Data Processing Addendum

We take data security very seriously at Shipyard. If you have specific questions about our DPA, reach out to us directly.

Last Updated: 3/25/2024

This Data Processing Addendum (the “Addendum”) is incorporated into and made part of the applicable agreement between Shipyard and Client (the “Agreement”) that references this Addendum. This Addendum describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Client Data. This Addendum will be effective as of the effective date of the Agreement, and will replace any terms previously applicable to the processing and security of Client Data.

Please read this Addendum carefully. Our Addendum includes:

  1. Definitions
  2. Compliance with Applicable Data Privacy and Protection Laws
  3. Processing of Client Data
  4. Authorized Persons
  5. Security Incident Procedures
  6. Customer Responsibilities
  7. Cooperation with Data Subject Requests and Inquiries
  8. Scope of Processing
  9. Limitation of Liability and Indemnification
  10. Application of this Addendum
  11. Dispute Resolution
  12. Changes in Law
  13. Precedence
  14. Appendix 1 - Description of Transfer
  15. Appendix 2 - Technical And Organisational Measures Including Technical And Organisational Measures To Ensure The Security Of The Data

1. DEFINITIONS

The below terms shall have the following definitions in this Addendum. Any capitalized terms used in this Addendum but not defined herein shall have the meaning given in the Agreement.

A. “Adequate Jurisdiction” shall mean a country or jurisdiction that is found by a competent authority in the European Union, United Kingdom or Switzerland, as applicable, to ensure an adequate level of data protection within the meaning of the applicable European Data Privacy and Protection Laws.

B. “Applicable Data Privacy And Protection Laws” means all federal, state, territorial or provincial privacy, data protection and data security laws and regulations, as may be amended from time to time, that are applicable to the data Processed, collected, received, accessed, transmitted, disclosed or stored by Shipyard under the Agreement. “Applicable Data Privacy And Protection Laws” includes European Data Privacy and Protection Laws to the extent applicable to the data Processed, collected, received, accessed, transmitted, disclosed or stored by Shipyard under the Agreement.

C. “Authorized Employees” means Shipyard’s employees who have a need to know or otherwise access Personal Information to enable Shipyard to perform its obligations under the Agreement.

D. “Authorized Persons” means (i) Authorized Employees and (ii) Shipyard’s contractors, Subprocessors, agents, outsourcers and auditors who have a need to know or are otherwise required to access Personal Information in order to enable Shipyard to perform its obligations under the Agreement.

E. “Data Subject” means the identified or identifiable natural person to whom Personal Information relates.

F. “Data Subject Request” means valid exercises of a Data Subject’s rights, such as to obtain, transfer, correct, delete, limit or control the Processing or use of Personal Information, as provided by Applicable Data Privacy And Protection Laws.

G. “Documented Instruction(s)” means any written communication authorized by Client and provided to Shipyard in order to instruct Shipyard regarding (i) Shipyard’s Processing of Personal Information, (ii) Shipyard’s handling of a Data Subject Request or (iii) any notifications or disclosures relating to a Security Incident.

H. “European Data Privacy and Protection Laws” means the EU GDPR, UK Data Privacy and Protection Laws and Swiss FADP.

I. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

J. “UK Data Privacy and Protection Laws” means all laws relating to data protection, the Processing of data about an identifiable individual, privacy and/or electronic communications in force from time to time in the United Kingdom, including the EU GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019, together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom.  

K. “Personal Information” means “personal data,” “personal information,” “personally identifiable information,” “protected health information,” “nonpublic information,” “personal financial information,” or similar such term, each as defined by Applicable Data Privacy And Protection Laws, solely relating to Shipyard’s collection, use, sharing, storage, transmission, and/or disclosure of data pursuant to the Agreement. “Personal Information” shall be limited to that data provided by Client to Shipyard for Processing pursuant to the Agreement.

L. “Processing, Processes, or Process” means obtaining, recording, or holding Personal Information, or carrying out any operation or set of operations on Personal Information including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying Personal Information.

