Effective date: February 8, 2024

As part of delivering Sydkic services, Sydkic processes certain personal data related to customers, their representatives, end users, and subscribers. Sydkic performs this processing both as a processor on behalf of a customer and as a controller. This Data Processing Addendum (“DPA”) outlines the terms and conditions governing such processing by Sydkic.

The DPA is a key component of the Terms of Service (“Agreement”) between Sydkic, Inc., its subsidiaries, or affiliates, as applicable (“Sydkic”) and the customer, who is a party to the Agreement (“Customer”).

Table of Contents

  • 1. Definitions
  • 2. Roles and Responsibilities
  • 3. Use of Subprocessors
  • 4. Protective Measures for Data Security
  • 5. Security Evaluation and Reporting
  • 6. Data Breach Management and Notification
  • 7. Rights of Data Subjects and Cooperation
  • 8. Data Return or Deletion Procedures
  • 9. Additional Provisions

ANNEX 1. Details of Processing

  • 1A. Sydkic as a Processor
  • 1B. Sydkic as a Controller

ANNEX 2. Security Measures

ANNEX 3. International Provisions and Jurisdiction-Specific Terms

1. Definitions

Controller: An individual or entity that decides on the purposes and methods for processing Personal Data.

Customer Content: Personal Data related to End Users and the Customer’s Subscribers, which Sydkic processes on behalf of the Customer as a Processor, as outlined in this DPA.

Processing: Any operation or series of operations performed on Personal Data, whether by automated or manual means, including collection, recording, organization, storage, modification, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.

Personal Data: Any information relating to a Data Subject, defined under Applicable Data Protection Laws as “personal data,” “personal information,” or similar terms. This includes both Customer Content and Customer Account Data.

Customer Account Data: Personal Data related to the Customer, their representatives, and End Users, processed by Sydkic as a separate Controller, as described in this DPA.

Data Subject: An individual who is identified or identifiable by the Personal Data.

Data Privacy Frameworks: Refers to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the Swiss-U.S. Data Privacy Framework (Swiss DPF), and the UK Extension to the EU-U.S. DPF (UK Extension), administered by the U.S. Department of Commerce.

Subprocessor: Any Processor appointed by Sydkic to assist in fulfilling its obligations related to the Service under the Agreement or this DPA.

Applicable Data Protection Laws: Refers to all relevant privacy and data protection regulations that apply to either party under the Agreement. Each party determines its own Applicable Data Protection Laws, which may differ between Sydkic and the Customer.

Data Breach: Any confirmed unauthorized or illegal access, destruction, loss, alteration, or disclosure of Personal Data processed by Sydkic. This does not include failed attempts or activities that do not compromise data security, such as failed logins or network attacks.

Standard Contractual Clauses: (i) For GDPR, the standard clauses in the European Commission's Implementing Decision 2021/914 of June 4, 2021 (the “EU SCCs”); (ii) For UK GDPR, the standard clauses adopted under Article 46(2)(c) or (d) of the UK GDPR and issued by the commissioner (the “UK Addendum”); (iii) For Swiss DPA, the standard clauses issued or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”), each as detailed in Annex 3.

Customer’s Subscribers: Individuals whose data is managed by the Customer through the Service or uploaded to the Service, including current and prospective customers, social media and messaging platform contacts, or other individuals.

Service: Any product or service provided by Sydkic to the Customer under the Agreement.

End Users: The Customer and other individuals who lawfully access the Service on behalf of or authorized by the Customer.

Processor: An entity that processes Personal Data on behalf of a Controller.

Capitalized Terms: Any capitalized terms not defined within this DPA will have the meanings set forth in the Agreement.

2. Roles and Responsibilities

2.1. Sydkic as a Processor

The parties agree that when it comes to processing Customer Content, Sydkic acts as a Processor on behalf of the Customer (whether the Customer is a Controller or a Processor themselves). Sydkic will only process Customer Content following the Customer's instructions, as outlined in Section 2.4, and will do so solely for the purposes described in this Data Processing Addendum (DPA).

2.2. Sydkic as a Controller

The parties acknowledge that when processing Customer Account Data, Sydkic acts as an independent Controller, separate from the Customer. Sydkic will process Customer Account Data as a Controller to fulfill necessary functions like executing the agreement, managing accounts, ensuring compliance with laws, handling accounting and taxes, conducting audits, and performing sales and marketing communications with the Customer. This processing will be in line with Sydkic’s Privacy Policy, which can be accessed at www.sydkic.com/legal/privacy, and relevant sections of this DPA.

2.3. Data Processing Details

Details regarding the processing of both Customer Content and Customer Account Data are provided in Annex 1. This annex further outlines the nature and purpose of the processing, its duration, types of personal data, categories of data subjects, sources of personal data, and the Processors and Subprocessors engaged by Sydkic.

