The following Data Processing Addendum (the “Addendum”) sets out the summary of data processing responsibilities between Posh Technologies (Processor or Posh), Cloud Hosting Services Provider (Subprocessor) and “you” (Data Controller).
PROCESSING OF PERSONAL DATA
Roles of the Processor, Sub-Processor and Data Controller.
Posh will be acting on behalf of the Data Controller to process categories of personal data categorized below (collectively, Personal Data) that are submitted by Data Controller end users (including members) (collectively, “Data Subjects”) through the Posh Conversational AI chatbots or Posh Content Management System pursuant to the requirements set forth in this Addendum. The Cloud Hosting Provider will be referred to as the Sub-Processor in this Addendum.
Data Controller - Processing of Personal Data.
The Data Controller, in the use of Services, as defined in this Addendum, is responsible for defining the processing of Personal Data applicable in the use of the Service. The Data Controller is solely responsible for ensuring the accuracy, integrity and applicability of the Personal Data submitted as part of the Services and solely responsible for the legality by which means the Data Controller acquired Data Subject data. The Data Controller agrees that as part of using the Services, the Data Controller will not violate the rights of a Data Subject and, further, the Data Controller will allow the Data Subject to exercise their rights under applicable federal, state, and local data protection laws, rules, and regulations. Personal Data does not include: (i) de-identified or aggregated consumer information or (ii) personal information covered by the Gramm-Leach-Bliley Act.
Revision History
15th April 2022 - Initial Notice Creation
1st December 2022 - Notice Revision Updates
1st August 2023 - Sub-processor added
3rd October 2023 - Updates to sensitive personal data
Notification Date
3rd October 2023
Data Privacy Requirement
Posh Technologies Data Processing Addendum
Data Privacy Legislation concerning the processing of personal data and protection of privacy in electronic communication
Not limited to:
California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”),
European Commission, European Data Protection Board and applicable national supervisory authorities including without limitation the UK Data Protection Act 2018, UK GDPR, GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
Swiss Data Protection Act 2020
Systems
Software-as-a-Service platform providing Artificial Intelligence conversational agents through a B2B service.
Duration of Processing
As per the request of the data controller in line with the terms of service
Purpose and Legal Basis For Processing
In accordance with GDPR Art. 6, the lawful processing of data is done to meet the contractual terms of service. A Data Processing Impact Assessment (DPIA) is performed to ensure personally identifiable information is not collected.
Nature of Processing
Data defined by the Data Controller to optimize the service of the platform. Data Subject information, if inadvertently processed through our platform, is deleted through technological measures in a manner to where the data is irrecoverable. Data Subject information as defined in the personal data categories above is not persisted in Posh Systems.
Right to Process
The Processor retains the right to process Personal Data submitted by the Data Controller as part of the services. The duration of processing will exist for the term of the Services provided. The Personal Data Categories submitted as part of the Service will solely be determined by the Data Controller.
Rights of a Data Subject
The Processor will respond to requests from the Data Controller as it relates to the right of a Data Subject. Data Controller will be solely responsible for (i) providing Data Subjects with contact information on how to submit a request to exercise their rights under the CCPA, (ii) verifying the identity of any Data Subject, and (iii) obtaining all necessary information from the Data Subject, in sufficient detail, to allow Processor to properly understand, evaluate, and respond to any request made by the Data Subject. All requests from a Data Subject will be referred to the Data Controller as it relates to:
The right of access
The right to rectification
The right to delete*
The right to restrict processing
The right to data portability
The right to object
The right not to be subject to a decision based solely on automated processing
*As applicable, Processor may deny a deletion request if, in Processor’s sole discretion, retaining the information is necessary for Processor or a Sub-Processor(s) to:
Provide a good or service that Data Controller requested, take actions reasonably anticipated within the context of the ongoing business relationship between Processor and Data Controller, fulfill the terms of a written warranty in accordance with federal law, or otherwise for Processor to perform its contractual obligations with Data Controller.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug Services to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if Data Controller previously provided informed consent.