M. “Security Incident” means any confirmed act or omission that compromises the security of a Shipyard system that stores Client Personal Information or the physical or technical safeguards put in place by Shipyard that relate to the protection of Client Personal Information.

N. “Standard Contractual Clauses” or “SCCs” means the contractual clauses applicable to the Processing of Personal Information as required by applicable European Data Privacy and Protection Laws.

O. “Subprocessor” means any other entity engaged by Shipyard to assist Shipyard in Processing Personal Information to provide the Services and Platform to Client.

P. “Swiss FADP” means, as applicable, the Federal Act on Data Protection of 19 June 1992 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 14 June 1993) or the revised Federal Act on Data Protection of 25 September 2020 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 31 August 2022), as applicable.

Q. The terms “Business Purpose,” “Processor,” “Sale,” “Service Provider,” “Share”, “Targeted Advertising”, “Cross-Context Behavioral Advertising”, and “Controller” shall have the same meaning as in Applicable Data Privacy And Protection Laws, and their cognate terms shall be construed accordingly.

2. COMPLIANCE WITH APPLICABLE DATA PRIVACY AND PROTECTION LAWS

A. Shipyard Compliance:  

i. All Personal Information that is provided by Client to Shipyard, or that is otherwise collected or maintained by Shipyard or its Authorized Persons on Client’s behalf, pursuant to the Agreement shall be considered Client’s Personal Information. Client shall have and retain all right, title and interest in the Personal Information and Shipyard shall have no rights with respect thereto, other than as specifically contemplated by the Agreement and this Addendum.

ii. To the extent applicable, Client is disclosing Personal Information to Shipyard only for provision of Services and the Platform, and for Business Purposes. Shipyard agrees that it is Client’s Service Provider and Processor with regards to the Processing of such Personal Information.

iii. Shipyard acknowledges that, to the extent it is Processing Personal Information subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), such Processing is subject to the applicable provisions of the CCPA. Shipyard acknowledges that it is obligated to provide the Data Subject the same level of privacy protection as is required of Client by the CCPA.

iv. To the extent prohibited by Applicable Data Privacy And Protection Laws, Shipyard certifies that it will not:

(a) Sell, Share or use for Targeted Advertising or Cross-Context Behavioral Advertising Client Personal Information;

(b) retain, use, or disclose Client Personal Information for any purpose other than the performance of Services unless permitted by Applicable Data Privacy And Protection Laws;

(c) retain, use, or disclose Client Personal Information outside of the direct business relationship between Shipyard and Client; and

(d) combine Client Personal Information that Shipyard receives from, or collects on behalf of, Client with Personal Information that Shipyard receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject unless Shipyard is acting in both (i) furtherance of a Business Purpose and (ii) in compliance with Applicable Data Privacy And Protection Laws.

v. Shipyard shall notify Client if Shipyard makes a determination that Shipyard can no longer meet its obligations as required by Applicable Data Privacy And Protection Laws with regards to Personal Information and, in the event of such determination, Client shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of the affected Personal Information. The parties agree that Client discontinuing use of the Services and Platform and deletion of all Client Personal Information from the Platform constitutes reasonable and appropriate steps under this sub-Section.

vi. Shipyard shall cooperate with Client with regards to Data Subject Requests as provided in Section 7 of this Addendum.

vii. Client is hereby notified that Shipyard will engage its own service providers and contractors to assist Shipyard in the processing of Client Personal Information as provided in Section 4 of this Addendum.

B. Client Compliance; Representations and Warranties.  

i. Client represents and warrants that all Client Data provided to Shipyard for Processing has been collected and provided to Shipyard for Processing pursuant to the Agreement in compliance with Applicable Data Privacy And Protection Laws.

ii. With regards to Personal Information that Client collects from a source other than Shipyard or an agent of Shipyard, Client shall provide any notices and collect any consents that are required by Applicable Data Privacy And Protection Laws. These notices and consents shall contain all disclosures necessary to comply with Applicable Data Privacy And Protection Laws for the provision of the Personal Information to Shipyard for Processing under the Agreement.

