Data Protection Addendum

Effective: January 1, 2020

This Data Protection Addendum (“Addendum”) supplements the agreement between Customer and Kokomo24/7 Safety Cloud into which it is incorporated by reference (“Agreement”).

I. Introduction

  1. Definitions.

. “Applicable Data Protection Law" refers to all laws and regulations applicable to Kokomo24/7 Safety Cloud’s processing of personal data under the Agreement including, without limitation, the General Data Protection Regulation (EU 2016/679) (“GDPR”).

. “controller”, "processor", "data subject", “personal data,” and "processing" (and "process") have the meanings given in accordance with Applicable Data Protection Law.

. “Customer Account Data” means personal data that relates to Customer’s relationship with Kokomo24/7 Safety Cloud, including the names and/or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data Kokomo24/7 Safety Cloud may need to collect for the purpose of identity verification, or as part of its legal obligation to retain subscriber records.

. “Customer Content” means (a) personal data exchanged by means of use of the Services, such as text, message bodies, voice and video media, images, email bodies, email recipients, and sound, and (b) data stored on Customer’s behalf such as communication logs within the Services or marketing campaign data Customer has uploaded to the Safety Cloud Services.

. “Customer Data” has the meaning given in the Agreement. Customer Data includes Customer Account Data, Customer Usage Data, Customer Content and Sensitive Data, as defined in this Agreement.

. “Customer Usage Data” means data processed by Kokomo24/7 Safety Cloud for the purposes of transmitting or exchanging Customer Content; including data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication; and (b) activity logs used to identify the source of Service requests, optimize and maintain the performance of the Services, and investigate and prevent system abuse.

. “Privacy Shield Framework” means the EU-US and/or Swiss-US Privacy Shield self-certification program operated by the US Department of Commerce.

. “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles).

. “Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

. “Safety Cloud Services” means the services enabling companies to develop, transmit, analyze, and manage email communications and other related digital communications and tools through the website at http://www.kokomo247.com, including all programs, features, functions and report formats, and subsequent updates or upgrades of any of the foregoing made generally available by Kokomo24/7 Safety Cloud, and excluding any Kokomo24/7 Safety Cloud Services.

. “Sensitive Data” has the meaning given in the Kokomo24/7 Safety Cloud Acceptable Use Policy available at https://www.kokomo247.com/aup, which may be updated from time to time as stated in the AUP.

. “Kokomo24/7 Safety Cloud Services” means the products and services that are ordered by Customer under an Order Form or by using the Kokomo24/7 Safety Cloud account, or provided by Kokomo24/7 Safety Cloud to Customer on a trial basis or otherwise free of charge. As of the Effective Date, Kokomo24/7 Safety Cloud Services generally consist of: (a) platform services, namely access to the Kokomo24/7 Safety Cloud application programming interface (referred to herein as Kokomo24/7 Safety Cloud APIs) and, where applicable, (b) connectivity services, that link the Kokomo24/7 Safety Cloud Services to the telecommunication providers’ networks via the Internet. The Kokomo24/7 Safety Cloud Services excludes any Safety Cloud Services.

Any capitalized term used but not defined in this Addendum has the meaning provided to it in the Agreement.

II. Controller and Processor

2. Relationship of the Parties.

2.1 Kokomo24/7 Safety Cloud as a Processor: The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and Kokomo24/7 Safety Cloud is a processor.

2.2 Kokomo24/7 Safety Cloud as a Controller of Customer Account Data: The parties acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and Kokomo24/7 Safety Cloud is an independent controller, not a joint controller with Customer.

2.3 Kokomo24/7 Safety Cloud as a Controller of Customer Usage Data: The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and Kokomo24/7 Safety Cloud is an independent controller, not a joint controller with Customer.

3. Purpose Limitation. Kokomo24/7 Safety Cloud will process personal data in order to provide the Services in accordance with the Agreement. Section 2.1 of Schedule 1 further specifies the duration of the processing, the nature and purpose of the processing, and the types of personal data and categories of data subjects. Kokomo24/7 Safety Cloud will process Customer Content in accordance with Customer’s instructions as outlined in Section 5. Kokomo24/7 Safety Cloud will process Customer Account Data and Customer Usage Data in accordance with Applicable Data Protection Law and consistent with the Privacy Policy, the Agreement, and this Addendum.

