We value the trust you place in us to handle personal data responsibly. This Data Processing Addendum ("DPA") explains how we process personal data when providing VSCO Workspace ("Workspace"). This DPA supplements and is incorporated into the VSCO Workspace Agreement (the "Agreement"). By outlining our shared responsibilities regarding personal data, this DPA is intended to provide you with confidence and clarity about how VSCO manages personal data. In the event of a conflict between this DPA and the Agreement regarding our processing of personal data, this DPA will apply.
1. Definitions
- The "Cessation Date" means the date of termination of the Agreement or Customer's access to VSCO Workspace.
- "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020).
- "Controller" means the entity that determines the purposes or means of Processing Personal Data.
- "Consumer," "Business," "Business Purpose," "Commercial Purpose," "Sell," "Service Provider," and "Share" have the meanings given to them in the CCPA.
- "Customer Personal Data" means Personal Data contained within Customer Data that VSCO Processes as a Processor on behalf of Customer.
- "Data Protection Laws" means the privacy, data protection, and data security laws applicable to the Processing of Customer Personal Data pursuant to VSCO's provision of Workspace to Customer that are applicable to VSCO.
- "Data Subject" means the identifiable natural person connected to the Customer Personal Data.
- "EEA" means European Economic Area.
- "FADP" means the Swiss Federal Act on Data Protection.
- "GDPR" means the General Data Protection Regulation.
- "Personal Data" has the meaning assigned to the terms "Personal Data" or "Personal Information" under applicable Data Protection Laws.
- "Security Incident" means a contravention of VSCO's security leading to the actual and confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- "Process" means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Processor" means the party that Processes Personal Data on behalf of the Controller.
- "Restricted Data" means any sensitive data, including, without limitation (i) Social Security numbers or other government-issued identification numbers; (ii) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (iii) health insurance information; (iv) biometric information; (v) passwords to any online accounts; (vi) credentials to any financial accounts; (vii) tax return data; (viii) any payment card information subject to the Payment Card Industry Data Security Standard; (ix) Personal Data of children under 13 years of age; or (x) any other information that falls within any special categories of Personal Data (as defined in GDPR) and/or data relating to criminal convictions and offenses or related security measures.
- "Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the FADP applies, a transfer of Personal Data from Switzerland to any other country which has not been determined to have legislation that guarantees an adequate level of data protection; and (iii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
- "SCCs" means the standard contractual clauses approved by the European Commission, as may be amended, superseded, or replaced from time to time.
- "Subprocessor" means a third party appointed by VSCO to Process Customer Personal Data.
- "Technical and Organizational Measures" means technical and organizational measures to protect the Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Customer Personal Data.
- "UK Addendum" means the United Kingdom's International Data Transfer Addendum issued by the Information Commissioner's Office of the UK Protection Act, as may be amended, superseded, or replaced from time to time.
- "UK GDPR" means the United Kingdom's General Data Protection Regulation.
2. Data Use and Processing
- Processor and Service Provider. In the context of VSCO's processing of Customer Personal Data in the course of VSCO providing Workspace to Customer, VSCO will act as a Processor or Service Provider.
- Controller. In the context of VSCO's processing of Customer Personal Data in the course of VSCO providing Workspace to Customer, Customer will act as Controller.
3. Processing Instructions
Customer instructs VSCO to Process Customer Personal Data only as necessary to provide Workspace to Customer. VSCO may not process Customer Personal Data for any other purpose, except as required by law. The details of VSCO's Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 and Annex 2 to this DPA.
4. Restricted Data
Customer agrees to not input any Restricted Data into VSCO Workspace or otherwise directly provide any Restricted Data into VSCO Workspace.
5. CCPA Requirements
To the extent the CCPA applies to VSCO's Processing of Customer Personal Data, the parties agree that VSCO is a "Service Provider" as defined under CCPA. The Business Purpose and services for which VSCO is Processing Customer Personal Data are VSCO's provision of Workspace to Customer and as otherwise provided for in the Agreement. VSCO acknowledges that Customer Personal Data is disclosed by Customer only for the limited and specific purposes described in the Agreement. Customer may take reasonable and appropriate steps to help ensure that VSCO Processes Customer Personal Data in a manner consistent with Customer's CCPA obligations. Additionally, Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data. Additionally, VSCO agrees to:
- Comply with its obligations under the CCPA;
- Provide the same level of protection to Customer Personal Data as required under the CCPA;
- Notify Customer if it can no longer meet its obligations under the CCPA;
- Not "Sell" or "Share" Customer Personal Data;
- Not retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose specified under this DPA or as otherwise permitted by the CCPA;
- Not retain, use, or disclose the Customer Personal Data for a Commercial Purpose other than the Business Purpose specified above, or as otherwise permitted by CCPA;
- Not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and VSCO; and
- Not combine Customer Personal Data with Personal Data that VSCO (i) receives from, or on behalf of, another person or (ii) collects from its own, independent consumer interaction, except, in either case, as permitted under the CCPA.