C. Assessments.  Upon request, Shipyard shall make available information that is necessary for Client to fulfil its obligations under Applicable Data Privacy And Protection Laws, including where Client is obligated under Applicable Data Privacy And Protection Laws to conduct a data transfer, data privacy or security impact assessment. The parties agree to cooperate with each other to promptly and effectively handle inquiries, complaints, audits, or claims from any court, governmental officials or supervisory authority(ies).

D. Personal Information of European Residents.  If, in fulfilling obligations under the Agreement, Personal Information must be transferred, directly or via an onward transfer, from the European Union, United Kingdom or Switzerland to any country that the European Commission (or its respective equivalent in the United Kingdom and Switzerland) has not recognized as providing an adequate level of protection for Personal Information under applicable European Data Privacy and Protection Laws, the parties agree to comply with the appropriate Standard Contractual Clauses, as described below:

i. For Personal Information transfers to Shipyard for Processing in a non-Adequate Jurisdiction that are subject to the EU GDPR, the EU Standard Contractual Clauses based on the Commission Implementing Decision (EU) 2021/914 as of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, Module 2 Controller to Processor or Module 3 Processor to Processor, as applicable to the transfer, (the “EU GDPR SCCs”), are deemed incorporated by reference into this Addendum in their entirety and without alteration, except as described in this Section 2(D), and shall apply to such Processing of Personal Information. The official EU GDPR SCCs are available at the following link: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.

ii. With respect to the EU GDPR SCCs, for both Modules 2 and 3, the Parties hereby further agree that:

(a) Clause 7 (Docking Clause) applies.

(b) The following provision under Clause 9(a) applies:

OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 calendar days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(c) The optional clause of Clause 11 shall not apply.

(d) The following provision under Clause 17, as modified below, applies:

“These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland”.

(e) The following provision under Clause 18(b), as modified below, applies:

“The Parties agree that those shall be the courts of the Republic of Ireland”.

(f) Annex I, Part A (List of Parties) shall be, as follows:

I. Data Exporter: Client.

II. Contact details: The email address(es) and address(es) designated by Client in Client’s account with Shipyard.

III. Data Exporter Role: The Data Exporter’s role is set forth in Section 2(A)(ii) of this Addendum. The parties acknowledge and agree that with regard to the processing of Client Personal Information, Client may act either as a Controller or Processor and Shipyard is a Processor. Shipyard will Process Client Personal Information in accordance with Client’s instructions.

IV. Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses, as incorporated and described herein, including their Annexes, as of the effective date of the Agreement.

V. Data Importer: Shipyard, 2845 West 7th Street, Fort Worth, TX 76107, United States.

VI. Contact details: dataprivacy@shipyardapp.com.

VII. The Data Importer’s role is set forth in Section 2(A)(ii) of this Addendum. The parties acknowledge and agree that with regard to the processing of Client Personal Information, Client may act either as a Controller or Processor and Shipyard is a Processor. Shipyard will Process Client Personal Information in accordance with Client’s instructions.

VIII. Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, as incorporated and described herein, including their Annexes, as of the effective date of the Agreement.

(g) Annex I, Part B (Description of Transfer): The description of transfer shall be as described in Appendix 1 to this Addendum.

(h) Annex I, Part C (Competent Supervisory Authority): The competent supervisory authority shall be the Irish Data Protection Commission.

(i) Annex II (Technical And Organisational Measures): The technical and organizational measures shall be as described in Appendix 2 to this Addendum.

(j) Annex III (List of Sub-processors): Approved Subprocessors shall be as identified at https://www.shipyardapp.com/legal/subprocessors, as may be updated from time to time.

iii. For Personal Information transfers to Shipyard for Processing in a non-Adequate Jurisdiction that are subject to UK Data Privacy And Protection Laws, the parties agree that the UK International Data Transfer Addendum To The European Commission’s Standard Contractual Clauses For International Data Transfers (the “UK IDTA”) will apply. The UK IDTA can be found at: https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx. For applicable transfers, the UK IDTA will be deemed entered into (and incorporated into this Addendum by reference) and completed as follows:

(a) Table 1: Parties:

I. The Start Date is the effective date of the Agreement.

II. The parties and contacts are as set forth in Annex I.A of the EU GDPR SCCs as described in this Addendum.

(b) Table 2: Selected SCCs, Modules and Selected Clauses.

