Data Processing Addendum

Effective Date: January 1, 2023

This Data Processing Addendum (“DPA”) forms part of and is subject to the Terms of Service Agreement (“Agreement”) between Simply Voting Inc. (“Simply Voting”) and Customer.

1. Definitions

  1. Customer” means the legal entity or individual who accepted Simply Voting’s Agreement, which includes this DPA.
  2. Customer Data” means any personal data that is processed by Simply Voting on behalf of the Customer to perform the Services under the Agreement.
  3. “Applicable Data Protection Laws” means all laws applicable to the collection, storage, processing, and use of Customer Data as amended, replaced or superseded from time to time, including the GDPR, the UK GDPR, the Swiss DPA, the Canadian Personal Information Protection and Electronic Documents Act, the Quebec Act respecting the Protection of Personal Information in the Private Sector, the Privacy Act 1988 of Australia, the California Consumer Privacy Act, and the Brazilian General Data Protection Law.
  4. GDPR” means EU General Data Protection Regulation 2016/679.
  5. Services” means the use of the Simply Voting online voting system and related services provided to Customer pursuant to the Agreement.
  6. Standard Contractual Clauses” means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the current version as at the date of this DPA is as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021).
  7. Swiss DPA” means Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance.
  8. UK Addendum” means the latest version of the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
  9. UK GDPR” means the GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
  10. The terms “consent“, “controller“, “data subject“, “member state“, “personal data“, “personal data breach“, “processor“, “sub-processor“, “processing“, and “supervisory authority“, and “third party” shall have the meanings given to them, under ascribed to them under Applicable Data Protection Laws or if not defined thereunder, Article 4 of the GDPR and may be lowercase or capitalized herein.

2. Roles and Purpose

  1. Customer authorizes Simply Voting to process Customer Data as needed to perform the Services for which Customer is contracting with Simply Voting in the Agreement, as described in Annex 1.
  2. The parties agree that Customer is the controller, and Simply Voting is the processor acting on behalf of Customer.
  3. The parties shall each comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws with respect to the processing of Customer Data.
  4. The parties agree that Customer Data shall remain the property of Customer.
  5. For the avoidance of doubt, this DPA shall not apply to personal data for which Simply Voting is a controller.

3. Obligations of Simply Voting

  1. Simply Voting shall only process Customer Data for the specific purpose of providing the Services to Customer and in accordance with Customer’s instructions. Such Customer’s instructions shall be documented in the applicable services description, support request, other written communication or as directed by Customer using the self-service application interfaces.
  2. Simply Voting shall not retain, use, or disclose Customer Data for any purpose other than for the specific purpose of providing the Services to Customer as set out in the Agreement and this DPA.
  3. Simply Voting shall at all times have in place a Data Protection Officer who is responsible for ensuring compliance with this DPA and who is the primary contact for Customer when seeking assistance in meeting its obligations under Applicable Data Protection Laws.
  4. Simply Voting shall immediately inform Customer if, in its opinion, Customer’s processing instructions infringe Applicable Data Protection Law. In such event, Simply Voting is entitled to defer the performance of the relevant instruction until it has been amended by Customer or is mutually agreed by both Customer and Simply Voting.

4. Obligations of Customer

  1. Customer is and shall remain responsible for compliance with all requirements imposed on controllers, including but not limited to confirming the lawful basis for all processing activities conducted by Simply Voting on Customer’s behalf and obtaining consent from data subjects, where required. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.
  2. Customer agrees to limit any Customer Data it transfers to Simply Voting or to which Simply Voting is otherwise given access for processing to only Customer Data needed by Simply Voting in order to perform the Services.
  3. Customer shall ensure that Simply Voting’s processing of Customer Data in accordance with Customer’s instructions will not cause Simply Voting to violate any applicable law, regulation, or rule, including, without limitation, Applicable Data Protection Laws.