4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data; and (b) it has, and will continue to have, the right to transfer, or provide access to, the personal data to Kokomo24/7 Safety Cloud for processing in accordance with the terms of the Agreement and this Addendum.

 

III. Kokomo24/7 Safety Cloud as a Processor - Processing Customer Content

5. Customer Instructions. Customer appoints Kokomo24/7 Safety Cloud as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits and abuse); (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing by the parties (“Permitted Purposes”).

5.1 Lawfulness of Instructions.Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer will ensure that its instructions relating to Kokomo24/7 Safety Cloud’s processing of the Customer Content will not cause Kokomo24/7 Safety Cloud to violate any applicable law, regulation, or rule, including Applicable Data Protection Law. Kokomo24/7 Safety Cloud will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law.

5.2 Additional Instructions. Additional instructions outside the scope of the Agreement, an Order Form, or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to Kokomo24/7 Safety Cloud for carrying out those instructions.

6. Confidentiality.

6.1 Responding to Third Party Requests. In the event that any request, correspondence, inquiry or complaint from a data subject, regulatory authority, or third party is made directly to Kokomo24/7 Safety Cloud in connection with Kokomo24/7 Safety Cloud’s processing of Customer Content, Kokomo24/7 Safety Cloud will promptly inform Customer and provide details of the same, to the extent legally permitted. Unless legally obligated to do so, Kokomo24/7 Safety Cloud will not respond to any such request, inquiry, or complaint without Customer’s prior consent except to confirm that the request relates to Customer.

6.2 Confidentiality Obligations of Kokomo24/7 Safety Cloud Personnel.Kokomo24/7 Safety Cloud will ensure that any person it authorizes to process the Customer Content has agreed to protect personal data in accordance with Kokomo24/7 Safety Cloud's confidentiality obligations under the Agreement.

7. Sub-processing.

7.1 Sub-processors. Customer agrees that Kokomo24/7 Safety Cloud may use sub-processors to fulfill its contractual obligations under the Agreement. Where Kokomo24/7 Safety Cloud authorizes any sub-processor as described in this Section 7, Kokomo24/7 Safety Cloud agrees to impose data protection terms on any sub-processor it appoints that require it to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

7.2 General Consent for Onward Sub-processing. Customer provides a general consent for Kokomo24/7 Safety Cloud to engage onward sub-processors, conditional on the following requirements:

(a) Any onward sub-processor must agree in writing to only process data in a country that the European Commission has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses, or pursuant to a Binding Corporate Rules approval granted by competent European data protection authorities, or pursuant to a compliant US–EU Privacy Shield certification; and

(b) Kokomo24/7 Safety Cloud will restrict the onward sub-processor’s access to personal data only to what is strictly necessary to provide the Services, and Kokomo24/7 Safety Cloud will prohibit the sub-processor from processing the personal data for any other purpose.

7.3 Current Sub-processors and Notification of New Sub-processors. If Kokomo24/7 Safety Cloud Ireland Limited or Kokomo24/7 Safety Cloud Japan G.K. is the Kokomo24/7 Safety Cloud party to the Agreement, then Customer consents to Kokomo24/7 Safety Cloud engaging Kokomo24/7 Safety Cloud Inc. as a sub-processor, which has its primary processing facilities in the United States of America. Customer consents to Kokomo24/7 Safety Cloud engaging additional third party sub-processors to process Customer Content within the Services for the Permitted Purposes provided that Kokomo24/7 Safety Cloud maintains an up-to-date list of its sub-processors for the Kokomo24/7 Safety Cloud Services at https://www.Kokomo247.com/legal/sub-processors and for the Safety Cloud Services at https://kokomo247.com/policies/privacy/sub-processors, which each contain a mechanism for Customer to subscribe to notifications of new sub-processors. If Customer subscribes to such notifications, Kokomo24/7 Safety Cloud will provide details of any change in sub-processors as soon as reasonably practicable. With respect to changes in infrastructure providers, Kokomo24/7 Safety Cloud will endeavor to give notice sixty (60) days prior to any change, but in any event will give notice no less than thirty (30) days prior to any such change. With respect to Kokomo24/7 Safety Cloud’s other sub-processors, Kokomo24/7 Safety Cloud will endeavor to give notice thirty (30) days prior to any change, but will give notice no less than ten (10) days prior to any such change.

