Synadia Communications Data Processing Addendum

Last Updated: May 1, 2024

This Data Processing Addendum (“DPA”) supplements the Multi-Level Support & Management Agreement or other written or electronic subscription agreement (the “Agreement”) by and between Customer (“Customer”) and Synadia Communications Inc. (“Company” or “Synadia”). To the extent required under Data Protection Laws (defined below) and where Company processes Personal Data on behalf of Customer when providing Services under the Agreement, Customer enters into this DPA on behalf of itself and its Affiliates (defined below), if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.

  1. Definitions

  2. Relationship of the Parties; Processing of Data

  3. Confidentiality

  4. Authorized Sub-Processors

  5. Security of Personal Data.

    Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets forth additional information about Company’s technical and organizational security measures.

  6. Transfers of Personal Data

  7. Rights of Data Subjects

  1. Actions and Access Requests; Audits
  1. Company’s Role as a Controller. The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Company’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this DPA and the Agreement. Company may also process Company Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws. Any processing by the Company as a controller shall be in accordance with the Company’s privacy policy set forth at https://www.synadia.com/legal/privacy.

  2. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) the Company’s privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

Exhibit A

Details of Processing

Nature and Purpose of Processing: Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement (including any applicable Order Form(s)), for the purposes specified in the Agreement and this DPA.

Duration of Processing: As between Company and Customer, the duration of Personal Data processed under this DPA is for the term of the Agreement. Company Account Data and Company Usage Data will be processed and stored as set forth in Company’s privacy policy and data management policy.

Categories of Data Subjects: May include Customer’s end users, employees, contractors, and other third parties.

Categories of Personal Data: Categories of Personal Data include name, location, email address, phone number, address, and title.

Sensitive Data or Special Categories of Data: None

Exhibit B

The following information is required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.

1. Parties

Data exporter (if applicable): Customer (Controller)

Data importer (if applicable):

Synadia Communications Inc. (Processor)
400 Concar Drive, San Mateo, CA 94402
security@synadia.com

2. Description of the Transfer

Data Subjects

See Exhibit A of the DPA

Categories of Personal Data
Nature and Purposes of the Processing
Duration of Processing and Retention (or the criteria to determine such period)
Frequency of transfer: As necessary to provide perform all obligations and rights with respect to Personal Data as provided in the Agreement or DPA.
Recipients of Personal Data Transferred to the Data Importer: Company will maintain and provide a list of its Subprocessors upon request or at .

3. Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The supervisory authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office.

Exhibit C

Description of the Technical and Organizational Security Measures implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs and Annex II of the UK Addendum.

Technical and Organizational Security Measure: Details

Measures of pseudonymisation and encryption of personal data

Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Company’s customer agreements contain strict confidentiality obligations. Additionally, Company requires any downstream sub-processors to have confidentiality provisions that are substantially similar to those contained in Company’s customer agreements.

Company has undergone a SOC 2 Type 1 audit.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

As required by Data Protection Law(s), Company will delete all personal data after the end of the provision of Services (to the extent such data is still in the Company’s possession) unless applicable Data Protection Law requires the storage of such information, in which case Company will only retain and such information for the limited duration and purposes required by such Data Protection Law.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Company has undergone a SOC 2 Type 1 audit, third-party penetration testing and code review, and maintains automated vulnerability checking for its services.

Measures for user identification and authorization

Company uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication (MFA) and Single Sign On (SSO). All production access requires the use of two-factor authentication, and network infrastructure is securely configured to vendor and industry best practices to block all unnecessary ports, services, and unauthorized network traffic.

Measures for the protection of data during transmission

Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit.

Measures for the protection of data during storage

Encryption-at-rest is automated using transparent disk encryption from relevant cloud service providers (e.g. AWS, Google Cloud, Azure), which uses industry standard encryption to secure all volume (disk) data. All keys are managed by the cloud service provider.

Measures for ensuring physical security of locations at which personal data are processed

All Company processing occurs in physical data centers that are managed by the relevant cloud service providers. Company does not maintain physical data centers.