2.4. Customer Instructions

Sydkic will only process Customer Content according to the Customer's instructions. By agreeing to the terms of this Agreement, including this DPA, the Customer instructs Sydkic to process Customer Content as needed to provide the Service.

2.5. Customer as a Processor

If the Customer acts as a Processor on behalf of another Controller, the Customer guarantees that the relevant Controller has authorized (i) the instructions outlined in this DPA and the appointment of Sydkic as a Subprocessor, and (ii) Sydkic’s engagement of Subprocessors as described in Section 3. The Customer is responsible for promptly forwarding any notices from Sydkic (such as notices regarding the engagement of a new Subprocessor, a Data Breach, or data subject requests) to the relevant Controller.

2.6. Legal Compliance

Both parties will fulfill their obligations under their respective Applicable Data Protection Laws concerning the processing of Personal Data.

2.7. Customer’s Responsibilities

The Customer agrees to comply with their obligations under their Applicable Data Protection Laws regarding the processing of Personal Data and any instructions they provide to Sydkic. Specifically, the Customer must ensure that they have provided all necessary notices and obtained all required consents (or have other legal grounds) and rights under their Applicable Data Protection Laws to (i) engage Sydkic to process Customer Content on their behalf and (ii) transfer Customer Account Data to Sydkic under the Agreement and this DPA.

The Customer must also inform Sydkic of any specific requirements related to the processing of Customer Content that are imposed by the Customer’s Applicable Data Protection Laws and are not directly addressed in this DPA.

3. Use of Subprocessors

3.1. Authorized Subprocessors

Customer explicitly authorizes and agrees that Sydkic may engage Subprocessors to handle Customer Content. The current list of Subprocessors engaged by Sydkic and authorized by Customer can be found at www.sydkic.com/legal/serviceproviders. Additionally, Customer generally authorizes Sydkic to engage new Subprocessors to process Customer Content, subject to the procedure outlined in Section 3.3 of this DPA.

3.2. Subprocessor Obligations

For all Subprocessors, Sydkic will:

  • Enter into a legally binding agreement with the Subprocessor, which imposes data protection obligations that are substantially similar to those outlined in this DPA.
  • Remain responsible for the Subprocessor’s compliance with the obligations in this DPA and for any actions or omissions by the Subprocessor that result in Sydkic breaching any of its obligations under this DPA.

3.3. Engagement of New Subprocessors

Sydkic will inform the Customer about the engagement of any new Subprocessor if the Customer subscribes to receive such updates at www.sydkic.com/legal/subscribesubprocessorupdates. Sydkic will send this notification at least ten (10) calendar days before the new Subprocessor accesses Customer Content. If Sydkic reasonably believes that engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity, or availability of Customer Content or to avoid significant disruption to the Service, Sydkic will provide notice as soon as reasonably possible.

3.4. Objection to Subprocessors

If, within five (5) calendar days of receiving notice from Sydkic, the Customer notifies Sydkic of their objection to the appointment of a new Subprocessor based on legitimate data protection concerns, both parties will discuss these concerns in good faith to determine if they can be resolved. If a mutual resolution cannot be reached, the Customer’s sole and exclusive remedy will be to terminate the Agreement and DPA for convenience, with no refunds. The Customer will still be responsible for paying any fees committed to in an order form, order, statement of work, or other similar ordering documents.

If the Customer does not notify Sydkic of any objections within the specified period, Sydkic is deemed authorized to engage the new Subprocessor.

4. Protective Measures for Data Security

4.1. Adequate Security Measures

Sydkic will maintain technical and organizational security measures as outlined in Annex 2 ("Security Measures") to protect Personal Data from breaches and ensure its security and confidentiality.

4.2. Confidentiality of Processing

Sydkic will ensure that individuals authorized to process Personal Data are bound by confidentiality obligations.

4.3. Customer Responsibilities

The Customer must review and assess the Security Measures and ensure they are adequate. They are responsible for securely using the Service and protecting account credentials and data during transmission.

4.4. Updates to Security Measures

Sydkic may update Security Measures over time. The Customer should review these updates and assess whether the Service continues to meet their needs and legal obligations.

6. Data Breach Management and Notification

6.1. Notification Timeframe

Sydkic will notify the Customer of a Data Breach within 52 hours of discovery, unless notification is prohibited by law or a delay is required for investigation.

6.2. Content of Notification

The notification will include details of the breach, actions taken, and recommendations for the Customer.

6.3. Cooperation by Sydkic

Sydkic will assist the Customer in investigating and resolving the Data Breach. Notification does not imply liability.

6.4. Data Breach Notification to Authorities and Data Subjects

The Customer is responsible for notifying third parties and Data Subjects as required by applicable laws.