Enable solely internal uses that are reasonably aligned with consumer expectations based on the relationship between Processor and Data Controller.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which the Data Controller provided it.
Applicable Data Controller requests can be sent to: privacy@posh.tech
Personal Data Categories
Data Subject First Name
Data Subject Middle Name
Data Subject Last Name
Data Subject Email Address
Data Subject Geolocation Information (Cookies, IP, address, etc.)
Data Subject Non-Identifying Information (e.g. Redacted Data Subject Number)
Data Subject Phone Number
Data Subject voice-based biometric information
For any Personal Data categories not described above, the Data Controller acknowledges and agrees that it will be solely responsible for ensuring all other sensitive, personal data categories will not be submitted or used by Data Subjects during the transmission of data to Posh. The Data Controller is solely responsible for informing their Data Subjects of their privacy rights. Posh will only collect voice-based biometric information to perform voice-based authentication to the Services, as defined in this Addendum.
Other Data Categories
Data Subject Account Number (only via authenticated mechanisms will this data be processed).
Special Categories of Personal Data
Duties of the Processor
The data controller acknowledges they will be responsible for ensuring sensitive data categories will not be used by data subjects during the transmission of data. The data controller is responsible for informing their members/end-users of their privacy rights. Posh Technologies may collect other data attributes if advised by the data controller.
Use of Sub-Processors
The Data Controller acknowledges and agrees that the following sub-processors will be used in the course of the Services provided.
Current list of authorized Sub-Processors:
Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043
Salesforce, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
Twilio, 375 Beale Street, Suite 300, San Francisco, CA 94105
OpenAI, 3180 18th St, San Francisco, CA 94110
Illuma Labs Inc., 7700 Windrose Ave., Ste G300, Plano, TX 75024
Atlassian, 350 Bush Street, Floor 13, San Francisco, CA 94104
Right to object: The Data Controller can object within 30 days upon notification of the use of Sub-Processors or a change of a Sub-Processor in course of the duration of the Services.
Security of Processing
In processing Personal Data, the Processor and Sub-Processor will utilize the following industry accepted security standards to safeguard such data:
Encrypt Personal Data processed and (if applicable) stored.
Use industry accepted security standards to ensure the confidentiality and integrity of Personal Data
Provide periodic testing and auditing of system and technological measures to evaluate the effectiveness of the Processor’s internal controls
Processor and Sub-Processor Security Measures
Measures taken by Posh Technologies Inc. and our cloud service providers to maintain the confidentiality of data. (Article 32(1)(b) GDPR).
Posh Technologies uses technical measures to delete data subject information once transmitted to Posh Systems. The following controls (albeit not all controls) may apply in some manner during the processing of information.
Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding End User Personal Data:
· Access control system
· ID reader, magnetic card, chip card
· (Issue of) keys
· Door locking (electric door openers etc.)
· Surveillance facilities
· Alarm system, video/CCTV monitor
· Logging of facility exits/entries
Access to Control Data
· Differentiated access rights
· Access rights defined according to duties
· Automated log of user access via IT systems
· Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment
· Data Obfuscation and/or Data Deletion
· Access Reviews
Integrity
(Article 32(1)(b) GDPR)
· Compulsory use of encrypted private networks for all data transfers
· Creating an audit trail of all data transfers
· File Integrity Monitoring
Disclosure Control
· Compulsory use of encrypted private networks for all data transfers
· Creating an audit trail of all data transfers
Input Control
· Logging user activities on IT systems
· That it is possible to verify and establish to which bodies End User Personal Data have been or may be transmitted or made available using data communication equipment.
· That it is possible to verify and establish which End User Personal Data have been input into automated data-processing systems and when and by whom the data have been inputted for processing (data controller party).
Job Control
· Unambiguous wording of contractual instructions
· Monitoring of contract performance
Segregation Control
· Restriction of access to data stored for different purposes according to staff duties
· Segregation of business IT systems
· Segregation of IT testing and production environments
· Role-based access control / least privilege access
Availability Control
· Installed systems may, in the case of interruption, be restored
· Systems are functioning, and that faults are reported
· Data is processed while incorporating security measures to mitigate corruption
· Uninterruptible power supply (UPS)
· Business Continuity procedures
· Remote storage
· Antivirus/firewall systems
Data Subject Rights
Right to Access Personal Data
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Rectification.