I. The version of the EU GDPR SCCs, as modified by Section 2(D)(ii), including the Appendix information, applies.

(c) Table 3: Appendix Information.

I. Annex 1A (List of Parties): The parties are as set forth in Annex I.A of the EU GDPR SCCs as described in this Addendum.

II. Annex 1B (Description of Transfer): The Description of the Transfer is as set forth in Annex I.B of the EU GDPR SCCs as described in this Addendum.

III. Annex II (Technical and organisational measures): The technical and organizational measures are as set forth in Annex II of the EU GDPR SCCs, as described in this Addendum.

IV. Annex III (List of Sub-processors): Subprocessors are as set forth in Annex III of the EU GDPR SCCs, as described in this Addendum.

(d) Table 4: Ending this Addendum when the Approved Addendum Changes:

I. Either the Data Exporter or Importer may end this IDTA as set out in Section 19 of the IDTA.

(e) Mandatory Clauses

I. The parties agree that the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses shall be incorporated by reference herein, without alteration.

iv. For Personal Information transfers to Shipyard for Processing in a non-Adequate Jurisdiction that are subject to Swiss FADP, the EU GDPR SCCs, as modified by Section 2(D)(ii) and as further modified by this Section 2(D)(iv), shall apply to such Processing:

(a) The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU GDPR SCCs shall be interpreted to include the Swiss FADP.

(b) Insofar as the Personal Information transfer is only subject to the Swiss FADP, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland is the exclusive supervisory authority.  Insofar as the transfer of Personal Information is governed by both the EU GDPR and the Swiss FADP, the competent supervisory authority with parallel supervision (in accordance with Annex I.C of the EU GDPR SCCs) is the FDPIC and insofar as the transfer is governed by the EU GDPR, the criteria of Clause 13(a) for the selection of the competent authority must be observed.

(c) Clause 17: The EU GDPR SCCs shall be governed by Swiss law, if the transfer is subject solely to Swiss FADP, or, in other cases, the law of the Republic of Ireland.

(d) Clause 18(b): Any dispute arising from the EU GDPR SCCs shall be resolved by the courts of Switzerland, if the transfer is subject solely to Swiss FADP, or courts of the Republic of Ireland in other cases.

(e) Clause 18(c): The term “Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU GDPR SCCs.

3. PROCESSING OF CLIENT DATA

A. Protection of Personal Information.  Shipyard will implement and maintain technical, organizational, and physical measures to protect Client Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2.

B. Enhancement Of Services.  In order to facilitate the provision of Services, Shipyard and its Authorized Persons may use Client Data to improve the Services being provided to Client or the Platform, including by applying technologies and by developing and enhancing the efficiencies and means by which Shipyard provides the Services to Client, so long as such use is in furtherance of a Business Purpose, if applicable.

C. Return and Deletion of Client Data.  Shipyard will enable Client to delete or download Client Data during the Effective Term in a manner consistent with the functionality of the Services and Platform. Client is solely responsible for maintaining any backups or archives of Client Data. Shipyard will not retain any Client Data following Client’s deletion of Client Data from the Platform or Services.

D. Locations of Processing.  Shipyard will Process Client Data in the United States or in any country where Shipyard or its Subprocessors maintain Processing locations.

4. AUTHORIZED PERSONS

A. Subprocessors.  Client acknowledges that Shipyard may engage the Subprocessors listed here: https://www.shipyardapp.com/legal/subprocessors, as may be amended from time to time. If Shipyard engages any new Subprocessor during the Term, Shipyard will, at least 10 days before the new Subprocessor starts Processing any Client Data, notify Client of the engagement through the Platform. Customer may object by immediately terminating the Agreement for convenience pursuant to the applicable provisions of the Agreement.

B. Authorized Employees.  During the term of each Authorized Employee’s employment by Shipyard, Shipyard shall at all times cause Authorized Employees to abide strictly by Shipyard’s obligations under this Addendum and Shipyard’s standard policies and procedures.

