This Data Processing Addendum (“Addendum”) supplements and is incorporated by this reference into the GetWhy Master Services Agreement entered into between GetWhy and the Customer (“Agreement”) and relates to Personal Data which is provided or made available to, shared with, or accessed by GetWhy for Processing on Customer’s behalf. Data Protection Laws worldwide place certain obligations upon a Controller, to ensure that a Processor engaged by the Controller provides sufficient guarantees that any such Processing is secure. This Addendum exists to ensure that there are sufficient security measures in place and that the Processing complies with the Parties’ obligations under such Data Protection Laws.
Any capitalized terms used but not defined in this Addendum will have the meanings set forth in the Agreement.
a. “CCPA” means Title 1.81.5, California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended by Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). The CCPA is a data privacy law that provides California consumers with a number of privacy protections, including the right to access, delete and opt-out of the “sale” or “sharing” of their Personal Data (as such terms are defined in the CCPA).
b. “Data Controller” means an entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data (including as applicable, a “business” as defined by the CCPA).
c. “Data Processor” means an entity which Processes Personal Data on behalf of the Data Controller (including as applicable, a “service provider” as defined by the CCPA).
d. “Data Protection Laws” mean any privacy or data protection Laws applicable to GetWhy’s Processing of Personal Data under the Agreement or this Addendum, including without limitation: (i) the EU Data Protection Laws; (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Laws; (v) the CCPA; and (vi) the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 et seq.) and other applicable state laws; in each case, as updated, amended or replaced from time to time.
e. “EU Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”).
f. “EU Standard Contractual Clauses”, “SCCs” or “Clauses” means, where the EU Data Protection Laws apply, the Standard Contractual Clauses forming part of Decision 2021/914/EC (as amended or replaced from time to time), including their appendices and with the relevant Modules and Options set out herein.
g. “Laws” means any applicable national, state, provincial and local laws, rules, regulations, directives, statutes, orders, judgments, decrees, rulings, and enforceable regulatory guidance.
h. “Personal Data” means Customer Content relating to an identified or identifiable natural person. An identifiable natural person is one who can be specifically identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data or online identifier, or by reference to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
i. “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
j. “Security Incident” means a Personal Data breach or any unauthorized access or breach of security due to GetWhy’s failure to comply with its data privacy and/or security obligations hereunder, leading to, or reasonably believed to have led to, the theft, accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, any Personal Data Processed by GetWhy under or in connection with the Agreement.
k. “Sub-processor” means a third-party service provider engaged by GetWhy to assist with the Processing of Personal Data.
l. “UK Data Protection Laws” means the Data Protection Act 2018 and the United Kingdom’s version of the GDPR which is part of UK law by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and any legislation applicable in the UK in force from time to time relating to privacy or the Processing of Personal Data.
m. “UK Standard Contractual Clauses” means, where the UK Data Protection Laws apply, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and as revised under Section 18 of the International Data Transfer Addendum (the “UK Addendum”).
a. As the Data Processor, GetWhy will Process Personal Data solely in accordance with (i) the Agreement or other documented instructions of Customer (whether in written or electronic form) provided in accordance with the Agreement or (ii) as otherwise required by applicable Laws, in which case GetWhy will inform Customer of the legal requirement before Processing, unless legally prohibited on grounds of public interest. Customer acknowledges and agrees that Customer’s final and complete instructions regarding the Processing of Personal Data are set out in the Agreement. Any additional or alternate instructions must be agreed in writing by the Parties (and GetWhy will be entitled to charge a reasonable fee to cover any compliance costs incurred).
b. GetWhy will ensure that persons authorized to Process Personal Data on GetWhy’s behalf have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
c. As the Data Controller, Customer is responsible for ensuring that, in accordance with Data Protection Laws, (i) there is a lawful basis for the collection and Processing of Personal Data and (ii) Customer has provided an appropriate privacy policy to Authorized Users and other data subjects.