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Erasure
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Restrict Data Processing
The Data Controller is responsible for addressing and exercising the data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech. Once the requested personal data of the data subject is deleted or obfuscated, Posh Technologies will inform the Data Controller.
Right to be Notified
The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech
Right to Data Portability
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Object
The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies LLC within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech
Right to Reject Automated Individual Decision-Making
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Additional Data Processing Obligations
Right To Audit
Posh performs annual independent audits to test the effectiveness of its security, privacy and availability controls. Upon the Data Controller’s reasonable request and upon Posh’s prior consent, not to exceed once annually, Posh agrees to share such audit reports. In the event this action is requested, the Data Controller can contact the Posh Data Privacy team: privacy@posh.tech.
Data Protection Officer
Please contact our Data Protection Officer at privacy@posh.tech
Compliance with Data Protection Legislation
Each party will comply with their applicable obligations under the Data Protection Legislation as it relates to the processing of personal data or data owned by the controller. All parties will include compliance with Data Protection Legislation, for example but not limited to Article 31 of GDPR.
Data Transfer
Processors shall not transfer data outside of the United States without the prior written consent of the Data Controller.
Data Breach Notification
In the event of discovery of a security related data breach directly affecting the Personal Data of a Data Subject or confidential information of the Data Controller, the Posh Legal Team will inform the impacted Data Controller(s) within 72 hours of discovery.
Data Controller Obligations
The Data Controller shall at all times recognize and use a legal basis for processing Personal Data through the Processor or Subprocessor systems. Data Controller is responsible for notifying the Processor in the event any data privacy rights are exercised by their end-users (or members).
Deleting Information
Once Posh receives a request from the Data Controller to delete Personal Data of a Data Subject, Posh periodically investigates whether their technological measures delete such Personal Data. In the event that Data Controller believes that any Personal Data continues to be stored by Posh, despite Posh data deletion measures, please contact the Posh data privacy team at privacy@posh.tech
Processor will confirm receipt of any request made by the Data Controller within ten (10) business days. If the Data Controller does not receive confirmation within the 10-day timeframe, please contact privacy@posh.tech.
Processor endeavors to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If the Processor requires more time (up to another 45 days), the Processor will inform the Data Controller of the reason and extension period in writing. Any disclosures Processor provides will only cover the 12-month period preceding Processor’s receipt of Data Controller’s request. The response provided will also explain the reasons that Posh cannot comply with a request, if applicable. For data portability requests, the Processor will select a format to provide Personal Data that is readily usable and should allow the Data Controller to transmit the data from one entity to another entity without hindrance.
Processor does not charge a fee to process or respond to any Data Controller verifiable Data Subject request unless it is, in Processor’s sole discretion, excessive, repetitive, or manifestly unfounded. If the Processor determines that the request warrants a fee, the Processor will tell the Data Controller why the Processor made that decision and provide the Data Controller with a cost estimate before completing the request.
Non-Discrimination
Processor will not discriminate against any request from the Data Controller for its Data Subjects to exercise any CCPA rights. Unless permitted by the CCPA, Processor will not, as it pertains to the specific requesting Data Subject:
Deny the Data Controller any goods or Services.
Charge different prices or rates for goods or Services, including through granting discounts or other benefits, or imposing penalties.
Provide a different level or quality of goods or Services.
Suggest that Data Controllers may receive a different price or rate for goods or Services or a different level or quality of goods or Services.
Changes to this Addendum
Processor reserves the right to amend this Addendum at its discretion at any time. When Processor makes changes to this Addendum, Processor will post the updated Addendum at https://www.posh.ai/security-privacy-policy and update the Addendum's effective date.
Data Controller’s continued use of the Services following the posting of changes constitutes Data Controller’s acceptance of such changes.