DATA PROCESSING ADDENDUM
1. Scope and order of precedence
This Data Processing Addendum, including its appendices (this “DPA”), is hereby incorporated into and made a part of the Developer Guidelines (for the purpose of this DPA, the “Agreement”) and will apply to Picsart’s Processing of Company Personal Data (as defined below)—but, only to the extent that Data Protection Laws (as defined below) apply to the Processing of Company Personal Data. If there is any conflict between this DPA and the Agreement, this DPA shall control to the extent of such conflict. This DPA will be effective until such time as Picsart is no longer Processing Company Personal Data. Capitalized terms not defined herein shall have the meanings set forth elsewhere in the Agreement.
2. Definitions
In this DPA, the following capitalized bold terms will have the following meanings:
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Sell”, and “Share” each have the meaning set forth in the applicable Data Protection Laws.
“CCPA” means the California Consumer Privacy Act of 2018, as amended and superseded from time to time, including by the California Privacy Rights Act of 2020, and the regulations promulgated thereunder.
“Company” means you (as also set forth in the Agreement). For the avoidance of doubt, if you are agreeing to this DPA on behalf of a business or entity, then Company also includes that business or entity.
“Company Personal Data” means Personal Data provided to Picsart by Company for Processing by Picsart in connection with the Services.
“Contracted Business Purposes” means the business purposes for which Picsart is processing Personal Data, as further described in Appendix 3 to this DPA.
“Data Protection Laws” means all applicable regional, national and international laws, orders, regulations and regulatory guidance now or in the future relating to information security, privacy and data protection, including without limitation, the CCPA, US Privacy Laws, GDPR and laws in the EU or UK implementing or supplementing the GDPR.
“GDPR” means European Union (“EU”) General Data Protection Regulation 2016/679.
“Model Clauses” means together, the UK and EU Model Clauses (as defined in Section 7, below).
“Picsart” means PicsArt, Inc.
“Picsart Affiliates” mean the subsidiaries of Picsart that may assist in the provision of Services.
“Services” means the services to be provided by Picsart for the benefit of Company, as specified in the Agreement.
“Third Party Sub-processor” means a third party subcontractor, other than a Picsart Affiliate, engaged by Picsart which, as part of the subcontractor’s role of providing Services, will Process Company Personal Data.
“US Privacy Laws” means any applicable state privacy laws, excluding CCPA, that are in effect or go into effect in the United States (“US”) during the term.
3. Categories of Personal Data & Data Subjects
In order to perform the Services, Company hereby authorizes and requests that Picsart Process the categories of Company Personal Data that are set out in Annex 1 of Appendix 1 (attached hereto).
In order to perform the Services, Company hereby authorizes and requests that Picsart Process the categories of Data Subjects that are set out in Annex 1 of Appendix 1 (attached hereto).
4. Company’s Instructions; Data Protection Impact Assessments
Company may provide instructions in writing to Picsart in addition to those specified in the Agreement with regard to Processing of Company Personal Data. Picsart will comply with all such instructions without additional charge to the extent necessary for Picsart to comply with its obligations to Company in the Agreement. The parties will negotiate in good faith with respect to any change in the Services and/or fees resulting from any additional instructions.
In addition, taking into account the nature of the Processing and the information available to Picsart, Picsart will assist Company in meeting its obligations to carry out data protection impact assessments (“DPIA”s) when required by Data Protection Laws.
5. Roles and Restrictions on Processing of Company Personal Data
5.1 Company Representations and Warranties. Company acknowledges, represents and warrants that it will at all times (i) remain the Controller of Company Personal Data pursuant to Data Protection Laws; (ii) determine the purposes and means of its Processing of Company Personal Data; and (iii) comply with the obligations applicable to it pursuant to Data Protection Laws regarding the Processing of Company Personal Data, including, without limitation, establishing a legal basis for Processing of Company Personal Data and with respect to the transfer and provision of Company Personal Data to Picsart for Processing hereunder, providing all necessary notices and disclosures to End Users, and acquiring the necessary End User consents.
5.2 Picsart Permitted Uses of Personal Data. Picsart is a Processor with respect to its Processing of Company Personal Data hereunder. Picsart may Process Company Personal Data for purposes set forth in the Agreement, including without limitation, monitoring usage and performance of the Services, updating and improving the Services, and conducting other Service Analyses. “Service Analyses” means (i) compiling statistical and other information related to the performance, operation, and use of the Services, and (ii) using data from the Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes. For clarity, Service Analyses will not intentionally incorporate Company Personal Data in a form that could identify or serve to identify Company or any Data Subject. Picsart retains all intellectual property rights in and to such Service Analyses, and Picsart may make Service Analyses publicly available.
