Data Processing Addendum

This Data Processing Addendum (“DPA”) amends the Tread Terms of Subscription to which it is an addendum.  Terms used and not defined in this DPA have the meanings given to them in the Agreement, as defined in the Tread Terms of Subscription.

1. Definitions

Data Protection Legislation” means European Union Regulation 2016/679 (the “General Data Protection Regulation”) or California Civil Code Section 1798.100-1798.199 (the “California Consumer Privacy Act of 2018”), as applicable, and any legislation and/or regulation implementing or made pursuant to it, or which amends or replaces any of it, and any other applicable legislation;

Data Processor”, “Data Controller”, “Data Subject”, “Processing”, “Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance with the General Data Protection Regulation;

Service Provider” shall be interpreted in accordance with the California Consumer Privacy Act of 2018;

Personal Data” as used in this DPA means information that relates to, or could reasonably be linked with, to an identifiable or identified Data Subject who engages in transactions with Customer in relation to the Services (an “End User”), which Tread Processes as a Data Processor or Service Provider in the course of providing Customer with the Services. Notwithstanding the foregoing sentence, Personal Data does not include information that Tread Processes in the context of services that it provides directly to an End User, for example if that End User is also a customer of Tread;

Data Subject Request” as used in this DPA means a request for access, erasure, rectification, or portability of an End User’s Personal Data; and

All other capitalized terms in this DPA shall have the same definition as in the Agreement.

2. Data Protection

2.1 Where a Data Subject is located in the European Economic Area, that Data Subject’s Personal Data will be Processed by Tread. As part of providing the Services, this Personal Data may be transferred to other regions, including to Canada and the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation.

2.2 When Tread Processes Personal Data in the course of providing the Services, Tread will:

2.2.1 Process the Personal Data as a Data Processor and/or Service Provider, only for the purpose of providing the Services in accordance with the Agreement and documented instructions from Customer (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by Customer. If Tread is required by law to Process the Personal Data for any other purpose, Tread will provide Customer with prior notice of this requirement, unless Tread is prohibited by law from providing such notice;

2.2.1.1 Customer acknowledges that Tread acts as an independent Data Controller with regards to End User Personal Data that it collects directly from End Users, for example if that End User is also a customer of Tread;

2.2.1.2 As part of providing the Services, Tread may transfer Personal Data at Customer’s instruction to third parties. In this capacity, such third parties act as independent Data Controllers with regards to any End User Personal Data that they may process and we are not responsible for how they process such data;

2.2.2 Notify Customer if, in Tread’s opinion, Customer’s instruction for the Processing of Personal Data infringes applicable Data Protection Legislation;

2.2.3 Notify Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Tread’s Processing of the Personal Data;

2.2.4 Implement reasonable technical and organizational measures enabling Customer to execute Data Subject Requests that Customer is obligated to fulfil;

2.2.5 Implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;

2.2.6 Upon request, provide reasonable information to help the End User complete the End User’s data protection impact assessments.

2.2.7 Provide Customer, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing Tread’s data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable Customer to assess compliance with the terms of this DPA;

2.2.8 Notify Customer without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;

2.2.9 Ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the End User Personal Data; and

2.2.10 Upon termination of the Agreement, Tread will promptly initiate its purge process to delete or anonymize the Personal Data. If Customer requests a copy of such Personal Data within 60 days of termination, Tread will provide Customer with a copy of such Personal Data.

2.3 In the course of providing the Services, Customer acknowledges and agrees that Tread may use Subprocessors to Process the Personal Data. Tread’s use of any specific Subprocessor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Tread and Subprocessor that requires comparable protections to this Data Processing DPA. 

3. Miscellaneous

3.1 In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this DPA, including limitations thereof, will be governed by the relevant provisions of the Agreement. 

3.2 Save as specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this DPA. If any provision of the DPA is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this DPA shall remain operative and binding on the parties.

3.3 The terms of this DPA shall be construed and governed by the laws of the Province of Ontario. Any dispute or claim arising out of or in connection with this DPA or the performance, breach or termination thereof, shall be subject to the exclusive jurisdiction of the courts of the Province of Ontario. This Section shall not prevent either party from seeking immediate injunctive relief in any court of competent jurisdiction.