This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement or other agreement to which it is linked between SWYM Enterprises Inc. (“SWYM”) and the SWYM client executing an agreement with SWYM (“Company”, and collectively, the “Parties”) for the provision of Services by SWYM (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Company Personal Information. 

In the course of providing the Services to Company, SWYM may Process Company Personal Information on behalf of Company, and in such case, the Parties agree to comply with the following provisions with respect to Company Personal Information.

1. DEFINITIONS

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.  In this DPA, the following terms shall have the meanings set out below:

“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household. 

“Company Personal Information” means any Personal Information provided by or on behalf of Company to SWYM in connection with the Services, excluding business contact information. 

“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Information and the rights of Data Subjects, which may also be called a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.

“Data Protection Laws” means any and all applicable U.S. data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (b) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (c) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (d) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (e) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; (f) the Texas Data Privacy and Security Act, 11 Tex. Bus. & Com. Code § 541.001 et seq.; (g) the Oregon Consumer Privacy Act, Or. Rev. Stat. § 646A.570 et seq.; (h) the Montana Consumer Data Privacy Act, Mont. Code Ann. § 30-14-2801 et seq.; (i) the Iowa Consumer Data Protection Act, Ia. Code Ch. 715D; (j) the New Hampshire Data Privacy Act, N.H. Rev. Stat. Ann. 507-H; (k) the Nebraska Data Privacy Act, Neb. Rev. Stat. § 87-1101 et seq.; (l) the Delaware Personal Data Privacy Act, Del. Code § 12D-101 et seq.; (m) the New Jersey Data Privacy Act, N.J. Rev. Stat. § 56:8-166.4 et seq.; (n) the Tennessee Information Protection Act, Tenn. Code Ann. § 47-18-3201 et seq.; (o) the Minnesota Consumer Data Privacy Act, Minn. Stat. § 325O.01 et seq.; (p) the Maryland Online Data Privacy Act of 2024, Md. Code Ann., Com. Law § 14-4601 et seq.; (q) the Kentucky Consumer Data Protection Act, Ky. Rev. Stat. § 367.3611 et seq.; (r) the Indiana Consumer Data Protection Act, Ind. Code § 24-15; (s) the Rhode Island Data Transparency and Privacy Protection Act, R.I. Gen. Laws § 6-48.1-1 et seq.; (t) the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (“Washington and Nevada Consumer Health Data Laws”); and (u) all other equivalent or similar laws and regulations in the United States relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.

“Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed. The term “Data Subject” shall refer to a “Consumer” as that term is defined under Data Protection Laws.

“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or be reasonably be used to infer information about an identifiable natural person.

“Personal Information” means information that is protected by applicable Data Protection Laws or that otherwise that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household. 

“Personnel” means officers, directors, employees, Subprocessors, agents and representatives.

“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including, but not limited to: the California Privacy Protection Agency; and U.S. state attorneys general.

“Security Breach” means any security incident that adversely impacts the security of Company Personal Information.

“Subprocessor” means any third party appointed by SWYM to Process Company Personal Information as a SWYM or Processor on behalf of Company in connection with the Agreement.

The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

2. PROCESSING OF PERSONAL INFORMATION 

2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Company Personal Information, Company is the Controller or Business (as applicable), SWYM is the Processor or Service Provider (as applicable), and that SWYM will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Law. For clarity, SWYM is not responsible for compliance with any Data Protection Laws applicable to Company or Company’s industry that are not otherwise generally applicable to SWYM.