5. Sub-processing

  1. Customer agrees that Simply Voting may engage sub-processors to process Customer Data on Customer’s behalf. The sub-processors currently engaged by Simply Voting and authorized by Customer are listed in Annex 3. Simply Voting shall notify Customer if it adds or removes sub-processors at least 10 days prior to any such changes if Customer opts in to receive such notifications by emailing privacy@simplyvoting.com.
  2. If within 5 days of receipt of that notice, Customer notifies Simply Voting in writing of any objections to the proposed appointment on reasonable grounds relating to data protection, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, either party shall have the right to terminate the Agreement for cause.
  3. Simply Voting shall enter into a written agreement with each sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA.
  4. Simply Voting shall be responsible for the acts and omissions of any sub-processors as it is to the Customer for its own acts and omissions in relation to the matters provided in this DPA.

6. Security

  1. Simply Voting shall implement and maintain appropriate technical and organizational measures to protect Customer Data against personal data breaches, as described under Annex 2. Notwithstanding any provision to the contrary, Simply Voting may modify or update the technical and organizational measures at its discretion provided that such modification or update does not result in a material degradation of the overall security of the Services.
  2. Simply Voting shall ensure that any person who is authorized by Simply Voting to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
  3. Simply Voting shall notify Customer in accordance with Applicable Data Protection Laws, without undue delay, but in any event within forty-eight (48) hours, in the event of a confirmed personal data breach affecting Customer Data and shall take appropriate measures to mitigate its possible adverse effects. Upon written request, Simply Voting shall promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant personal data breaches to competent authorities and/or affected data subjects, if it is required to do so under Applicable Data Protection Laws.
  4. Customer is responsible for reviewing the information made available by Simply Voting relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws.
  5. Customer is responsible for its secure use of the Services, including securing its user authentication credentials, protecting the security of Customer Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

7. Security Reports and Audit

  1. Simply Voting shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section and where applicable, the Standard Contractual Clauses) and any audit rights granted by Applicable Data Protection Laws, by instructing Simply Voting to comply with the audit measures described in Sections 7.2 and 7.3 below.
  2. Customer acknowledges that Simply Voting is regularly audited against SOC 2 and PCI standards by independent third party auditors. Upon written request, Simply Voting shall supply, on a confidential basis and without charge, a summary copy of its most current audit reports to Customer, so that Customer can verify Simply Voting’s compliance with the audit standards against which it has been assessed and this DPA.
  3. In addition to the reports described in Section 7.2 above, Simply Voting shall respond to all reasonable requests for information made by Customer to confirm Simply Voting’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer’s written request, provided that Customer shall not exercise this right more than once per calendar year. Customer shall be responsible for all costs relating to an audit as described within this Section, including for any time Simply Voting spends on such audit at Simply Voting’s then-current professional service rates.

8. Data Subject Requests

  1. As part of the Services, Simply Voting provides specific tools in order to assist customers in replying to requests received from data subjects exercising their rights under Applicable Data Protection Laws. These include professional services as well as self-service application interfaces to retrieve, correct, delete, or restrict the use of Customer Data. In addition, Simply Voting shall (considering the nature of the processing) provide reasonable additional assistance to Customer to the extent possible to enable Customer to comply with its obligations with respect to data subject rights under Applicable Data Protection Laws.
  2. In the event that Simply Voting receives any such requests directly from a data subject, it shall, unless prohibited by law, direct the data subject to contact Customer (to the extent Simply Voting is able to associate the data subject with Customer). In the event Customer is unable to address the data subject request, Simply Voting shall, on Customer’s request, address the data subject directly, as required under Applicable Data Protection Laws.

9. Data Protection Impact Assessment

  1. To the extent required under applicable Applicable Data Protection Laws, Simply Voting shall (considering the nature of the processing and the information available to Simply Voting) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Applicable Data Protection Laws. Simply Voting shall comply with the foregoing by: (i) complying with Section 7 above; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-Sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance. Customer shall be responsible for all costs relating to such additional assistance, including for any time Simply Voting spends on such assistance at Simply Voting’s then-current professional service rates.