7.4 Objection Right for new Sub-processors. Customer may object to Kokomo24/7 Safety Cloud's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such event, the parties agree to discuss commercial reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days, Customer may suspend or terminate the affected service in accordance with the termination provisions of the Agreement. Such termination will be without prejudice to any fees incurred by Customer prior to suspension or termination. If no objection has been raised prior to Kokomo24/7 Safety Cloud replacing or appointing a new a sub-processor, Kokomo24/7 Safety Cloud will deem Customer to have authorized the new sub-processor.

7.5 Sub-processor Liability. Kokomo24/7 Safety Cloud will remain liable for any breach of this Addendum that is caused by an act, error or omission of its sub-processors.

8. Data Subject Rights.

8.1 Kokomo24/7 Safety Cloud Services. As part of the Kokomo24/7 Safety Cloud Services, Kokomo24/7 Safety Cloud provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict use of Customer Content, which may be used by Customer to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the Kokomo24/7 Safety Cloud Services at no additional cost. In addition, upon Customer’s request, Kokomo24/7 Safety Cloud will provide reasonable additional and timely assistance (at Customer’s expense only if complying with the Customer’s request will require Kokomo24/7 Safety Cloud to assign significant resources to that effort) to assist Customer in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.

8.2 Safety Cloud Services. Kokomo24/7 Safety Cloud will, taking into account the nature of the processing, provide reasonable assistance to Customer to the extent possible to enable Customer to respond to requests from a data subject seeking to exercise its rights under Applicable Data Protection Law with respect to Customer Content being processed via the Safety Cloud Services.

9. Impact Assessments and Consultations. Kokomo24/7 Safety Cloud will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Kokomo24/7 Safety Cloud to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.

10. Return or Deletion of Customer Content. Kokomo24/7 Safety Cloud will, in accordance with Section 2 of Schedule 1, delete or return to Customer any Customer Content stored in the Services.

10.1 Extension of Addendum. Upon termination of the Agreement, Kokomo24/7 Safety Cloud may retain Customer Content in storage for the time periods set forth in Schedule 1, provided that Kokomo24/7 Safety Cloud will ensure that Customer Content is processed only as necessary for the Permitted Purposes, and Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, Kokomo24/7 Safety Cloud may retain Customer Content or any portion of it if required by applicable law, provided that it remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

 

IV. Security and Audits

 

11. Security Measures. Kokomo24/7 Safety Cloud has implemented and will maintain appropriate technical and organizational measures to protect personal data from a Security Incident. Measures to protect Customer Content from a Security Incident are provided in the Security Overview referenced in Appendix 2. Additional information about the technical and organizational security measures involving (a) the Kokomo24/7 Safety Cloud Services are described at https://www.kokomo247.com/security and (b) the Safety Cloud Services are described at https://www.kokomo247.com/policies/security.

11.1 Determination of Security Requirements: Customer acknowledges that the Services include certain features and functionalities that Customer may elect to use that impact the security of the data processed by Customer’s use of the Services, such as, but not limited to, encryption of voice recordings and availability of multi-factor authentication on Customer’s Services account or optional TLS encryption within the Safety Cloud Services. Customer is responsible for reviewing the information Kokomo24/7 Safety Cloud makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by Kokomo24/7 Safety Cloud to maintain appropriate security in light of the nature of the data processed by Customer’s use of the Services.

11.2 Security Incident Notification: Kokomo24/7 Safety Cloud will provide notification of a Security Incident in the following manner:

a. Kokomo24/7 Safety Cloud will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after, Kokomo24/7 Safety Cloud’s confirmation or reasonable suspicion of a Security Incident impacting Customer Data of which Kokomo24/7 Safety Cloud is a processor;

b. Kokomo24/7 Safety Cloud will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which Kokomo24/7 Safety Cloud is a controller; and

c. Kokomo24/7 Safety Cloud will notify the email address of Customer’s account owner.

Kokomo24/7 Safety Cloud will make reasonable efforts to identify and, to the extent such Security Incident is caused by a violation of the requirements of this Addendum by Kokomo24/7 Safety Cloud, remediate the cause of such Security Incident. Kokomo24/7 Safety Cloud will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.