6. Subprocessing
- Authorization to Use Subprocessors. Customer provides general authorization to VSCO to engage Subprocessors to Process Customer Personal Data. VSCO remains fully liable for any breach of this DPA caused by an act or omission of a Subprocessor and will enter into written agreements with Subprocessors that impose data protection requirements for Customer Personal Data that are consistent with this DPA. Customer acknowledges that VSCO may be restricted from disclosing Subprocessor agreements to Customer due to confidentiality obligations. Where VSCO cannot disclose a Subprocessor agreement to Customer, VSCO agrees to provide all information (on a confidential basis) it reasonably can in connection with such agreement.
- Current Subprocessors. VSCO's current Subprocessors are listed here. Customer consents to VSCO's use of its current Subprocessors.
- New Subprocessors. Prior to utilizing any new Subprocessors that Process Customer Personal Data, VSCO will notify Customer of these changes by posting its proposed new Subprocessors on this page. It is Customer's responsibility to check this page for updates to VSCO's Subprocessors. Alternatively, Customer may choose to subscribe to receive email notifications of new Subprocessors using the form available here. Customer may, within 10 calendar days of receiving the notification, reasonably object to VSCO's proposed use of a new Subprocessor based on the Subprocessor's ability to comply with this DPA by emailing privacy@vsco.co and detailing Customer's objection that is reasonably related to privacy and cybersecurity. If VSCO, in its sole discretion, requires use of the Subprocessor and is unable to satisfy Customer's objection, then Customer, as Customer's sole and exclusive remedy, may terminate its Workspace Account.
7. International Transfers
- EEA Transfers. To the extent that the transfer of Customer Personal Data from Customer to VSCO involves a Restricted Transfer of Customer Personal Data originating from the EEA, the SCCs are incorporated by reference (subject to the provisions below regarding UK and Swiss transfers) and form an integral part of this Addendum, with Customer as the Data Exporter and VSCO as the Data Importer.
- SCC Modules and Options. For the purposes of the SCCs incorporated into this DPA:
  - The module 2 (controller to processor) terms apply and the terms of modules 1, 3, and 4 are deleted in their entirety;
  - The optional "Docking Clause" in Clause 7 is not used;
  - In Clause 9, Option 2 applies and Option 1 is not used and that optional language is deleted;
  - In Clause 11, the optional language is deleted;
  - In Clause 13, all square brackets are removed and all text in those brackets is retained;
  - In Clause 17, Option 1 applies and the SCCs are to be governed by Irish law and Option 2 is not used and that optional language is deleted;
  - In Clause 18(b), disputes arising out of the SCCs related to a Restricted Transfer will be resolved before the courts of Ireland;
  - The Annexes of the SCCs will be populated with the information set out in the Annexes to this DPA; and
  - If and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs control to the extent of such conflict.
- UK Transfers. To the extent that the transfer of Personal Data from Customer to VSCO involves a Restricted Transfer of Customer Personal Data originating from the United Kingdom, the SCCs apply with the following modifications:
  - The SCCs are amended as specified by the UK Addendum, which is incorporated by reference;
  - Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed using the information contained in the Annexes of this DPA;
  - Table 4 in Part 1 of the UK Addendum is to be deemed completed by selecting "importer"; and
  - Any conflict between the SCCs and the UK Addendum is to be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
- Swiss Transfers. To the extent that the transfer of Personal Data from Customer to VSCO involves a Restricted Transfer of Customer Personal Data originating from Switzerland, the SCCs apply with the following modifications:
  - References to "Regulation (EU) 2016/679" are to be interpreted as references to the Swiss DPA;
  - References to "EU," "Union," and "Member State" are replaced with "Switzerland";
  - References to the "competent supervisory authority" and "competent courts" are to be interpreted as references to the "Swiss Federal Data Protection and Information Commissioner" and the "competent Swiss courts"; and
  - The SCCs are to be governed by the laws of Switzerland and disputes arising out of the SCCs related to a Restricted Transfer are to be resolved before the competent Swiss courts.