5. SECURITY INCIDENT PROCEDURES

A. Notification.  Shipyard shall notify Client of a Security Incident without undue delay following Shipyard’s confirmation that a Security Incident has occurred.

B. Investigation.  Shipyard shall use industry standard efforts to remedy any Security Incident and shall act in compliance with Applicable Data Privacy And Protection Laws. Promptly following Shipyard’s notification to Client of a Security Incident, the Parties shall coordinate with each other to remediate the Security Incident. Shipyard agrees to reasonably cooperate with Client in Client’s handling of the matter and make available to Client sufficient materials for Client to comply with Applicable Data Privacy And Protection Laws. This provision shall not be construed as expanding Client’s audit rights under the Agreement or this Addendum. Notwithstanding the foregoing, Shipyard shall have no obligation to disclose or make available any confidential or proprietary information of Shipyard which is not directly related to the Security Incident performed under the Agreement or which constitutes the confidential information of any third parties and shall have the right to redact or provide summary level reports to protect the confidentiality and security of other customers and third parties.

C. Remediation.  Shipyard shall provide assistance with any obligation of Client under Applicable Data Privacy and Protection Laws, as reasonably requested, to make notifications to the affected Data Subjects, regulatory authorities, or the public, regarding the Security Incident. Shipyard shall not make any statement or notification to any Data Subjects who are the subject of the affected Personal Information or any supervisory authority regarding the Security Incident, to the extent such notifications would mention Client, without the prior written approval of Client. Nothing in this Section shall be construed to prevent Shipyard from making notifications and disclosures (i) to an Authorized Person who is necessary for the mitigation, investigation or remediation of a Security Incident, (ii) as required by an applicable contract with such third-party (including Shipyard’s insurer or other customers), or (iii) as required by Applicable Data Privacy and Protection Laws, provided that Shipyard shall not disclose the identity of Client or that Client Personal Information has been affected by the Security Incident unless required by Applicable Data Privacy and Protection Laws. Shipyard shall have no liability or responsibility arising from Shipyard’s compliance with Client’s Documented Instructions, including with regards to notifying impacted Data Subjects, supervisory authorities or Client’s end users or customers of a Security Incident.

6. CUSTOMER RESPONSIBILITIES

A. Client Direction.  Client agrees that Shipyard and its Authorized Persons will be acting at the direction of and on behalf of Client with regards to the Processing of Personal Information to provide the Services pursuant to the Agreement.

B. Client Responsibility for Data.  Client acknowledges that Shipyard provides the Services and Platform for Client’s use and that Shipyard has no ability or obligation to evaluate data supplied to the Services or Platform by Client. Shipyard does not have the responsibility to verify, inquire, or investigate as to whether Client has the right to utilize the Client Data provided to Shipyard under the Agreement. Client agrees that it has the responsibility for the accuracy, quality, completeness, and appropriateness of Client Data that Client, or any third party acting on behalf of Client, provides to Shipyard.

7. COOPERATION WITH DATA SUBJECT REQUESTS AND INQUIRIES

A. Data Subject Requests.  During the Effective Term, Shipyard will enable Client, in a manner consistent with the functionality of the Services and Platform, to comply with Data Subject Requests with respect to Client Personal Information within the Services or Platform. If Client becomes aware that any Client Personal Information is inaccurate or outdated, Client will be responsible for using such functionality to rectify or delete that data if required by Applicable Data Privacy and Protection Laws.

B. Direct Receipt by Shipyard.  During the Effective Term, if Shipyard receives a Data Subject Request from a Data Subject that Shipyard knows is related to Client Personal Information and is able to identify Client, Shipyard will:

i. advise the Data Subject to submit their request to Client;

ii. promptly notify Client; and

iii. not otherwise respond to the Data Subject request without written authorization from Client unless required by Applicable Data Privacy And Protection Laws.

Client will be responsible for responding to any Data Subject Request including, where necessary, by using the functionality of the Services and Platform.

8. SCOPE OF PROCESSING

A. No Shipyard Assessment.  Shipyard has no obligation to assess Client Data in order to identify information subject to any specific legal requirements.

B. Details of Processing.  Processing by Shipyard pursuant to the Agreement is determined solely by Client’s use of the Services and Platform. The nature and purpose of the Processing, the type of data subject to Processing, and the duration of the Processing are as described in Appendix 1.

C. Compliance with Laws.  Client shall have the sole responsibility to determine the laws applicable to Client Data and Client’s use of the Platform and Services. It is solely Client’s responsibility to ensure that Client’s use of the Platform and Services complies with any particular law to which Client is subject. Other than as specifically enumerated herein or in the Agreement, Shipyard makes no representation or warranty that Shipyard, the Platform or Services comply with any law or is suitable for any particular purpose.

9. LIMITATION OF LIABILITY AND INDEMNIFICATION

A. Indemnification.  Except as modified by this Section 9, the indemnification obligations of Client shall be those set out in the Agreement. However, notwithstanding anything in the Agreement, Shipyard shall have no obligation to defend, hold harmless and indemnify Client against losses, liabilities, claims, or causes of action relating to or arising from acts or omissions by Shipyard that were undertaken at the express direction of Client.

B. Limit of liability.  Nothing in this Addendum shall be construed to extend Shipyard’s liability under the Agreement beyond the liability contemplated by the Agreement’s Liability Cap section.

C. Defense and Indemnity of Shipyard.  Client shall defend, hold harmless and indemnify Shipyard against any and all claims and/or regulatory actions relating to, arising from, or based on breaches of Client’s obligations in this Addendum or allegations of:

i. defects in Personal Information collection and attendant disclosures or consents by Client, including Client exceeding the scope of consent or disclosure;

ii. provision of Personal Information to Shipyard for Processing pursuant to the terms and disclosures of the Agreement and this Addendum in violation of any law or regulation, including Applicable Data Privacy and Protection Laws;

iii. acts or omissions by Shipyard that were undertaken at the express direction of Client, including defects in Client’s Documented Instructions;

iv. failures of Client to provide opt-out or Data Subject Request features required by Applicable Data Privacy and Protection Laws;

v. decisions by Client to not inform a regulator or Data Subject of a Security Incident or breach of Personal Information; or

vi. decisions by Client relating to Shipyard’s or Client’s response or handling of a Data Subject Request.

10. APPLICATION OF THIS ADDENDUM

All other terms and conditions of the Agreement shall remain in full force and effect. Regardless of whether the Agreement has terminated or expired, this Addendum will remain in effect until, and automatically expire when, all Client Data has been deleted from the Platform and the Services. However, Section 9 shall survive the termination or expiration of the Agreement or this Addendum.

11. DISPUTE RESOLUTION

Unless prohibited by Applicable Data Privacy And Protection Laws, the Parties agree that any disputes under this Addendum will be governed by the dispute resolution provision of the Agreement.

12. CHANGES IN LAW

Shipyard may update this Addendum from time to time to reflect changes made to either Party’s obligations under Applicable Data Privacy And Protection Laws. The Parties acknowledge that substantial changes to a Party’s obligations may result in changes in fees for the Services or alteration in the manner and means by which Shipyard performs the Services or provides the Platform.

13. PRECEDENCE

To the extent there is a conflict between this Addendum, the Standard Contractual Clauses or the Agreement, the terms and conditions set forth in the Standard Contractual Clauses shall govern and control to the extent of the conflict, followed by this Addendum and then the Agreement.

APPENDIX 1 - DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data subjects include the individuals about whom data is provided to Shipyard via the Services by (or at the direction of) Client or by its Authorized End Users.

Categories of personal data transferred

Data relating to individuals provided to Shipyard via the Services, by (or at the direction of) Client or by its Authorized End Users.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Data relating to individuals provided to Shipyard via the Services, by (or at the direction of) Client or by its Authorized End Users.

The restrictions and safeguards specified in Appendix 2 apply to these categories of Personal Information (if any).

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The Client Personal Information is transferred on a continuous basis.