12. Audits. The parties acknowledge that Customer must be able to assess Kokomo24/7 Safety Cloud’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Kokomo24/7 Safety Cloud is acting as a processor on behalf of Customer.

12.1 Kokomo24/7 Safety Cloud’s Audit Program: Kokomo24/7 Safety Cloud uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually at Kokomo24/7 Safety Cloud’s expense by independent third party security professionals at Kokomo24/7 Safety Cloud’s selection and result in the generation of a confidential audit report (“Audit Report”). A description of Kokomo24/7 Safety Cloud’s certifications and/or standards for audit of the (a) Kokomo24/7 Safety Cloud Services can be found at https://www.kokomo247.com/security; and (b) Safety Cloud Services can be found at https://kokomo247.com/policies/security.

12.2 Customer Audit: Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Kokomo24/7 Safety Cloud will make available to Customer a copy of Kokomo24/7 Safety Cloud’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law (including, where applicable, Article 28(3) of the GDPR or Clauses 5(f) and 12(2) of the Standard Contractual Clauses) will be satisfied by these Audit Reports. To the extent that Kokomo24/7 Safety Cloud’s provision of an Audit Report does not provide sufficient information or to the extent that Customer must respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Kokomo24/7 Safety Cloud that: (a) ensures the use of an independent third party; (b) provides notice to Kokomo24/7 Safety Cloud in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at Kokomo24/7 Safety Cloud’s then-current rates unless Customer is on Kokomo24/7 Safety Cloud’s Enterprise Edition; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law, to keep confidential any information gathered that, by its nature, should be confidential.

 

V. International Provisions

13. Processing in the United States. Customer acknowledges that, as of the Effective Date of this Addendum, Kokomo24/7 Safety Cloud’s primary processing facilities are in the United States of America.

14. Cross Border Data Transfer Mechanisms for Data Transfers. To the extent that Customer’s use of the Kokomo24/7 Safety Cloud Services requires transfer of personal data out of the European Economic Area ("EEA"), Switzerland, or a jurisdiction set forth in Schedule 4, then Kokomo24/7 Safety Cloud will take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.

14.1 Order of Precedence. In the event that the Services are covered by more than one transfer mechanism, the transfer of personal data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) Kokomo24/7 Safety Cloud’s binding corporate rules as set forth in Section 14.2; (b) EU–US and Swiss–US Privacy Shield Framework self-certifications as set forth in Section 14.3; and (c) the Standard Contractual Clauses as set forth in Section 14.4.

14.2 Kokomo24/7 Safety Cloud BCRs - Kokomo24/7 Safety Cloud Services. The parties agree that Kokomo24/7 Safety Cloud will process personal data in the Kokomo24/7 Safety Cloud Services in accordance with Kokomo24/7 Safety Cloud’s Binding Corporate Rules as set forth at https://www.kokomo247.com/legal/binding-corporate-rules (“Kokomo24/7 Safety Cloud BCRs”). The parties further agree that, with respect to the Kokomo24/7 Safety Cloud Services, the Kokomo24/7 Safety Cloud BCRs will be the lawful transfer mechanism of Customer Account Data, Customer Content and Customer Usage Data from the EEA, Switzerland, or the United Kingdom to Kokomo24/7 Safety Cloud in the United States, or any other non-EEA Kokomo24/7 Safety Cloud entity subject to the binding corporate rules. For avoidance of doubt, the Kokomo24/7 Safety Cloud BCRs do not apply to Safety Cloud Services.

14.3 Privacy Shield. To the extent Kokomo24/7 Safety Cloud processes (or causes to be processed) any personal data via the Services originating from the EEA, Switzerland, or the United Kingdom, Kokomo24/7 Safety Cloud represents that it is self-certified to the Privacy Shield Framework and agrees that it will comply with the Privacy Shield Principles when handling any such data. To the extent that Customer is (a) located in the United States of America and is also self-certified to the Privacy Shield Framework or (b) located in the EEA, Switzerland or United Kingdom, Kokomo24/7 Safety Cloud further agrees to (x) provide at least the same level of protection to such data as is required by the Privacy Shield Principles; (y) notify Customer without undue delay if its self-certification to the Privacy Shield Framework is withdrawn, terminated, revoked, or otherwise invalidated and to cooperate in good faith to put in place such alternative data export mechanisms as are required under Applicable Data Protection Law; and (z) upon notice, to work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of personal data.