Customer agrees that GetWhy may disclose personal data to its Sub-processors for purposes of providing the Services to Customer, provided that GetWhy will impose on its Sub-processors data protection obligations that are at least as protective of Personal Data as those set forth in this Addendum. GetWhy has made available to Customer a list of its Sub-processors at https://getwhy.io/sub-processors/, which Sub-processors have been approved by Customer via the Agreement or this Addendum. GetWhy will provide Customer with a mechanism to receive notice of any changes to this list. GetWhy will notify Customer of the addition of any new Sub-processors by updating this list at least 30 days before granting the new Sub-processor access to Customer Content, in order to allow Customer an opportunity to object to the addition. GetWhy will be liable for the acts or omissions of any Sub-processors to the same extent as if the acts or omissions were performed by GetWhy. GetWhy will disclose Personal Data only to approved Sub-processors or as otherwise expressly authorized under the Agreement or this Addendum or as required by applicable Laws.
In providing the Services, and unless expressly agreed otherwise in writing by the Parties, GetWhy and its Sub-processors may transfer Personal Data to other countries where they have operations, or as otherwise required by applicable Laws. GetWhy will implement appropriate measures to protect Personal Data in accordance with this Addendum and in compliance with applicable Data Protection Laws, regardless of the jurisdiction in which it is located. Any cross-border transfers of Personal Data will take place only where enforceable data subject rights and effective legal remedies for data subjects are available and appropriate safeguards are in place in relation to the transfer, as provided for by: (a) the SCCs as referenced herein; or (b) any other data transfer mechanisms permitted by Data Protection Laws, as appropriate.
GetWhy will implement reasonable technical and organizational safeguards designed to protect Customer Content against unauthorized loss, destruction, alteration, access, or disclosure. GetWhy will require GetWhy personnel who will be provided access to, or will otherwise process, Customer Content, to protect Customer Content consistent with the standards set forth in this Addendum. If GetWhy discovers a Security Incident has occurred, GetWhy will notify Customer in accordance with the Agreement.
Upon Customer’s written request and as applicable, execution of a GetWhy standard nondisclosure agreement, GetWhy will provide responses up to once per year to any written questions that Customer may reasonably submit for purposes of verifying GetWhy’s compliance with this Addendum. If Customer reasonably determines that further assessment is required by Laws, then Customer at its sole expense may perform a review, once per year during the term (other than where a Security Incident has taken place, in which case Customer will be entitled to carry out an additional review within 30 days of GetWhy notifying Customer of such Security Incident), of the relevant policies, procedures and related documentation of GetWhy’s Services. The timing, scope and duration of any such review will be mutually agreed by the Parties. Any such review will be conducted in a manner that does not compromise confidentiality obligations to any of GetWhy’s other clients or other third parties. Customer will ensure that any third-party auditor that Customer appoints in connection with a review is: (a) not a GetWhy competitor; and (b) is committed to appropriate confidentiality obligations. Customer and/or any third-party auditor will comply with GetWhy’s standard policies and procedures when accessing GetWhy’s premises or systems.
GetWhy will promptly notify Customer, unless prohibited by applicable Laws, if GetWhy receives: (a) any request from an individual with respect to Personal Data Processed by GetWhy, including but not limited to opt-out requests, requests for access and/or rectification, blocking, erasure, requests for data portability, and all similar requests; or (b) any complaint relating to the Processing by GetWhy of Personal Data, including allegations that such Processing infringes on a data subject’s rights. Customer is responsible for responding to such requests and complaints from individuals and GetWhy will provide such information and assistance as Customer may reasonably require to allow Customer to comply with its obligations under Data Protection Laws in regard to such requests.
Upon termination or expiration of the Agreement, Customer will be entitled to retrieve its Customer Content (including any Personal Data) in accordance with the Agreement; provided that, Customer must notify GetWhy of Customer Content that Customer wishes to have returned or deleted within 30 days after the effective date of termination or expiration. GetWhy will delete Customer Content from the Services promptly following such retrieval period unless otherwise required by applicable Laws; provided that, GetWhy will be entitled to retain Personal Data where required by Data Protection Laws or other applicable Laws, or where such data is required for GetWhy’s internal record keeping or where it is necessary for use in legal proceedings.
a. With respect to EU-U.S. transfers of Personal Data, GetWhy (acting on its own behalf and as agent for each GetWhy Affiliate) and Customer (acting on its own behalf and as agent for each of its Affiliates) each hereby agree to process such Personal Data in compliance with the EU SCCs incorporating:
i. The general clauses (Clauses 1-6);
ii. Modules One (Transfer Controller to Controller), Two (Transfer Controller to Processor), and Four (Transfer Processor to Controller) as applicable and the relevant options as specified in the table set out in Section 10 herein; and
iii. With the Annexes populated as set out below:
b. Annex I of the EU SCCs (Details of Data Processing) will be pre-populated with the details set out in Section 11.01 herein; and
c. Annex II of the EU Standard Contractual Clauses (Security Measures) are described in Section 11.02 herein.
d. Before commencing any EU international transfer to or from a Sub-processor, GetWhy will ensure enforceable data subject rights and effective legal remedies for data subjects are available and appropriate safeguards are in place in relation to the transfer, as provided for by: (i) entering into the EU SCCs with such Sub-processor, incorporating the general clauses (Clauses 1-6) and Module 3 (Transfer Processor to Processor); or (ii) any other data transfer mechanisms permitted by Data Protection Laws, as appropriate.
e. EU SCCs: Modules and Options. As applicable, the Parties agree that the following modules and options of the EU SCCs are deemed to be incorporated:
Clause 7 (Docking clause) | Clause 7 will not be incorporated. |
Clause 8 (Data protection safeguards) | Modules 1, 2 and 4. |
Clause 9 (Use of sub-processors) | Module 2, Option 2, and the specific time period will be as set out herein. |
Clause 10 (Data subject rights) | Modules 1, 2 and 4. |
Clause 11 (Redress) | Module 1 and 2, and the Option in Clause 11(a) will not be incorporated. |
Clause 12 (Liability) | Modules 1, 2 and 4. |
Clause 13 (Supervision) | Module 1 and 2, incorporating all paragraphs of Clause 13(a) as applicable. |
Clause 14 (Local laws and practices affecting compliance with the Clauses) | Modules 1, 2 and 4. |
Clause 15 (Obligations of the data importer in case of access by public authorities) | Modules 1, 2 and 4. |
Clause 16 (Non-compliance with the Clauses and termination) | For Clause 16(d) the relevant parts for Modules 1, 2 and 4. |
Clause 17 (Governing law) | Modules 1 and 2, Options 1 and 2 as applicable and the law inserted will be the laws of the EU Member State in which the data exporter is established, save that: (i) where such laws do not allow for third-party beneficiary rights; or (ii) the data exporter is not established in an EU Member State, the law will be the laws of Denmark. Module 4 and the law inserted will be the laws of the country stated in the governing law clause of the Agreement, save that where such law does not allow for third-party beneficiary rights, the law will be the laws of Denmark. |
Clause 18 (Choice of forum and jurisdiction) | Modules 1 and 2 and the courts inserted will be the courts in the Member State referred to in Clause 17 (Governing law). Module 4 and the country inserted will be the country stated to have jurisdiction in the Agreement, save that where the laws of that country do not allow for third-party beneficiary rights, the country will be the law of Denmark. |
f. EU SCCs: Details of Data Processing, Security Measures. As applicable, the Parties agree that Annex I of the EU SCCs will be pre-populated with the following details:
List of Parties | Data Exporter:
Name: the person or entity agreeing to these terms (i.e., the Customer). Address: per Customer’s Service Order(s). Contact person’s name, position, contact details: per Customer’s Service Order(s). Activities relevant to the data transferred under these Clauses: per the Agreement. Role (Controller/Processor): Controller (or as applicable, Processor). Data Importer(s): Name: GetWhy A/S (for itself and its Affiliates) Address: Langebrogade 4, 1411 Copenhagen, Denmark Contact person’s name, position, contact details: Niklas Laugesen, General Counsel, legal@getwhy.io, +45 77348685 Activities relevant to the data transferred under these Clauses: The Data Importer provides the web-based Software-as-a-Service (SaaS) application known as the GetWhy Research Agent (i.e., the “Platform”), and related Services. Role (Controller/Processor): Processor (or as applicable, Sub-processor). Notwithstanding the foregoing, GetWhy is the Controller in respect of Usage Metadata. |
Description of Transfer | Categories of data subjects whose Personal Data is transferred:
The Platform requires the transfer and Processing of Personal Data about the following categories of data subjects: 1. Data Exporter’s administrators, for the purposes of managing the Agreement and the Data Exporter’s license to use the Platform and related Services. 2. Authorized Users of the Platform, for the purposes of facilitating their access to and use of the Platform and related Services. 3. Employees of the Data Exporter where they engage with the Platform and upload Customer Content to it. Categories of Personal Data transferred: The GetWhy Research Agent facilitates the transfer and Processing of the following categories of data, as outlined in the Parties’ Agreement and/or GetWhy’s Privacy Policy: 1. Usage Metadata, including data generated, collected and processed by Data Importer in connection with providing the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse. Usage Metadata (a) does not comprise Customer Content and (b) is collected by GetWhy on an anonymized or pseudonymized and aggregated basis, such that it does not allow GetWhy or any third party to determine that such data relates to or is derived from Customer or any Authorized User. Usage Metadata is not processed on behalf of the Data Exporter, and GetWhy is the data controller in respect of this data. 2. Customer Content, including Personal Data uploaded, submitted or otherwise transmitted to the Platform by the Data Exporter or any third party using the Data Exporter’s account. Such Personal Data includes without limitation: full name; physical address; email address; telephone number; bank information; gender; date of birth; occupation; and Feedback given or received. 
Sensitive data transferred: The Platform does not require the transfer or Processing of any special categories of data (as defined in Article 9(1) of the GDPR). The frequency of the data transfer: Continuous unless otherwise specified in the Agreement. Nature of the Processing: The Platform facilitates the following Processing of Personal Data on behalf of (and on the instructions of) the Data Exporter: 1. Collection of Customer Content, as outlined above, for the purposes of delivering Services; 2. Use and analysis of Customer Content, including without limitation by automated means, for the purposes of qualifying participating users for research studies, creating video and audio recordings and transcriptions of studies, and creating Insights (as defined in the Agreement), analytics and related reporting for the Data Exporter’s use; 3. Secure storage of Customer Content with Sub-processor, Amazon Web Services (AWS); 4. Retrieval of Customer Content on the request of the Data Exporter or the applicable data subject; and 5. Destruction of Customer Content either at the request of the Data Exporter or on the expiry or termination of the Agreement. As set out in the Agreement, GetWhy does not Process Customer Content for any purposes other than those requested by the Data Exporter and outlined in the Agreement and GetWhy’s Privacy Policy. Purpose(s) of the data transfer and further Processing: The purpose of the transfer or Processing of Customer Content is for provision of the Platform and related Services, as more particularly set forth in the Agreement (and Service Orders entered into thereunder). 
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: The duration of the Processing of Customer Content described herein under the Agreement is for the term of such Agreement (and Service Orders entered into thereunder) as such term is defined therein, and not thereafter except if specifically instructed to do so by the Data Exporter. For transfers to Sub-processors, also specify the subject matter, nature and duration of the Processing: See Sub-processor notification at https://getwhy.io/sub-processors/. |
Competent supervisory authority | Datatilsynet
Carl Jacobsens Vej 35 2500 Valby Tel. +45 33 1932 00 Email: dt@datatilsynet.dk Website: http://www.datatilsynet.dk/ |
g. EU SCCs: Security Measures. As applicable, the Parties agree that Annex II of the EU SCCs will be pre-populated with the following details:
Description of the technical and organisational measures implemented by the Data Importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons:
Information security policy statement: The future is human – and the future business is customer-centric. We take a customer-centric approach to everything we do, including our security policies, and we, therefore, understand how important data privacy and protection are to our customers. We trust the people we work with: our customers, employees and partners. With our security policies, we want to provide a clear set of guidelines and rules to make it easy for us to protect sensitive data in the interest of individuals and the companies that trust their data with us. Our application is built on a modern, scalable cloud infrastructure designed to ensure the safety of your data, and we have chosen proven third-party cloud providers with excellent track records and data centres in the EU. We ensure the safety and privacy of your data is baked into our everyday processes throughout our organisation. We do regular data backups and test recovery, run penetration tests, encrypt all data at rest and in transit, conduct static code analysis and vulnerability scanning, perform server hardening, audit trails, and many other cloud security techniques. Scroll down for information about specific security practices, read GetWhy’s Privacy Policy, support and availability agreement, and Data Processing Addendum which also contains a list of third-party data Sub-processors. Regarding GetWhy’s Privacy Policy or how we handle your data more generally, please contact us at privacy@getwhy.io.