2.2 SWYM’s Processing of Personal Information. SWYM shall treat Company Personal Information as confidential and shall only Process Company Personal Information as necessary to perform its obligations on behalf of and in accordance with Company’s documented instructions for the following permitted purposes: (i) in accordance with the Agreement and applicable order or scope of work and applicable Data Protection Laws (including without limitation, the CCPA); and/or (ii) as applicable, if initiated by Data Subjects in their use of the Services. SWYM shall not (A) Sell, Share, or otherwise make available Company Personal Information to any third party in exchange for monetary or other valuable consideration, and (B) retain, use or disclose Company Personal Information outside of the direct business relationship with the Company or for any other purpose than what is specified in the Agreement and/or this DPA. When acting as a Service Provider under the CCPA, SWYM shall not combine Company Personal Information with Personal Information it receives from, or on behalf of, another person or persons, or that it processes as a Business, except as expressly permitted by Data Protection Laws. SWYM shall promptly notify Company after it makes a determination that it can no longer meet its obligations under applicable Data Protection Laws. Nothing herein shall limit or restrict SWYM’s right to use Aggregate Data and/or Deidentified Data or limit SWYM’s right to use Company Personal Information in any manner that is not restricted by specific Data Protection Laws. 

2.3 Company’s Processing of Personal Information. Company shall, in its use of the Services, Process Personal Information in accordance with the requirements of Data Protection Laws. Company’s instructions to SWYM related to the Processing of Company Personal Information shall comply with Data Protection Laws. Company instructs SWYM (and authorizes SWYM to instruct each Subprocessor) to Process Company Personal Information, and in particular, transfer Company Personal Information to any jurisdiction, as necessary for the provision of the Services and consistent with the Agreement and this DPA. Company represents and warrants that it shall (i) not provide SWYM with (or instruct SWYM to Process) any Personal Information unless it shall first have given and received the necessary notices and consents (and honored any opt-out rights) under Data Protection Laws; (ii) not provide SWYM with Personal Data of Data Subjects outside the United States; and (iii) comply with any other requirements under applicable Data Protection Laws. 

2.4 Details of the Processing. The subject matter of Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Company Personal Information, and categories of Data Subjects Processed under this DPA are specified in Annex I attached hereto, the Agreement or otherwise in writing between the Parties. 

2.5 Processing of Sensitive Data Prohibited. Company shall not disclose, transfer, or otherwise make available to SWYM any of the following categories of information: 

• Any information that constitutes “sensitive personal information,” “sensitive data,” “sensitive data inferences,” or “special categories of personal data” as those terms are defined under Data Protection Laws;
• Any information that constitutes “consumer health data” under the CTDPA or the Washington and Nevada Consumer Health Data Laws; 
• Any information that constitutes “protected health information” under the Health Insurance Portability and Accountability Act of 1996, 5 U.S.C. § 553 et seq., together with any amending legislation and any regulations promulgated thereunder; and

• Any Personal Information that is deemed by Regulatory Authorities as meriting sensitive or other heightened treatment under applicable Data Protection Laws or U.S. state or federal consumer protection laws.  

3. RIGHTS OF DATA SUBJECTS

3.1 The Parties shall reasonably cooperate in responding to Data Subject rights requests (“Data Subject Request”) and complying with requirements of Data Protection Laws in relation thereto.

3.2 If a Data Subject Request is made directly to SWYM, SWYM will promptly inform Company and will advise the Data Subject to submit the request to Company. Company will be solely responsible for responding substantively to any such Data Subject Requests or other communications involving Personal Information.

4. SWYM PERSONNEL

4.1 Confidentiality. SWYM shall ensure that its Personnel engaged in the Processing of Company Personal Information are informed of the confidential nature of the Company Personal Information, and have received appropriate training regarding the Processing of Company Personal Information. 

4.2 Reliability. SWYM shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Personnel engaged in the Processing of Company Personal Information.

4.3 Limitation of Access. SWYM shall ensure that SWYM’s access to Company Personal Information is limited to those Personnel performing the Services in accordance with the Agreement.

5. SUBPROCESSORS

5.1 Appointment of Subprocessors. With respect to the Processing of Company Personal Information, Company authorizes SWYM to appoint Subprocessors to Process Company Personal Information for a business purpose on behalf of Company, and consistent with the business purpose set forth herein, pursuant to a written contract that includes obligations that are at least as protective as those set out in this DPA and as required by Data Protection Laws. 

5.2 Notification of New Subprocessors and Company’s Right to Object. Company generally authorizes SWYM’s engagement of Subprocessors.  Upon request, SWYM shall give Company written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor. With the exception of commonly engaged vendors over whom SWYM exercises little control (such as Google, Amazon, or Facebook), if, within fifteen (15) business days of receipt of that notice, Company (acting reasonably and in good faith) notifies SWYM in writing of any objections to the appointment, SWYM shall cease disclosing any Company Personal Information to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by Company and Company has been provided with notice thereof. SWYM remains fully liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessor.

6. SECURITY 

6.1 Controls for the Protection of Company Personal Information. SWYM shall maintain appropriate physical, technical and organizational measures designed to protect the security, confidentiality, and integrity of Company Personal Information. In the event of any (i) unauthorized acquisition, alteration, or disclosure of Company Personal Information that requires notification to an individual, government or regulatory body, or law enforcement authority under Data Protection Laws, or (ii) breach of Data Protection Laws with respect to Company Personal Information, SWYM shall notify Company promptly.  

6.2 Data Security Incident Management and Notification. SWYM shall maintain security incident management policies and procedures, and if at any time SWYM determines that there has been a Security Breach, SWYM shall promptly: (i) notify Company in writing of such Security Breach; (ii) investigate and take steps to remediate the Security Breach, and (iii) provide information regarding the specific Company Personal Information adversely impacted by the Security Breach as reasonably requested by Company. 

7. INFORMATION PROVISION AND COOPERATION

7.1 Audits and Assessments.

1. If required of SWYM under applicable Data Protection Laws, SWYM shall reasonably cooperate with Company at Company’s expense, in relation to any audit of SWYM reasonably necessary to enable Company to comply with its obligations under Data Protection Laws (“Audit”), and shall seek the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) subject to a mutually agreed upon scope; (ii) conducted by an independent third party who has signed a nondisclosure agreement with SWYM or the Subprocessor, as the case may be; and (iii) subject to the confidentiality obligations set forth in the Agreement. Company shall use reasonable endeavours to minimize any disruption caused to the SWYM’s (or, Subprocessor’s, as the case may be) business activities as a result of an Audit. Audits shall take place no more than once in any calendar year except as otherwise required of SWYM under applicable Data Protection Laws. In addition, if required of SWYM under applicable Data Protection Laws, SWYM shall allow Company to take reasonable and appropriate steps to (a) ensure that SWYM’s Use of Company Personal Information is consistent with Company’s obligations under applicable Data Protection Laws, and (b) stop and remediate unauthorized use of Company Personal Information.
2. Any information disclosed in connection with an Audit shall be the Confidential Information of SWYM (and/or Subprocessor, as the case may be). 
   

7.2 Data Protection Assessments. Upon Company’s request and to the extent required of SWYM under applicable Data Protection Laws, SWYM shall provide Company, at Company’s reasonable expense with the reasonably necessary information needed for Company to carry out a Data Protection Assessment related to Company’s use of the Services, to the extent that Company does not otherwise have access to the relevant information and that such information is reasonably available to SWYM. 

8. RETURN AND DELETION OF COMPANY PERSONAL INFORMATION 

SWYM shall, on the written request of Company, return all Company Personal Information to Company and/or at Company’s request delete the same from its systems, except as otherwise permitted by applicable Data Protection Laws.

ANNEX I

Details of Processing Activities

1. Subject Matter of Processing of Personal Information.
   • The subject matter of Processing of Personal Information is to use and enhance Company’s use of the Services
2. Duration of Processing of Personal Information.
   • The duration of Processing of Personal Information is as long as necessary to provide Company with the Services requested.
3. Nature of Processing of Personal Information.
   • SWYM will Process Personal Information for the purposes of providing the Services to Company in accordance with Company’s instructions. 
4. Purpose of Processing of Personal Information.
   • Personal Information will be Processed solely for the purposes expressly set forth in the Agreement.
5. Types of Personal Information Processed.
   • IP addresses and other persistent identifiers of consumers.
6. Categories of Data Subjects included in the Processed Personal Information
   • Consumers who are actual or potential targets for Company’s advertisements.