Measures for ensuring events logging

Company monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.

Measures for ensuring system configuration, including default configuration

All production changes are automated through CI/CD tools to ensure consistent configurations.

Measures for internal IT and IT security governance and management

Company maintains a risk-based information security governance program. The framework for Company’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.

Measures for certification/assurance of processes and products

Company has received SOC 2 Type 1 certification.

Measures for ensuring data minimization

Company’s Customers unilaterally determine what data they route through the Services. As such, Company operates on a shared responsibility model. Company gives Customers control over exactly what data enters the platform.

Measures for ensuring limited data retention

Customers unilaterally determine what data they route through the Services and Company has no visibility or understanding of that data. As such Company’s Customers may remove Personal Data from the Services themselves as needed, but Company is not able to do so on their behalf. All of the Customer’s data is deleted from the Services following service termination, in accordance with Company’s retention policy.

Measures for ensuring accountability

Company has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Personal Data Breaches, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Company conducts third-party audits to ensure compliance with our privacy and security standards.

Technical and organizational measures of sub-processors

Company requires any downstream sub-processors to have confidentiality provisions that are substantially similar to those contained in Company’s customer agreements.

Exhibit D

UK Addendum

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

Part 1: Tables

Table 1: Parties

Start Date: This UK Addendum shall have the same effective date as the DPA
The Parties: Exporter; Importer
Parties’ Details: Customer (Exporter); Synadia Communications Inc. (Importer)
Key Contact: See Exhibit B of this DPA

Table 2: Selected SCCs, Modules and Selected Clauses

EU SCCs: The Version of the Approved EU SCCs which this UK Addendum is appended to as defined in the DPA and completed by Section 6.2 and 6.3 of the DPA.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

Annex 1A: List of Parties: As per Table 1 above
Annex 2B: Description of Transfer: See Exhibit B of this DPA
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: See Exhibit C of this DPA
Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit B of this DPA

Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

Ending this UK Addendum when the Approved UK Addendum changes

☐ Importer

☐ Exporter

☒ Neither Party

UK Addendum means this International Data Transfer Addendum incorporating the EU SCCs, attached to the DPA as Exhibit D.
EU SCCs means the version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information shall be as set out in Table 3.
Appropriate Safeguards means the standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making an ex-UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved UK Addendum means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as may be revised under Section 18 of the UK Addendum.
Approved EU SCCs means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
ICO means the Information Commissioner of the United Kingdom.
ex-UK Transfer shall have the same definition as set forth in the DPA.
UK means the United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR shall have the definition set forth in the DPA.

The UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

If the provisions included in the UK Addendum amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendment(s) will not be incorporated in the UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.

If there is any inconsistency or conflict between UK Data Protection Laws and the UK Addendum, UK Data Protection Laws applies.

If the meaning of the UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after the UK Addendum has been entered into.

Hierarchy

Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for ex-UK Transfers, the hierarchy in Section 10 below will prevail.

Where there is any inconsistency or conflict between the Approved UK Addendum and the EU SCCs (as applicable), the Approved UK Addendum overrides the EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved UK Addendum.

Where this UK Addendum incorporates EU SCCs which have been entered into to protect ex-EU Transfers subject to the GDPR, then the parties acknowledge that nothing in the UK Addendum impacts those EU SCCs.

Incorporation and Changes to the EU SCCs:

This UK Addendum incorporates the EU SCCs which are amended to the extent necessary so that:

Unless the parties have agreed alternative amendments which meet the requirements of Section 12 of this UK Addendum, the provisions of Section 15 of this UK Addendum will apply.

No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 of this UK Addendum may be made.

The following amendments to the EU SCCs (for the purpose of Section 12 of this UK Addendum) are made:

Amendments to the UK Addendum

The parties may agree to change Clauses 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

If the parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

From time to time, the ICO may issue a revised Approved UK Addendum which:

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other party before the start date of the revised Approved UK Addendum.

The parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.