10. Return or Destruction of Data

  1. Customer may, by written notice to Simply Voting, request the return of all copies of Customer Data in the control or possession of Simply Voting and sub-processors. Simply Voting shall promptly provide a copy of Customer Data in a form that can be read and processed further.
  2. Customer may, by written notice to Simply Voting, request the certificate of deletion of all copies of the Customer Data in the control or possession of Simply Voting and sub-processors. Within 30 days of receipt of that notice, Simply Voting shall delete all Customer Data processed pursuant to this DPA and provide Customer with a certificate of deletion.
  3. Within 15 days following termination of Customer’s account, Simply Voting shall delete all Customer Data processed pursuant to this DPA.
  4. These provisions shall not apply to the extent Simply Voting is required by applicable law to retain some or all of Customer Data.
  5. Customer acknowledges and agrees that the certification of deletion of Customer Data described in the Standard Contractual Clauses or any Applicable Data Protection Laws shall be provided by Simply Voting to Customer only upon Customer’s written request.

11. International Transfers

  1. Customer authorizes the transfer, processing and storage of Customer Data to and in anywhere in the world where Simply Voting and its sub-processors maintain data processing operations in order to fulfill the purpose of the Services. Simply Voting shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.
  2. For transfers of Customer Data that is subject to the GDPR, the Standard Contractual Clauses shall be incorporated by reference and form an integral part of the Agreement as follows:
    1. the Module 2 (Controller-to-Processor) terms shall apply with Customer as a controller and Simply Voting as a processor;
    2. in Clause 7, the optional docking clause shall apply;
    3. in Clause 9(a), Option 2 applies and changes to sub-processors shall be notified in accordance with Section 5 (Sub-processing) above;
    4. in Clause 11, the optional language shall not apply;
    5. in Clause 17, Option 1 shall apply and the laws of the Republic of Ireland shall govern;
    6. in Clause 18(b), disputes shall be resolved before the courts of Dublin;
    7. the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and
    8. if the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
  3. For transfers of Customer Data that is subject to the UK GDPR, the Standard Contractual Clauses shall be incorporated by reference in accordance with Section 11.2 above and the following modifications:
    1. the Standard Contractual Clauses shall be modified and interpreted in accordance with the UK Addendum, which shall be incorporated by reference and form an integral part of the Agreement;
    2. Tables 1, 2 and 3 of the UK Addendum shall be deemed completed with the information set out in the Annexes of this DPA and Table 4 shall be deemed completed by selecting “neither party”; and
    3. any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
  4. For transfers of Customer Data that is subject to the Swiss DPA, the parties hereby incorporate the Standard Contractual Clauses by reference in accordance with Section 11.2 above and the following modifications:
    1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
    2. references to specific articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA;
    3. references to “EU”, “Union” and “Member State” shall be replaced with “Switzerland”;
    4. references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner” and “relevant courts in Switzerland”;
    5. Clause 13(a) and Part C of Annex I shall be deleted;
    6. Clause 17 shall be replaced to state “The Clauses are governed by the laws of Switzerland”; and
    7. Clause 18 shall be replaced to state “Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland. The parties agree to submit themselves to the jurisdiction of such courts”.

12. Limitation of Liability

  1. Each party’s liability arising out of or related to this DPA (including the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
  2. Any claims made against Simply Voting under or in connection with this DPA (including the Standard Contractual Clauses) shall be brought solely by the Customer entity that is a party to the Agreement.
  3. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA (including the Standard Contractual Clauses) or otherwise.

13. General Provisions

  1. This DPA shall remain in effect for as long as Simply Voting processes Customer Data or until termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 10 above).
  2. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.
  3. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.
  4. If any provision of this DPA is found by a court of competent jurisdiction to be invalid, it is agreed that such court should endeavour to give full effect to the parties’ intentions as reflected in such provision, and it is agreed that other provisions of this DPA remain in full effect.
  5. The governing law and jurisdiction will be governed by the Agreement, unless otherwise stated herein. Any and all disputes concerning the construction and interpretation of this DPA and/or the parties’ obligations under this DPA will be handled in accordance with pertinent provisions governing disputes or claims that are set forth in the Agreement.

 

ANNEX 1

 

A. LIST OF PARTIES

Data Exporter: Provided in the Agreement signature block
Address: Provided in the Agreement signature block
Contact Person: Customer’s Data Protection Office or other legal representative. Customer shall make these details available upon Simply Voting’s request.
Activities Relevant to the Transfer: Consuming the Services as further specified in the Services documentation.
Role: Controller

Data Importer: Simply Voting Inc.
Address: 5160 Decarie Boulevard, Suite 502, Montreal, QC H3X 2H9 Canada
Contact Person: Brian Lack, Data Protection Officer, privacy@simplyvoting.com
Activities Relevant to the Transfer: Providing the Services as further specified in the Services documentation.
Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects

Customer may submit Customer Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of data subjects:

  • Customer’s users authorized by Customer to use the Services
  • Candidates
  • Electors (e.g. members, students, residents, partners, shareholders, customers, participants)

Categories of Personal Data

Customer may submit Customer Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data:

  • Contact information (e.g., name, email address, mailing address, organization name, cellphone number)
  • Electoral information (e.g. ID, password, voting segment, vote weight)

Sensitive Data Transferred

  • Customer Data transferred is determined and controlled by the data exporter and may include sensitive data such as political affiliation or trade union membership or any other sensitive data necessary to be processed in order to perform the Services.
  • The technical and organizational security measures described in Annex 2 ensure a level of security appropriate to protect sensitive data.

Frequency of the Transfer

Continuous basis depending on the use of the Services by Customer.

Nature of the Processing

Customer Data will be processed in accordance with the Agreement (including this DPA) and may be subject to storage and other processing necessary to provide the Services and any related technical support to the Customer.

Purpose of the Transfer and Further Processing

Simply Voting will process Customer Data as necessary to perform the Services, as further specified in the Services documentation, and as further instructed by Customer in its use of the Services.

Retention Period

Subject to Section 10 of this DPA, Customer Data shall be retained until Customer terminates their account or instructs Simply Voting to destroy the data earlier, except as otherwise required by applicable law.

Sub-Processor Transfers

Transfers to sub-processors shall be of the same subject matter, nature and duration as the data importer.

C. COMPETENT SUPERVISORY AUTHORITY

Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

Where the Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the Supervisory Authority of Ireland shall act as competent supervisory authority.

 

ANNEX 2

INFORMATION SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES

Simply Voting implements the following measures to protect Customer Data.

Physical Access Control

To prevent unauthorized persons from gaining physical access to data processing systems:

  • Simply Voting leverages industry-leading cloud infrastructure providers. Access to their data centres is strictly controlled. All data centres are equipped with surveillance and access control systems. Additionally, all providers have industry standard certifications.
  • Simply Voting’s corporate headquarters is equipped with surveillance, intruder alarm, and access control systems. Guests and visitors must be accompanied by authorized Simply Voting personnel.

System Access Control

To prevent data processing systems from being used without authorization:

  • Simply Voting personnel are granted system access to internal and externally hosted systems on a need-to-know basis based on job role, and reviews of access are performed quarterly. Onboarding and offboarding processes are documented to ensure access is properly managed.
  • Unique identifiers are utilized and are not permitted to be shared or re-assigned to another person. Where possible, third-party services leverage single sign-on (SSO) functionality which allows for centralized management and enforces two-factor authentication (2FA).
  • Simply Voting personnel utilize a password management system that enforces minimum password length and complexity, and stores passwords in encrypted form.
  • Simply Voting applications enforce minimum password length and complexity for Customer users. Customers who interact with the applications must authenticate before accessing non-public Customer Data.
  • Workstations automatically lock after a prolonged period of inactivity. Simply Voting applications log out users after a prolonged period of inactivity.
  • Firewalls with strict traffic rules are used to limit unwanted ingress and egress traffic to and from Simply Voting infrastructure. These firewalls include intrusion detection systems (IDS) used to detect and prevent potential unauthorized access.
  • Simply Voting applications are protected by a web application firewall (WAF) to identify and prevent attacks.
  • Network access is protected by a virtual private network (VPN) and two-factor authentication (2FA).
  • Security patch management and routine vulnerability scanning occurs on all workstations and servers to provide regular deployment of relevant security updates and an expedited response to the disclosure of critical vulnerabilities.
  • Up-to-date antivirus software is utilized to ensure workstations and servers are protected against known viruses.
  • Code stored in Simply Voting source code repositories is checked for vulnerabilities with an industry recognized static code analysis provider.
  • Simply Voting engages an industry recognized penetration testing provider for annual penetration tests of the application and infrastructure layers.

Data Access Control

To ensure authorized users entitled to use data processing systems have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing, use, and storage:

  • Customer environments are logically separated at all times. Customers have access only to their own data.
  • Customers access their data via self-service application interfaces. Customers are not allowed direct access to the underlying application infrastructure. The user permissions model is designed to ensure that only the appropriately assigned individuals can access relevant features and data.
  • Simply Voting personnel require access to Customer Data in order to deliver services, provide effective customer support, product development and research, and to troubleshoot potential problems. Personnel are granted data access on a need-to-know basis based on job role, and reviews of permissions are performed quarterly.

Transmission Control

To ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport:

  • Customer Data is encrypted in transit to and from Simply Voting systems over public networks. TLS 1.2 with industry standard cipher suites is used to protect against current and future encryption attacks.
  • Customer Data stored in Simply Voting systems is encrypted at rest using AES-256 encryption.
  • Backups of Customer Data are encrypted in transit and at rest using AES-256 encryption.
  • Simply Voting is alerted to encryption issues through periodic internal risk assessments, third-party SSL strength tests, and third-party penetration tests.

Input Control

To ensure that it is possible to check and establish whether and by whom personal data have been entered, modified or removed from data processing systems:

  • Simply Voting infrastructure is designed to log extensive information about the system behaviour, traffic received, system authentication, and other technical events. A log aggregation system centrally stores and indexes system log events and alerts appropriate personnel of malicious, unintended, or anomalous activities.
  • Simply Voting applications log detailed events including the entering, updating and deletion of Customer Data. Such events include the unique usernames and timestamps to investigate nonconformities or security events.

Availability Control

To ensure personal data is protected from accidental or unauthorized destruction or loss:

  • Data centres are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.
  • Network protections have been deployed to mitigate the impact of distributed denial of service (DDoS) attacks.
  • Simply Voting infrastructure is designed to have redundancy and avoid single points of failure.
  • All data is backed up every 15 minutes, and point-in-time recovery is available.
  • Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer Data is backed up offsite and replicated across multiple geographic regions.
  • Simply Voting maintains and regularly tests a disaster recovery plan to help ensure availability of information following interruption to, or failure of, critical infrastructure.

Security Certifications

Simply Voting holds the following security-related certifications from independent third-party auditors:

  • SOC 2 Type 1 report
  • PCI-DSS compliance

 

ANNEX 3

AUTHORIZED SUB-PROCESSORS AS OF THE DPA EFFECTIVE DATE

Company Data Location Description of Activities Safeguards for Transfers
Hut 8 High Performance Computing, Inc.
Duncan St, Suite 500
Toronto, ON M5V 2B8
Canada		 Canada Cloud Computing Infrastructure SOC 2 Type II
Master Services Agreement
GDPR Adequacy Determination
Amazon Web Services Canada, Inc.
120 Bremner Blvd, 26th Floor
Toronto, ON M5J 0A8
Canada		 Canada Cloud Storage SOC 2 Type II
ISO 27001
DPA
SCCs
Mailgun Technologies
112 E. Pecan Street #1135
San Antonio, Texas, 78205
USA		 USA Email Processing SOC 2 Type II
DPA
SCCs
Twilio Inc.
101 Spear Street, 5th Floor
San Francisco, California, 94105
USA		 USA Email Processing SOC 2 Type II
DPA
SCCs
Tresorit AG
Franklinstrasse 27
8050 Zurich
Switzerland		 Canada File Transfer and Storage ISO 27001
DPA
GDPR Adequacy Determination