Product Security:
Permissions: Global access roles allow GetWhy admins to set role-based permission levels for each user account, and project-level access controls allow permission levels to be set for specific projects.
Secure passwords: GetWhy enforces a password complexity standard, and credentials are stored using BCrypt with unique salts.
Account verification for users: Users are required to validate their accounts via a link provided in an automated e-mail.
Permanent deletion: Users can delete projects and study data from GetWhy if they have the appropriate access rights. The platform has all the features necessary for users to delete data and be compliant with GDPR. When a customer is conducting its own studies using the self-service platform, the customer is a Controller and must delete Personal Data from the platform according to the customer’s own data privacy policy. When GetWhy is conducting a study on behalf of a customer and/or when GetWhy generates, collects or Processes Usage Metadata, GetWhy acts as a Controller, and Personal Data is protected and deleted according to GetWhy’s Privacy Policy.
High availability: We ensure high availability with automated and manual testing, production monitoring, logging and alerts, fast continuous deployments, and industry-standard cloud infrastructure.
Infrastructure Security:
Hosting and storage: GetWhy services and data are hosted in Amazon Web Services (AWS) facilities in the EU.
Encryption: Data is encrypted while moving between us and the browser with Transport Layer Security (TLS). At Rest: Your data only resides in the production environment encrypted with AES-256. In Transit: Network communication uses TLS, and it is encrypted and authenticated.
Vulnerability scanning: GetWhy uses third-party security tools to scan for vulnerabilities. Our engineers respond to issues raised. We have no vulnerabilities on the OWASP Top 10.
Penetration testing: We perform independent third-party manual penetration testing at least once per year, and depending on the risk assessment also when we have bigger systems changes. Contact us for a copy of the latest report.
Backup policy: Our backup processes ensure data and information consistency with the highest standards. We use AWS backup solution for data stores that contain customer data. Data is automatically backed up every 15 minutes, and we keep daily backups for 14 days. On an application level, we store logs of activity on a centralised log solution based on AWS Elasticsearch, Kibana and Logstash. Logs are stored for up to 15 days.
Monitoring & incident response: Production alerts are captured and automatically escalated. Outside of office hours, our engineering team has a best-effort and escalation policy. Security and confidentiality incidents submitted to support@getwhy.io or our in-app support chat will be resolved in accordance with the established incident policy.
Logging & audit trail: We log every user action performed in the system with a full audit trail.
Continuous delivery: We have a state-of-the-art agile software development lifecycle methodology and change management procedures. Our deployment method requires no downtime for the application.
Compliance:
ISO 27001: GetWhy is compliant with the Information Security Management System ISO/IEC 27001 standard.
VSA: We have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire, contact us for a copy.
OWASP: The most recent penetration test reported no vulnerabilities on the OWASP Top 10.
SSL Labs score: “A+” on their SSL Server test.
GDPR ready: GDPR is baked into our business processes, security policies and employee training. GDPR check is part of our risk assessment and internal audit. See GetWhy’s Privacy Policy.
Personnel:
Roles-based access: An employee’s level of access is determined by the role and follows the least privilege principle.
Secure access: GetWhy uses SSO, an enforced password policy, and VPN to ensure employees have secure access to the system.
Multi-factor authentication: We enforce this for all privileged access and on all critical systems.
Employee asset control: Our employees’ devices are monitored in real-time and have antivirus, disk encryption, and security patches via an active directory.
Employee training: All employees complete annual Security and Awareness training and Secure Development Practices.
Confidentiality: All employee and contractor agreements include a confidentiality clause.
Policies: Our internal security policies cover a range of topics and are shared with all employees and contractors. GetWhy may update the above security measures from time to time, as set forth in GetWhy’s Public Security Declaration available at https://getwhy.io/security/.
With respect to UK-U.S. transfers of Personal Data, GetWhy (acting on its own behalf and as agent for each GetWhy Affiliate) and Customer (acting on its own behalf and as agent for each of its Affiliates) each hereby agree to Process such Personal Data in compliance with the UK SCCs, i.e., the EU SCCs as implemented under this Addendum, with the following modifications:
a. The EU SCCs will be deemed amended as specified by Part 2 of the UK Addendum;
b. Tables 1, 2 and 3 in Part 1 of the UK Addendum will be deemed completed respectively with the information set out in Section 11 of this Addendum (as applicable); and
c. Table 4 in Part 1 of the UK Addendum will be deemed completed by selecting “importer” and “exporter”.
To the extent that GetWhy Processes “Personal Information” subject to the CCPA:
a. Customer is a “Business” and GetWhy is a “Service Provider”, each as defined under the CCPA.
b. GetWhy will not: (i) retain, use, disclose or otherwise Process “Personal Information” for any purpose, including a “Commercial Purpose”, other than for the specific purposes as provided for in the Agreement or as needed to perform the Services, including to build or improve the quality of the Services, to detect Security Incidents, to protect against fraudulent or illegal activity, to retain Sub-processors in compliance with this Addendum, or as otherwise required or permitted by applicable Laws; (ii) “sell” or “share” Personal Information; (iii) Process Personal Information in any manner outside of the direct business relationship between Customer and GetWhy; or (iv) combine Personal Information from Customer with Personal Information that GetWhy received from or on behalf of another person or entity or that GetWhy collected from its own interactions with an individual.
c. Customer will only disclose Personal Information in connection with the Agreement, and only for the limited and specified purposes of receiving the Services.
d. Upon written request from Customer, GetWhy will provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to GetWhy’s Processing of Personal Information necessary to confirm GetWhy’s compliance with this Addendum; provided that Customer will not exercise this right more than once in any 12-month rolling period. Notwithstanding the foregoing, Customer (or its appointed representatives) may also exercise such audit right of GetWhy’s operations and facilities if Customer is expressly requested or required to provide this information to a data protection authority, if GetWhy has experienced a Security Incident, or as may be required under applicable Data Protection Laws. Such inspections will take place during normal business hours and will be subject to reasonable prior notice. In addition, upon written request from Customer, GetWhy will provide documentation verifying that it no longer retains or uses any Personal Information that Customer has made a valid request to GetWhy to cease using and/or delete. If, under the circumstances, the foregoing steps are insufficient (i) to ensure that GetWhy uses the Personal Information collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA and this Addendum or (ii) to stop and remediate GetWhy’s unauthorized use of Personal Information, then the Parties will promptly coordinate to determine any additional reasonable and appropriate steps that will be taken to ensure compliance. In furtherance of the foregoing, upon written request from Customer, GetWhy will provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to GetWhy’s Processing of Personal Information necessary to confirm GetWhy’s compliance with this Addendum, provided that Customer will not exercise this right more than once in any 12-month rolling period. Notwithstanding the foregoing, Customer (or its appointed representatives) may also exercise such audit right of GetWhy’s operations and facilities in the event that Customer is expressly requested or required to provide this information to a data protection authority, if GetWhy has experienced a Security Incident, or as may be required under applicable Data Protection Laws. Such inspections will take place during normal business hours and be subject to reasonable prior notice. In addition, upon written request from Customer, GetWhy will provide documentation verifying that it no longer retains or uses any Personal Information that Customer has made a valid request to GetWhy to cease using and/or delete. GetWhy certifies that it understands the restrictions contained in this paragraph and will comply with them.
e. Each Party certifies that it understands the requirements under the CCPA.
f. As used in this Section 11, the following terms have the meanings set forth in the CCPA: (1) Personal Information; (2) Business; (3) Service Provider; (4) Commercial Purpose; (5) Sell; and (6) Share.
Except as expressly set forth in this Addendum, all other terms and conditions of the Agreement will continue and remain in full force and effect. In the event of any conflict between the provisions of this Addendum and the Agreement, the provisions of this Addendum will prevail.
This Addendum will be governed by and construed in accordance with the Laws of Denmark, without prejudice to the provisions of the Laws of the country where the Customer has its principal place of business that cannot be derogated from contractually and without regard to conflict of law principles (as such Laws are applied to agreements entered into and to be performed entirely within Denmark between residents of Denmark).
If any variation is required to this Addendum as a result of a change in or subsequently applicable Data Protection Laws or if the SCCs, as clarified, fail as a lawful data transfer mechanism, then either party may provide written notice to the other party of that change in laws. The parties then will discuss and negotiate in good faith any variations to this Addendum necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.