14.4 Standard Contractual Clauses. This Addendum hereby incorporates by reference (a) the Standard Contractual clauses for data controller to data processor transfers approved by the European Commission in decision 2010/593/EU, provided that Appendices 1 and 2 of the Standard Contractual Clauses are set forth in Schedule 2 to this Addendum; and (b) the Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC, provided that Annex B of the Standard Contractual Clauses are set forth in Schedule 3 to this Addendum. The parties further agree that the Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area, the United Kingdom, and/or Switzerland to outside the European Economic Area, the United Kingdom, and Switzerland, either directly or via onward transfer, to any country or recipient: (x) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive) and (y) not covered by the Kokomo24/7 Safety Cloud BCRs or by the Privacy Shield certification.

15. Jurisdiction Specific Terms. To the extent Kokomo24/7 Safety Cloud processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4, then the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.

 

VI. Miscellaneous

16. Cooperation and Data Subject Rights. In the event that either party receives: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator or other third party, (collectively, "Correspondence") then, where such Correspondence relates to processing of Customer Account Data or Customer Usage Data conducted by the other party, it will promptly inform such other party and the parties agree to cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Applicable Data Protection Law.

17. Sensitive Data. Customer acknowledges that the Services are not intended for the processing of Sensitive Data. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing any Sensitive Data over the Services, or prior to permitting End Users to transmit or process Sensitive Data over the Services. Except in the context of a specific agreement between the parties regarding processing Sensitive Data, any transmission or processing of Sensitive Data is at Customer's own risk. Kokomo24/7 Safety Cloud will have no additional liability whatsoever for Sensitive Data sent via the Services, even if that is in connection with a Security Incident.

18. Failure to Perform. In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the Parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement in accordance with the Agreement’s termination provisions.

19. Notification Cooperation. Customer acknowledges that Kokomo24/7 Safety Cloud, as a controller, may be required by Applicable Data Protection Law to notify the regulatory authority of Security Incidents involving Customer Usage Data. If the regulatory authority requires Kokomo24/7 Safety Cloud to notify impacted data subjects with whom Kokomo24/7 Safety Cloud does not have a direct relationship (e.g., Customer’s end users), Kokomo24/7 Safety Cloud will notify Customer of this requirement. Customer will provide reasonable assistance to Kokomo24/7 Safety Cloud to notify the impacted data subjects.

20. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

21. Conflict. If there is any conflict between this Addendum and the Agreement and/or Privacy Policy, then the terms of this Addendum will control. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

22. Updates. Kokomo24/7 Safety Cloud may update the terms of this Data Protection Addendum from time to time; provided, however, Kokomo24/7 Safety Cloud will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.

SCHEDULE 1

DETAILS OF PROCESSING

1. Nature and Purpose of the Processing. Kokomo24/7 Safety Cloud will process personal data as necessary to provide the Services under the Agreement. Kokomo24/7 Safety Cloud does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

1.1 Customer Content. Kokomo24/7 Safety Cloud will process Customer Content in accordance with Section 5 of the Addendum.

1.2 Customer Account Data. Kokomo24/7 Safety Cloud will process Customer Account Data as a controller (a) in order to manage the relationship with Customer; (b) carry out Kokomo24/7 Safety Cloud’s core business operations, such as accounting and filing taxes; and (c) in order to detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of the Services.

1.3 Customer Usage Data. Kokomo24/7 Safety Cloud will process Customer Usage Data as a controller in order to carry out necessary functions as a communications service provider including, but not limited to, (a) Kokomo24/7 Safety Cloud’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the services and platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; and/or (c) as required by applicable law.