Nature of the processing

Shipyard will process Client Personal Information for the purposes of providing the Services and to Client in accordance with the Agreement

Purpose(s) of the data transfer and further processing

Shipyard will process Client Personal Information for the purposes of providing, securing and monitoring the Platform and the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Effective Term of the Agreement plus the period until deletion of all Client Personal Information in accordance with this Addendum.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As above.

[#appendix-2]APPENDIX 2 - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA[#appendix-2]

As from the effective date of this Addendum, Shipyard will implement and maintain the below security measures:

1. Physical Security Controls

To implement appropriate physical security controls within its premises to prevent unauthorized persons from gaining access to data and systems, Shipyard has implemented the following measures:

  • Identification card for all members of staff
  • Manned reception area in all buildings
  • Visitor access procedure
  • Locked entry gates at all external doors
  • Data center access limited to authorized personnel
  • Entry security systems 24x7 (e.g., smart card reader, code locks)
  • Intrusion detection alarm
  • Clean-desk policy
  • Locks for filing cabinets containing sensitive data
  • Monitoring devices (e.g., camera)

2. Access Control

To prevent unauthorized access to data processing systems, Shipyard has implemented the following measures for electronic access control:

  • Access control system (user ID and strong passwords)
  • Screen locks that activate after a period of inactivity
  • Encryption of data on personal computers, portable devices, or removable media
  • Encryption of data transmitted via unsecure networks
  • Firewalls
  • URL filtering
  • Penetration testing
  • Automated vulnerability scans
  • Documented security incident response plan

3. Authorization Process

To ensure that authorized members of staff have access only to the data which they require in the course of their work duties and to which they have a right of access, and to prevent any unauthorized access outside of the granted permissions, Shipyard has implemented the following measures:

  • Documented request process for the introduction of new hardware and software
  • Documented authorization process to grant only the minimum access required for each member of staff to perform his/her work duties
  • Regular controls of authorizations granted and change process to reflect termination of employment, contract, agreement, or change of roles
  • Privileged access limited to essential administration personnel
  • Authentication process (user ID and strong passwords)
  • Audit logs for servers, applications and network devices
  • Secured interfaces
  • Disk management
  • Encryption of data on personal computers, portable devices, or removable media
  • Encryption of data transmitted via unsecure networks

4. Transmission Control

To ensure that Personal Information is protected against any unauthorized reading, modification, copying, or removal during electronic transmission or transport, Shipyard has implemented the following measures during transport, transfer, and transmission or storage on data carriers:

  • Encryption of data transmitted via unsecure networks
  • Encryption of storage media in transport
  • Personal firewalls
  • Electronic signatures
  • Fax protocols

5. Input Control

To ensure that it is possible to verify what Personal Information is entered into processing systems, modified, or removed, at what time, and by whom, Shipyard has implemented the following to allow for retrospective review of whether and by whom Personal Information is entered, modified, or removed:

  • Access logs and analysis
  • Authentication process (user ID and strong passwords)
  • Documented data retention schedule
  • Documented incident response plan

6. External Parties

To ensure that in the case of subcontracting personal information will be processed only in accordance with the instructions of Client or the upstream data controller, Shipyard has implemented the following measures:

  • Formal risk assessment prior to sub-contracting
  • Written contractual arrangements/instructions with all sub-contractors
  • Access controls to restrict access to what is required to perform the specific services
  • On-site inspection and spot-checks

7. Availability Control

To take measures to protect Personal Information against accidental loss or destruction, Shipyard has implemented the following measures for availability control:

  • Daily automated back-up
  • Redundant power feeds
  • Temperature and humidity controls and monitoring
  • Encryption of data transmitted via unsecure networks
  • Antivirus/firewall
  • Business continuity plan

8. Data Segregation

Measures taken by Shipyard for separation control are:

  • Client Personal Information and systems are logically separated from other internal systems
  • Personal Information relating to different customers is logically separated and secured from each other by firewalls
  • Separation of production and test systems
  • Defined roles and responsibilities including appropriate segregation of duties amongst members of staff