Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between the Customer (“Controller”) and Clockwork Platform, Inc. (doing business as HiTide) (“Processor”) (collectively, the “Parties”).

This DPA reflects the Parties’ agreement with regard to the processing of Personal Data under the Agreement in compliance with applicable data protection laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”).

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing,” “Controller,” “Processor,” and “Data Subject” shall have the meanings given under GDPR.
  • “Sub-processor” means any third party engaged by Processor to process Personal Data.

2. Scope and Roles

  • Processor will process Personal Data only on behalf of and in accordance with Controller’s documented instructions.
  • Controller determines the purposes and means of Processing Personal Data.

3. Processor Obligations

  1. Process Personal Data only as instructed by Controller and only for the purposes set out in the Agreement and this DPA.
  2. Ensure that persons authorized to process the Personal Data are subject to appropriate confidentiality obligations.
  3. Implement appropriate technical and organizational security measures to protect Personal Data.
  4. Assist Controller, insofar as possible, to fulfill Controller’s obligations under GDPR regarding data subject rights, data breaches, and data protection impact assessments.
  5. Engage Sub-processors only with appropriate protections and provide Controller with notice of any changes.
  6. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services.
  7. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Sub-Processors

Processor may engage Sub-processors to process Personal Data. Processor will ensure that Sub-processors are subject to data protection obligations equivalent to those set out in this DPA. Processor will provide Controller with notice of any intended changes concerning the addition or replacement of Sub-processors, giving Controller the opportunity to object on reasonable grounds.

5. International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), Processor shall ensure such transfers are made in compliance with GDPR requirements, including by executing Standard Contractual Clauses if necessary.

6. Data Breach Notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s Personal Data. Such notification will describe the nature of the breach, the likely consequences, and the measures taken to address it.

7. Miscellaneous

Except as amended by this DPA, the Agreement remains in full force and effect. In the event of any conflict between this DPA and the Agreement, the terms of this DPA will prevail with regard to data protection matters.

Annex 1: Details of Processing

1. Subject Matter and Duration of Processing

HiTide will process Personal Data on behalf of the Customer as necessary to provide the services described in the Agreement between the parties. Processing will continue for the duration of the Agreement, unless otherwise agreed in writing.

2. Nature and Purpose of Processing

HiTide will process Personal Data as necessary to provide direct messaging automation services, social messaging integration, analytics, customer support, and related technical and business services to Customer.

3. Categories of Data Subjects

  • End users/customers of Customer (e.g., social media followers, message senders)
  • Customer’s employees, contractors, or agents (if applicable)
  • Other individuals interacting with Customer’s messaging channels

4. Categories of Personal Data

  • Contact Information (e.g., name, email address, phone number, social media handle)
  • Communication Content (e.g., message texts, user responses)
  • Metadata (e.g., timestamps, message status)
  • Device or Usage Information (if collected, such as IP address or browser type)

Special Categories of Data

HiTide does not intentionally collect or process special categories of personal data. Customer agrees not to transmit such data through the services.

5. Instructions for Data Processing

HiTide will process Personal Data only in accordance with the Customer's documented instructions, as set forth in the Agreement and this DPA.

6. Duration of Processing and Retention

Upon termination or expiration of the Agreement, HiTide will delete or return Personal Data to Customer, unless otherwise required by applicable law to retain it.