2. Duration of the Processing.

2.1 Customer Content.

a. Kokomo24/7 Safety Cloud Services. Prior to the termination of the Agreement, Kokomo24/7 Safety Cloud will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Kokomo24/7 Safety Cloud Services. Prior to the termination of this Agreement, Customer agrees that it is solely responsible for deleting Customer Content via the Kokomo24/7 Safety Cloud Services. Upon termination of the Agreement, Kokomo24/7 Safety Cloud will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Kokomo24/7 Safety Cloud Services; (ii) automatically delete any stored Customer Content thirty (30) days after the termination effective date; and (iii) automatically delete any stored Customer Content on Kokomo24/7 Safety Cloud’s back-up systems sixty (60) days after the termination effective date. Any Customer Content archived on Kokomo24/7 Safety Cloud’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law.

b. Safety Cloud Services. Upon termination of the Agreement, Kokomo24/7 Safety Cloud will (a) at Customer’s election, delete or return to Customer the Customer Content (including copies) stored in the Safety Cloud Services and (b) automatically delete any stored Customer Content on Kokomo24/7 Safety Cloud’s back-up systems one (1) year after the termination effective date.

2.2 Customer Account Data. Kokomo24/7 Safety Cloud will process Customer Account Data as long as needed to provide the Services to Customer as required for Kokomo24/7 Safety Cloud’s legitimate business needs, or as required by law. Customer Account Data will be stored in accordance with Kokomo24/7 Safety Cloud’s Privacy Policy.

2.3 Customer Usage Data. Upon termination of the Agreement, Kokomo24/7 Safety Cloud may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 of this Schedule, subject to the confidentiality obligations set forth in the Agreement. Kokomo24/7 Safety Cloud will anonymize or delete Customer Usage Data when Kokomo24/7 Safety Cloud no longer requires it for the purposes set forth in Section 1.3 of this Schedule 1.

3. Categories of Data Subjects.

3.1 Customer Content. Customer’s end users.

3.2 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s Kokomo24/7 Safety Cloud account or make use of Customer’s telephone number assignments received from Kokomo24/7 Safety Cloud.

3.3 Customer Usage Data. Customer’s end users.

4. Type of Personal Data. Kokomo24/7 Safety Cloud processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data as defined in the Addendum.

SCHEDULE 2

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is the Customer and the user of the Services.

Data importer

The data importer is Kokomo24/7 Safety Cloud Inc, a provider of (a) business communications services that enable communications features and capabilities to be embedded into web, desktop and mobile software applications; and (b) cloud-based transactional and marketing email delivery, management and analytics services.

Data subjects

The personal data transferred concern the following categories of data subjects:

Data exporter’s end-users. The data importer will receive any personal data in the form of Customer Content that the data exporter instructs it to process through its cloud communications products and services. The precise personal data that the data exporter will transfer to the data importer is necessarily determined and controlled solely by the data exporter.

Categories of data

The personal data transferred concern the following categories of data (please specify):

Customer Content: As defined in Section 1 of this Addendum.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Kokomo24/7 Safety Cloud does not intentionally collect or process any special categories of data in the provision of its products or services.

However, special categories of data may from time to time be processed through the Services where the data exporter or its end users choose to include this type of data within the communications it transmits using the Services. As such, the data exporter is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using the Services.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

For the Kokomo24/7 Safety Cloud Services, the provision of programmable communication products and services, primarily offered in the form of APIs, on behalf of the data exporter, including transmittal to or from data exporter’s software application from or to the publicly-switched telephone network (PSTN) or by way of other communications networks.

For the Safety Cloud Services, the provision of products and services which allow the sending and delivering email communications on behalf of the data exporter to its recipients. Kokomo24/7 Safety Cloud will also provide the data exporter with analytic reports concerning the email communications it sends on the data exporter's behalf.

Storage on Kokomo24/7 Safety Cloud’s network.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or documentation/legislation attached):

See Kokomo24/7 Safety Cloud Security Overview available at www.kokomo247.com/legal/security-overview

SCHEDULE 3

ANNEX B TO THE STANDARD CONTRACTUAL CLAUSES

DESCRIPTION OF THE TRANSFER

This Annex forms part of the Standard Contractual Clauses and must be completed and signed by the parties.

Data Subjects

The personal data transferred concern the following categories of data subjects:

Data exporter and data exporter’s end users.

Purposes of the Transfer(s)

The transfer is made for the following purposes:

The provision of cloud communication services.

and

For provision of a portion of the Kokomo24/7 Safety Cloud Services under which data exporter adds an additional factor for verification of data exporter’s end users’ identity in connection with such end users’ use of data exporter’s software applications or services (“2 Factor Authentication Services”)

Categories of data

The personal data transferred concern the following categories of data:

  1. Personal data transferred by data exporter to data importer to provide 2 Factor Authentication Services, namely data subjects' telephone numbers and email addresses and any other personal data provided by the data exporter and/or needed for authentication purposes.