5.3 CCPA and US Privacy Laws. Notwithstanding the permitted uses set forth in Section 5.2, for purposes of CCPA and US Privacy Laws, the following shall apply with regard to Personal Data collected from data subjects in California and states with applicable US Privacy Laws. Capitalized terms not defined herein shall have the meanings set forth in the CCPA and/or applicable US Privacy Laws:
(i) Picsart shall not Sell or Share the Personal Data;
(ii) Picsart shall only Collect, use, retain, disclose or otherwise Process Personal Information for the Contracted Business Purposes;
(iii) Picsart shall not Collect, use, retain, disclose, or otherwise Process Personal Information (a) outside the direct business relationship between Picsart and Company, or (b) for any purpose, including for any commercial purpose, other than the Contracted Business Purposes or a Business Purpose expressly permitted by the CCPA or applicable US Privacy Laws. If Picsart believes it is permitted under the CCPA or US Privacy Laws to Collect, retain, use, disclose or otherwise Process Personal Information for a Business Purpose not specifically identified as a Contracted Business Purpose, Picsart will notify Company before Collecting, retaining, using, disclosing or Processing Personal Information for such Business Purpose. If a law requires Picsart to disclose personal information for a purpose other than a Contracted Business Purpose, Picsart must first inform the Company of the legal requirement and give the Company an opportunity to object or challenge the requirement, unless the law prohibits such notice;
(iv) Picsart shall limit its Collection, use, retention, disclosure and Processing of the Personal Information to those activities reasonably necessary and proportionate to achieve the Contracted Business Purposes;
(v) Unless expressly permitted by the Agreement and applicable privacy laws, including but not limited to, CCPA or US Privacy Laws, Picsart shall not combine or update Personal Information that it Collects pursuant to this Addendum with Personal Information that it receives (a) from another source, or (b) through its independent interactions and relationships with consumers unrelated to the Agreement;
(vi) Picsart shall comply with all applicable sections of the CCPA or US Privacy Laws, including providing the same level of privacy protection to the Personal Information that it Collected pursuant to this Addendum as is required of Businesses by the CCPA or US Privacy Laws.
6. Rights of Data Subjects
Picsart will follow Company’s detailed written instructions to meet its obligations pursuant to Data Protection Laws to respond to Data Subject requests to access, delete, release, correct, or block access to Company Personal Data held in Picsart’s information technology environment. Company agrees to pay Picsart’s reasonable out-of-pocket costs and expenses and standard hourly fees that may be associated with Picsart’s performance of any such access, deletion, release, correction, or blocking of access to Company Personal Data on behalf of Company. Picsart will pass on to Company any requests of an individual Data Subject to access, delete, release, correct, or block Company Personal Data Processed by Picsart in connection with the Services; provided, however, that Picsart will not be responsible for responding directly to the request, unless otherwise required by Data Protection Laws.
7. Cross Border and Onward Data Transfers
a. Applicable Model Clauses. Transfers of Company Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to Picsart Affiliates or Third Party Sub-processors located in countries outside the EEA, the United Kingdom or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national data protection authority, are subject to (i) the terms of the applicable Model Clauses: (A) for transfers out of the EEA and Switzerland, the parties will enter into the European Commission’s decision 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data from processors to processors established in third countries which do not ensure an adequate level of data protection (the “EU Model Clauses”), which are incorporated herein by reference; and (B) for transfers out of the United Kingdom, the parties will enter into the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) of the Data Protection Act 2018, for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, which are incorporated herein by reference, but as permitted by Clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum as noted in Section 7(b), herein (the “UK Model Clauses”); or (ii) other appropriate transfer mechanisms pursuant to Data Protection Laws. For the purposes of the EU and UK Model Clauses, the parties agree that (a) Company will act as the data exporter on Company’s own behalf and on behalf of any of its entities and customers; and (b) Picsart will act on its own behalf and/or on behalf of the relevant Picsart Affiliates as the data importers. The terms of this DPA shall be read in conjunction with the Model Clauses or other appropriate transfer mechanisms.