8. Confidentiality of Processing
VSCO agrees to use commercially reasonable efforts to ensure that any person that VSCO authorizes to process Customer Personal Data is subject to a contractual or statutory duty of confidentiality.
9. Security
VSCO shall implement Technical and Organizational Measures as described in the annex below. Customer acknowledges that VSCO may update or modify the Technical and Organizational Measures from time to time without notice or consent from Customer, provided that such updates or modifications do not materially decrease the overall security of Customer Personal Data.
10. Data Subject Rights
VSCO agrees to provide reasonable assistance, at Customer's cost, to Customer to enable Customer to respond to any request from a Data Subject to exercise the Data Subject's rights under Data Protection Laws.
11. Data Protection Impact Assessments
When required by Data Protection Laws, VSCO agrees to provide Customer with reasonable and timely assistance required by Customer in order to comply with Customer's obligations under Data Protection Laws to conduct data protection impact assessments.
12. Security Incidents
Upon becoming aware of a Security Incident, VSCO agrees to inform Customer of the Security Incident within the timeframe required by Data Protection Laws. When possible and not in conflict with VSCO's confidentiality obligations, VSCO agrees to provide all such information and cooperation as Customer may reasonably require in order for Customer to fulfil its data breach reporting obligations under Data Protection Laws. VSCO's notification of or response to a Security Incident will not be construed as an acknowledgement by VSCO of any fault or liability with respect to the Security Incident.
13. Deletion and Return of Customer Personal Data
To the extent technically possible (as determined by VSCO in its sole discretion), and upon the Cessation Date, VSCO agrees to delete or return to Customer all Customer Personal Data in its possession or control, provided that Customer requests this deletion or return in writing within 10 calendar days of the Cessation Date. This requirement will not apply to the extent that VSCO is required or permitted by law to retain any of the Customer Personal Data. Additionally, VSCO may continue to retain the Customer Personal Data in aggregated, de-identified, or anonymized form.
14. Audits
Customer shall have the right to verify VSCO's processing of Customer Personal Data strictly as set forth in this section and solely as necessary to ensure compliance with Data Protection Laws. Customer's audit rights under this DPA are expressly limited to written inquiries. Upon written request and no more than once annually, VSCO agrees to provide Customer with written responses to reasonable and relevant questions regarding VSCO's Processing activities and data protection measures. Customer acknowledges and agrees that this audit provision does not grant any right to conduct physical inspections or on-site audits of VSCO's premises, systems, or personnel. Customer agrees to treat all documentation and information received in connection with any audit as strictly confidential and use it solely for the purpose of meeting its data protection obligations with respect to Customer Personal Data. Unless otherwise required by Data Protection Laws, Customer agrees to be responsible for all costs in relation to audits performed under this section.
Annex 1: Parties
Suite 92958, San Francisco, California 94104-5401
Annex 2: Processing Details
- Personal Data related to the Data Subject, such as name, address, phone number, login credentials, photos, videos, or other information.
- Business records such as quotes, calendar appointments, contracts, invoices, purchase history, payment history, locations of transactions or services provided, or other information.
- Messages, such as SMS text messages, emails, or other communications sent through the Services.
(1) as necessary to provide our Services as initiated by Customer in its use thereof,
(2) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA, and
(3) to test, improve, develop, optimize, and maintain our Services.
Annex 3: Competent Supervisory Authority
The competent supervisory authority will be the supervisory authority of the EEA Member State in which Customer is established.
If Customer is not established in the EEA, then the competent supervisory authority will be the supervisory authority of the EEA Member State in which Customer's representative under Article 27 of the GDPR is established.
If Customer is not established in an EEA Member State and has not appointed a representative under Article 27 of the GDPR, then the competent supervisory authority will be the Member State in which Data Subjects are predominantly located.
Annex 4: Technical and Organizational Measures
VSCO will maintain the following measures to protect Customer Personal Data.
- Data security controls which may include segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available encryption for Customer Personal Data.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
- Password controls.
- System audit or event logging.
- Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to VSCO's technology and information assets.
- Incident management procedures designed to allow VSCO to investigate, respond to, mitigate, and notify of events related to VSCO's technology and information assets.