7. Data Subject Rights and Collaboration

7.1. Data Subject Requests

Sydkic will assist the Customer with Data Subject requests to exercise their rights, if the Customer cannot handle them independently.

7.2. Authorization for Direct Requests to Sydkic

If Sydkic receives requests from Data Subjects regarding Customer Content, the Customer authorizes Sydkic to fulfill these requests.

7.3. Assistance by Sydkic

Sydkic will assist the Customer with obligations under data protection laws, including security, breach notifications, impact assessments, and consultations. Significant resource allocation for assistance will be at the Customer's expense.

8. Data Return or Deletion Protocols

8.1. Data Deletion or Return

Upon receiving a request from the Customer and following the termination of the Agreement, Sydkic will delete or return all Customer Content from its systems. However, Sydkic may retain some data to comply with legal obligations. Retained data will continue to be subject to the terms of this DPA.

9. Additional Provisions

9.1. Processing in the United States

The Customer acknowledges that Sydkic may process Personal Data through Subprocessors or Processors in countries outside the EEA, including the United States.

9.2. Communication Methods

Notifications will be sent to the email provided by the Customer or posted in the Service's user interface. Any objections or requests should be sent to the same email or to privacy@sydkic.com.

9.3. Claims

Claims under this DPA are subject to the terms and conditions of the Agreement, including exclusions and limitations.

9.4. No Third-Party Beneficiary Rights

This DPA is for the benefit of the parties involved and their successors, not any third parties.

9.5. Governing Law

This DPA is governed by the law and jurisdiction provisions in the Agreement, unless otherwise required by the Customer’s data protection laws or specified in Annex 3.

9.6. Termination

This DPA terminates automatically with the Agreement's expiration or termination.

9.7. Liability

Any regulatory penalties related to Personal Data due to the Customer’s failure to comply will reduce Sydkic’s liability under the Agreement. Sydkic is liable for penalties resulting from its failure to comply. Neither party is responsible for fines imposed due to the other party's data protection law violations.

9.8. Relationship with the Agreement

This DPA is part of the Agreement. Except as stated in this DPA, the Agreement remains unchanged. If there is a conflict, the DPA terms will prevail. This DPA replaces any previous DPA related to the Service.

ANNEX 1. Details of Processing

1A. Sydkic as a Processor

Purpose and Nature of Processing

Provision of the Service, including support, communication, and service improvement. This includes sending announcements, technical notices, updates, security alerts, responding to requests, tracking activities, logging errors, fixing bugs, and ensuring accessibility, security, and usability.

Retention Period for Personal Data

Personal data will be retained until the termination or expiration of the Agreement.

Categories of Data Subjects

  • End Users
  • Customer’s Subscribers

Categories of Personal Data

  • End Users: Identification info (name, email), social media profiles, IT info (IP addresses, location, usage data), financial info (credit card details).
  • Customer’s Subscribers: Identification info, social media profiles (photo, name, DOB, gender, location), chat history, usage info, IT info.

Sensitive Data

No sensitive data is processed, and other Personal Data does not reveal sensitive information about racial or ethnic origin, political opinions, religious beliefs, health, or sexual orientation.

Frequency of Data Transfer

Data is transferred continuously until it is deleted as per the Agreement and DPA.

Data Source

Data is sourced from the Customer (or End Users) during signup and use of the Service, including third-party integrations (e.g., Facebook, Instagram, Telegram) linked by the Customer.

Onward Transfer

Refer to the list of Subprocessors at www.sydkic.com/legal/serviceproviders. Subprocessing duration is limited to the retention period specified.

1B. Sydkic as a Controller

Purpose and Nature of Processing

Processing for entering into the Agreement, managing accounts, compliance with laws, handling accounting, tax, billing, auditing, and sales/marketing communications with the Customer.

Retention Period for Personal Data

Personal data will be retained until the termination of the Agreement, unsubscribe requests, and legally required retention periods.

Categories of Data Subjects

  • Customer and its representatives
  • End Users

Categories of Personal Data

  • Customer and its Representatives: Full name, title, company, email address.
  • End Users: Identification info (ID, name, email), linked pages, products in use, IT info, financial info.

Sensitive Data

No sensitive data is processed, and no other Personal Data is used to indirectly reveal sensitive information.

Frequency of Data Transfer

Data is transferred continuously until it is deleted according to the Agreement and DPA.

Data Source

Data is sourced from the Customer's signup process and use of the Service.

Onward Transfer

Refer to the list of Service Providers at www.sydkic.com/legal/serviceproviders. Personal data may also be disclosed to public authorities if legally required.

ANNEX 2. Security Measures

1. Security Program and Policies

Sydkic maintains a comprehensive security program based on ISO 27001 standards, covering various areas like Policies and Procedures, Asset Management, Access Management, Cryptography, Physical and Operations Security, and more.

  • Documented policies reviewed annually.
  • Clear documentation of responsibilities and authority.
  • Regular testing of key controls and procedures.

2. Risk and Asset Management

  • Integrated risk management approach with ongoing risk assessment.
  • Identification and categorization of assets for effective protection.

3. Personnel Security and Awareness

  • Personnel must maintain confidentiality even post-employment.
  • Security awareness training provided annually.
  • Pre-employment verification for all new hires.

4. Access Management

  • Access controls based on “Need to Know” and “Least Privilege” principles.
  • Immediate deactivation of credentials upon termination.
  • Unique usernames, passwords, and multifactor authentication required.
  • Monitoring and logging of access to critical systems.

5. Technical and Application Security Measures

  • Segregation of Environments: Development and production environments are separated.
  • Encryption: Data in transit and at rest are encrypted using industry-standard protocols.
  • Redundancy: IT infrastructure includes redundant systems and strict Disaster Recovery SLAs.
  • Vulnerability Assessment: Regular security testing and patching.
  • Penetration Testing: Annual tests by independent providers.
  • Software Development: Security-by-design principles are followed.
  • Change Management: Documented procedures for implementing changes.
  • Network Security: Access restricted and protected against DDoS attacks.

6. Third-Party Provider Management

  • Assessment of third-party providers for security and quality.
  • Written agreements include confidentiality and security obligations.

7. Physical and Environmental Security

  • AWS data centers with stringent controls (video surveillance, redundant power).
  • Office security includes visitor management and video surveillance.
  • Review of third-party audit reports for physical access controls.

8. Resilience and Service Continuity

  • Backup Procedures: Redundant and encrypted backups.
  • Performance Monitoring: Tools for monitoring and alerting on service performance.
  • Disaster Recovery Plans: Established plans for data availability issues.

9. Security Certifications and Attestations

  • ISO 27001 Certification: Valid for 3 years with annual audits.
  • SOC 2 Type 2 Report: Annual renewal evaluating controls for security, availability, and confidentiality.

10. Information Security Incident Management

  • Policies and procedures in place for managing data breaches and security incidents.
  • Prompt investigation and notification of breaches to the Customer, as permitted by law.

ANNEX 3. International Provisions and Jurisdiction-Specific Terms

1. California

For Customers under the California Consumer Privacy Act (CCPA):

  • Sydkic is considered a service provider under the CCPA.
  • Sydkic agrees not to sell, retain, use, or disclose Customer Data for purposes beyond providing the Service.
  • Sydkic may deidentify or aggregate Customer Content for Service performance.
  • Subprocessors must comply with CCPA or be exempt from its definition of "sale."
  • Sydkic processes Customer Account Data according to its Privacy Policy available at www.sydkic.com/legal/privacy.

2. European Economic Area, Switzerland, and the United Kingdom

For Customers subject to GDPR, FADP, or UK GDPR:

  • Transfers of Personal Data will adhere to the Data Privacy Framework (DPF) principles.
  • Sydkic agrees to provide at least the same level of protection required by the Data Privacy Principles and notify Customers of any changes to its self-certification under the DPF.
  • If the DPF is not applicable, Sydkic will use Standard Contractual Clauses (SCC) for data transfers.
  • For GDPR-regulated Personal Data, SCCs apply as follows:
    • Module Two (Controller to Processor) or Module Three (Processor to Processor) for Customer Content.
    • Module One (Controller to Controller) for Customer Account Data.
  • Specific clauses for EU SCCs:
    • The optional docking clause in Clause 7 does not apply.
    • Option 2 in Clause 9 applies, with notice periods for subprocessor changes as detailed in Section 3.3 of the DPA.
    • The optional complaint lodging in Clause 11 does not apply.
    • Clause 17 (Option 1) is governed by German law.
    • Disputes under Clause 18(b) are resolved in German courts.
    • Annex I, Part A details the List of Parties.
    • Annex I, Part B includes the Description of Transfer (see Annex 1A and 1B of the DPA).
    • Annex I, Part C specifies the Customer's competent supervisory authority.
    • Annex II details technical and organizational measures (from Annex 2 of the DPA).
    • Annex III lists authorized subprocessors at www.sydkic.com/legal/serviceproviders.
  • For FADP, EU SCCs apply with modifications:
    • References to "EU" and related terms are replaced with "Switzerland."
    • Clause 18 allows data subjects to exercise rights in Switzerland.
    • References to authorities are replaced with the Swiss Federal Data Protection and Information Commissioner.
  • For UK GDPR, SCCs are supplemented by the International Data Transfer Addendum (available at https://ico.org.uk/media/for-organisations/documents/4019539/internationaldatatransferaddendum.pdf).