b. UK Model Clauses Options. For the purposes of Table 2 of the UK Model Clauses, (i) the EU Model Clauses shall apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply; and (iv) in Clause 11, the optional language will not apply. For the purposes of Table 4, neither party may terminate this DPA when the UK Model Clauses approved addendum changes. For Part 2 of the UK Model Clauses: both parties acknowledge and agree to the mandatory clauses of the UK Model Clauses, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
c. Docking clause. The option under Clause 7 of the EU Model Clauses shall apply.
d. General authorisation for use of Sub-processors. Option 2 under Clause 9 of the EU Model Clauses shall apply and the parties agree to abide by Section 8 of the DPA.
e. Complaints - Redress. For the purposes of Clause 11 of the EU Model Clauses, Company shall inform Picsart if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Picsart. The option under Clause 11 of the EU Model Clauses shall not apply.
f. Supervision. Clause 13 of the EU Model Clauses shall read as follows:
The supervisory authority with responsibility for ensuring compliance by the data exporter with GDPR as regards the data transfer, shall be Ireland.
The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with the EU Model Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
g. Governing Law. The governing law for the purposes of Clause 17 of the Model Clauses shall be the law that is designated in the Agreement. If the Agreement is not governed by an EU member state’s law, the Model Clauses will be governed by (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom; or (iii) where the Agreement is governed by the laws of Switzerland, the laws of Switzerland.
h. Choice of forum and jurisdiction. The courts under Clause 18 of the Model Clauses shall be those in the venue designated in the Agreement. If the Agreement does not designate an EU member state court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the EU Model Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
i. Appendices. The Appendices of the EU Model Clauses and UK Model Clauses are to be completed as follows:
The contents of Appendix 1 to this Exhibit will form Annex I.A, Annex I.B, and Annex I.C to the EU Model Clauses and Tables 1 and 3 to the UK Model Clauses.
The contents of Appendix 2 to this Exhibit will form Annex II to the EU Model Clauses and Table 3 of the UK Model Clauses.
j. Data Exports under exclusive jurisdiction of Switzerland data protection laws. In case of any transfers of Personal Data from Switzerland subject exclusively to Swiss data protection laws, (i) general and specific references in the EU Model Clauses to GDPR, EU or member state law shall refer to the equivalent Swiss data protection laws, as applicable; and (ii) any other obligation in the EU Model Clauses determined by the member state in which the data exporter or Data Subject is established shall refer to the equivalent obligation under Swiss data protection laws, as applicable. In respect of data transfers governed by Swiss data protection laws, the EU Model Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similar to Personal Data under Swiss data protection laws, but only until such laws are amended to no longer apply to a legal entity.
k. Conflict. The EU and UK Model Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the EU and UK Model Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the EU or UK Model Clauses, the applicable Model Clauses shall prevail.
8. Affiliates and Third Party Sub-processors
Some or all of Picsart’s obligations under the Agreement may be performed by Picsart Affiliates and Third Party Sub-processors, and Company consents to and hereby authorizes (both generally and specifically, as applicable) Picsart’s use of Picsart Affiliates and Third Party Sub-processors in the performance of the Services in accordance with the terms of this DPA. Picsart maintains a list of Picsart Affiliates and Third Party Sub-processors that may Process Company Personal Data.
The list of sub-processors can be found at picsart.io/subprocessors/. By entering into this DPA, Company agrees to the engagement of the listed sub-processors. Picsart will notify Company of any additions to the list by providing at least 30 days’ notice.
The Picsart Affiliates and Third Party Sub-processors will be required to enter into written contracts that comply with applicable Data Protection Laws and obligate such Affiliate(s) or Third Party Sub-processor(s) to abide by substantially the same obligations as Picsart under this DPA that are applicable to their Processing of Company Personal Data.
Picsart remains responsible at all times for compliance with the terms of this DPA by Picsart Affiliates and Third Party Sub-processors.
9. Technical and Organizational Measures
Picsart has implemented and will maintain appropriate technical and organizational security measures for the Processing of Company Personal Data, including the measures specified in this Section 9 to the extent applicable to Picsart’s Processing of Company Personal Data. These measures are intended to protect Company Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure, or access, and against all other unlawful forms of Processing. Additional measures, and information concerning such measures, including the specific security measures and practices for the particular Services ordered by Company, may be specified in the Agreement.
Physical Access Control. Picsart employs measures designed to prevent unauthorized persons from gaining access to data processing systems in which Company Personal Data is Processed, such as the use of security personnel, secured buildings, and data center premises.
