (c) make available to Customer information reasonably necessary to demonstrate compliance with its obligations as a processor specified in Article 28 of GDPR; (d) maintain a record of all categories of processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR; and (e) cooperate, on request, with an EU supervisory authority in the performance of the Services under the Agreement.
4.4 Sub-processors. Customer grants a general authorization to Grayscale to appoint its affiliates as sub-processors, and a specific authorization to Grayscale and its affiliates to appoint as sub-processors the entities set out in Annex III of the Standard Contractual Clauses attached hereto, and for the sub-processing activities as described thereon, as it may be updated from time to time.
5.0 Compliance with Data Protection Laws.
5.1 Representation and Warranty. Customer represents and warrants that the Personal Data provided to Grayscale for processing under the Agreement and this DPA is collected and/or validly obtained and utilized by Customer in compliance with all Applicable Laws, including without limitation the disclosure, informed affirmative consent and targeted advertising provisions of the CCPA and EU Data Protection Laws, including without limitation Chapter II of the GDPR.
5.2 Data Security. Grayscale will utilize commercially reasonable efforts to protect the security, confidentiality and integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards. Grayscale will cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals reasonably promptly after it is reasonable to assume that (i) the specified purposes are no longer being served by Grayscale’s retention of Personal Data, and (ii) retention is no longer necessary for legal or business purposes; and (f) upon receiving a request from Customer to correct an error or omission in the Personal Data about the individual that is in the possession or under the control of Grayscale, correct the Personal Data as soon as reasonably practicable.
5.3 Authorized Personnel; Sub-processors. Grayscale shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations at least as restrictive as those contained in this DPA. In addition, Grayscale is authorized to use sub-processors provided that Grayscale shall enter into an agreement with the sub-processor containing data protection obligations that are at least as restrictive as the obligations under this DPA.
5.4 Security Breaches. Grayscale will promptly, without undue delay, after becoming aware of a Security Breach (a) notify Customer of the Security Breach; (b) investigate the Security Breach; (c) provide Customer with details about the Security Breach; and (d) take reasonable actions to prevent a recurrence of the Security Breach. Grayscale agrees to cooperate in Customer’s handling of the matter by: (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Security Breach’s effects on Customer, as required to comply with Applicable Law. Neither party shall make a public announcement regarding such Security Breach that refers to the other party without the other party’s prior written approval.
5.5 Data Subject Requests. Grayscale will cooperate with Customer to address data subject rights and requests afforded by Applicable Laws.
6.0 Audits and Certifications. Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement (unless such information is reasonably required to be disclosed as a response to a data subject’s inquiries under Applicable Laws), Grayscale shall make available to Customer (or a mutually agreed upon third-party auditor) information regarding Grayscale’s compliance with the obligations set forth in this DPA, including reasonable documentation.
7.0 Miscellaneous.
7.1 In the event of any conflict or inconsistency between this DPA and Applicable Laws, Applicable Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data.
7.2 To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with Applicable Laws or changes to Applicable Laws, Customer and Grayscale agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Applicable Laws.
7.3 Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and appendices.
7.4 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. This DPA only applies to the extent Grayscale processes Personal Data on behalf of Customer. This DPA together with the Agreement is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
Data Processing Addendum
Schedule 1: Annexes to Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
Data exporter(s): The data exporter is Customer, a user of services provided by Processor, with contact details regarding the Customer and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for Services.
Data importer(s): The data importer is Grayscale Labs, Inc., a global producer of software and services that processes Personal Data in accordance with the terms of the Agreement and the DPA, with contact details for Grayscale and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for Services.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to Grayscale Labs, Inc., the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, customers and prospective customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer Personal Data to users of the Services.
Categories of personal data transferred
Data exporter may submit Personal Data to Grayscale Labs, Inc., the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) ID data; (g) Professional life data; (h) Personal life data; (i) Connection data; (j) Localisation data; and (k) other data in an electronic form used by Grayscale Labs, Inc. in the context of the Services.
Sensitive data transferred (if applicable)
None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the term of the Agreement.
Nature of the processing
As described in the Agreement and the applicable Order Form
Purpose(s) of the data transfer and further processing
To utilize Grayscale’s Services as set forth in the Agreement and the applicable Order Form.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the Agreement plus a period of approximately 30 days unless the Customer requests a longer period of time during which to elect to have Personal Data returned to Customer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As necessary to enable Grayscale to perform the Services described in the Agreement and the applicable Order Form and for the term of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13
Ireland
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Grayscale will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data transferred to it as described in the Agreement.
ANNEX III
Grayscale’s Sub-Processors
Sub-processor name | Sub-processing activities | Location |
---|---|---|
Amazon Web Services | Cloud hosting | 410 Terry Avenue North Seattle, WA 98109 US |
Heroku | Cloud hosting | 415 Mission Street, Suite 300, San Francisco, CA 94105, US |
Full Story | Tracking/support/troubleshooting | 1745 Peachtree Rd NW Suite G, Atlanta, GA 30309 |
Twilio | Sending and receiving SMS | 375 Beale Street, Suite 300, San Francisco, CA 94105, US |
Rollbar | Infrastructure error monitoring | 51 Federal St #401, San Francisco, CA 94107, US |
Google Analytics | Analytical aggregation of data | 1600 Amphitheatre Pkwy, Mountain View, California, 94043, US |
Intercom | Support and customer communication | 55 2nd Street, 4th Floor, San Francisco, CA 94105, US |
Merge | Middleware for SAP SuccessFactors Integration | Two Embarcadero Center WeWork, 8th Floor, San Francisco, California, 94111, US |
Shortcut (formerly Clubhouse) | Ticket tracking, may have PII for troubleshooting purposes | 201 Allen St Unit #10004, New York, NY 10002 |
Datadog | Logging, application performance monitoring | 620 8th Avenue, Floor 45, New York, NY 10018 |
Cronify Limited | Automated scheduling | 228 Park Ave. S, New York, NY 10003 |
Meta/WhatsApp | Sending and receiving messages | 1601 Willow Road, Menlo Park, CA 94025; Meta Data Center Locations; WhatsApp Client Terms |
Customer grants to Grayscale the right to register with subprocessors and to provide consent on behalf of Customer to any applicable terms, conditions, and policies. Customer may also directly register with WhatsApp for use of the WhatsApp platform.
Schedule 2: Appendices to the UK SCCs – Controller to Processor
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Schedule 1 EU SCCs, Annex I.A.
Annex 1B: Description of Transfer: See Schedule 1 EU SCCs, Annex I.B.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Schedule 1 EU SCCs, Annex II
Annex III: List of Sub processors (Modules 2 and 3 only): See Schedule 1 EU SCCs, Annex III
Table 4: Ending this Addendum when the Approved Addendum Changes
Part 2: Mandatory Clauses