  2. Customer Account Data: As defined in Section 1 of the Addendum.

  3. Customer Usage Data: As defined in Section 1 of the Addendum.

Recipients

The personal data transferred may only be disclosed to the following recipients or categories of recipients:

  • Employees, agents, affiliates, advisors and independent contractors of data importer with a reasonable business purpose for needing such personal data

  • Vendors of data importer that, in their performance of their obligations to data importer, must process such personal data acting on behalf of and according to instructions from data importer.

  • Any person (natural or legal) or organization to whom data importer may be required by applicable law or regulation to disclose personal data, including law enforcement authorities, central and local government.

Sensitive data

N/A

Data protection registration of the data exporter

SCHEDULE 4

JURISDICTION SPECIFIC TERMS

  1. Australia:

1.1. The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

1.2. The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.

1.3. The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

2. California:

2.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).

2.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Customer Content, and Customer Usage Data.

2.3 The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 8 of the Addendum, apply to Consumer rights. In regards to data subject requests, Kokomo24/7 Safety Cloud can only verify a request from Customer and not from Customer’s end user or any third party.

2.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.

2.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.

2.6 Kokomo24/7 Safety Cloud will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Kokomo24/7 Safety Cloud agrees not to (a) sell (as defined by the CCPA) Customer’s personal data or Customer end users’ personal data; (b) retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Customer’s personal data outside of the scope of the Agreement. Kokomo24/7 Safety Cloud understands its obligations under the Applicable Data Protection Law and will comply with them.

2.7 Kokomo24/7 Safety Cloud certifies that its sub-processors, as described in Section 7 of the Addendum, are Service Providers under Applicable Data Protection Law, with whom Kokomo24/7 Safety Cloud has entered into a written contract that includes terms substantially similar to this Addendum. Kokomo24/7 Safety Cloud conducts appropriate due diligence on its sub-processors.

2.8 Kokomo24/7 Safety Cloud will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in Section 11 of the Addendum.

3. Canada:

3.1. The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

3.2. Kokomo24/7 Safety Cloud’s sub-processors, as described in Section 7 of the Addendum, are third parties under Applicable Data Protection Law, with whom Kokomo24/7 Safety Cloud has entered into a written contract that includes terms substantially similar to this Addendum. Kokomo24/7 Safety Cloud has conducted appropriate due diligence on its sub-processors.

3.3. Kokomo24/7 Safety Cloud will implement technical and organizational measures as set forth in Section 11 of the Addendum.

4. Chile:

4.1. The definition of “Applicable Data Protection Law” includes Law 19.628.

5. Israel:

5.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).

5.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.

5.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.

5.4 Kokomo24/7 Safety Cloud will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Kokomo24/7 Safety Cloud in accordance with Section 6 of the Addendum.

5.5 Kokomo24/7 Safety Cloud must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 11 of the Addendum and complying with the terms of the Agreement.

5.6 Kokomo24/7 Safety Cloud must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with Kokomo24/7 Safety Cloud pursuant to Section 7.1 of this Addendum.

6. Japan:

6.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

6.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.

6.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Kokomo24/7 Safety Cloud is responsible for the handling of personal data in its possession.

7. Mexico

7.1. The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).

7.2. When acting as a processor, Kokomo24/7 Safety Cloud will:

(a) treat personal data in accordance with Customer’s instructions as outlined in Section 5 of the Addendum;

(b) process personal data only to the extent necessary to provide the Services;

(c) implement security measures in accordance with Applicable Data Protection Law and Section 11 of the Addendum;

(d) keep confidentiality regarding the personal data processed in accordance with the Agreement;

(e) delete all personal data upon termination of the Agreement in accordance with Section 10 of the Addendum; and

(f) only transfer personal data to sub-processors in accordance with Section 7 of the Addendum.

8. Singapore:

8.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).

8.2 Kokomo24/7 Safety Cloud will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 11 of the Addendum and complying with the terms of the Agreement.

9. United Kingdom:

9.1 The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018.