System Access Control. The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on several levels. For Services hosted at Picsart: (i) log-ins to Services Environments by Picsart employees and Third Party Sub-processors are logged; (ii) logical access to the data centers is restricted and protected by firewall/VLAN; and (iii) intrusion detection systems, centralized logging and alerting, and firewalls are used.
Data Access Control. Company Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced.
Input Control. The Company Personal Data source is under the control of the Company, and Company Personal Data integration into the system is managed by secured file transfer (i.e., via web services or entered into the application) from the Company to the extent possible.
Data Backup. For Services hosted at Picsart: back-ups are taken on a regular basis; backups are secured using a combination of technical and physical controls, depending on the particular Service.
Data Segregation. Company Personal Data from different Picsart customers’ environments is logically segregated on Picsart’s systems to the extent possible.
Confidentiality. All Picsart employees and Third Party Sub-processors that may have access to Company Personal Data are subject to appropriate confidentiality arrangements.
10. Audit Rights; Compliance
Picsart shall maintain an audit program to help ensure compliance with its obligations set out in this Addendum and shall make available to Company information to demonstrate its compliance with the obligations set out in this Addendum, including a summary of any third party audit reports.
11. Incident Management and Breach Notification
Picsart will notify Company without undue delay, and in any event within any notice period required pursuant to Data Protection Laws, if Picsart has determined that a Personal Data Breach has occurred that involves Company Personal Data. In the event a Personal Data Breach is caused by Picsart, Picsart will promptly investigate the Personal Data Breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by applicable law, Picsart will provide Company with a description of the Personal Data Breach, the type of Personal Data that was the subject of the Personal Data Breach, and other information Company may reasonably request concerning the affected Data Subjects. The parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant data protection authorities.
12. Return and Deletion of Personal Data upon End of Services
Following termination of the Services, Picsart will return or otherwise make available for retrieval to Company all Company Personal Data then available in Picsart’s information technology environment that holds Company Personal Data. Following return of such Company Personal Data, or as otherwise specified in the Agreement, Picsart will promptly delete or otherwise render inaccessible all copies of Company Personal Data then available in Picsart’s information technology environment that holds Company Personal Data, except as may be required by applicable law or routine data back-ups performed in the normal course of business.
13. Legally Required Disclosures
Except as otherwise required by applicable law, Picsart will promptly notify Company of any subpoena or other judicial, administrative, or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives and which relates to the Processing of Company Personal Data. At Company’s request, Picsart will provide Company with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Company to respond to the Demand in a timely manner. Company acknowledges that Picsart has no responsibility to interact directly with the entity making the Demand.
APPENDIX 1 to DPA
The following annexes form part of the Model Clauses and must be completed by the parties.
The EU member states and/or the UK may complete or specify, according to their national procedures, any additional necessary information to be contained in these annexes.
ANNEX I
A. LIST OF PARTIES
Data exporter
Name: ___________________________________________
Address: _________________________________________
Contact person’s name, position and contact details, including email: _________________________
___________________________________________________________________
Activities relevant to the data transferred under these Clauses: Processing of End User (as defined in the Agreement) data associated with use of the Services (as defined in the DPA)
Role (controller/processor): Controller
Data importer
Data importer is PicsArt, Inc. and any affiliated entity that processes Personal Data disclosed or transferred by, or otherwise on behalf of, the data exporter.
Address: Optima Onyx Tower, 1010 South Federal Highway, Suite 1103, Hallandale Beach, Florida 33009
Contact person’s name, position and contact details, including email: Armen Baghdasaryan, Data Protection Officer, DPO@picsart.com
Activities relevant to the data transferred under these Clauses: Processing of End User (as defined in the Agreement) data associated with use of the Services (as defined in the DPA)
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
End Users (as defined in the Agreement) that directly or indirectly utilize the Services (as defined in the DPA).
Categories of data
The personal data transferred concern the following categories of data (please specify):
Data exporter may submit Personal Data to Picsart, which may include, but is not limited to the following categories of Personal Data:
Personal Data uploaded to the Services by end users (e.g., personal contact details, business contact details, images, audio/video content, etc.)
Metadata related to the Services (e.g., IP address used to determine the country where an end user is located, etc.)
Usage and performance data (e.g., server logs, error logs, cookies, pixels, etc.)
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): N/A
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): The processing operations are defined by Company through its instructions.
C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority of Ireland.
APPENDIX 2 to DPA
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The technical and organizational security measures implemented by the data importer are described in Section 9 of the DPA.
APPENDIX 3 to DPA
Contracted Business Purposes
Categories of Personal Information:
Business Purposes: