Twitter Data Processing Addendum

This Twitter Data Processing Addendum (“DPA”) shall amend and apply to all of your agreements (“Agreements”) with Twitter, Inc., Twitter International Company (“TIC”), and their affiliates and/or subsidiaries (collectively, “Twitter”) to the extent that Twitter processes (i) as Your processor, any personal data originating from the European Union, the European Free Trade Association States (“EFTA”), the United Kingdom, or Brazil, or (ii) as Your service provider, any personal information of California consumers (collectively, “Your Data”).

1. Definitions

Words and expressions used in this DPA but not defined herein shall have the meanings given to such words and expressions in (i) the General Data Protection Regulation (2016/679) (“GDPR”), including any EFTA or Member State law made under or pursuant to the GDPR, (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (“UK Data Protection Law”), (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"), (iv) the Brazilian General Data Protection Law (Federal Law 13.709/2018) (“LGPD”), and (v) the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. (“CCPA”) (collectively, “Applicable Data Protection Law”). “You” refers to the controller or business who has agreed to this DPA with Twitter.

2. Details of the Processing Operations

The subject matter of the processing, including the processing operations carried out by Twitter on your behalf, the instructions from You to Twitter, and the security measures deployed by Twitter, are described in the relevant Agreements between You and Twitter. Twitter acts as a data processor or service provider (as applicable) for, and on behalf of, You and conducts its processing operations in accordance with Your instructions.

3. Your Obligations

3.1 You determine the purposes for and means by which Your Data is being or will be processed, and the manner in which they are or will be processed.

3.2 You represent, warrant and agree that with respect to Your Data provided to Twitter pursuant to this DPA You:

3.2.1 comply with personal data security and other obligations prescribed by Applicable Data Protection Law for controllers or businesses;

3.2.2 confirm that the provision of Your Data to Twitter complies with Applicable Data Protection Law;

3.2.3 have established a procedure for the exercise of the rights of the individuals/consumers whose personal data or personal information is collected;

3.2.4 only process personal data or personal information that has been lawfully and validly collected and ensure that such data or information is relevant and proportionate to the respective uses;

3.2.5 disclose Your Data to Twitter for a business purpose consistent with the disclosures You make to Your consumers in Your privacy policies, and You do not sell Your Data to Twitter;

3.2.6 ensure that after assessment of the requirements of Applicable Data Protection Law, the security and confidentiality measures implemented are suitable for protection of Your Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and

3.2.7 take reasonable steps to ensure compliance with the provisions of this DPA by Your personnel and by any person accessing or using Your Data on Your behalf.

4. Obligations of Twitter

4.1 Twitter carries out the processing of Your Data on your behalf.

4.2 Accordingly, Twitter agrees that it will:

4.2.1 process Your Data only on Your behalf and in compliance with Your instructions (including relating to international data transfers), including instructions in this DPA and all Agreements between You and Twitter, unless otherwise required by EU or Member State law (where GDPR applies) or any other applicable law (in all other cases) to which Twitter is subject;

4.2.2 immediately inform You if in Twitter’s opinion an instruction from You infringes Applicable Data Protection Law;

4.2.3 implement appropriate technical and organizational security measures as provided for in Your Agreements with Twitter prior to the commencement of the processing activities for Your Data, maintain such security measures (or better security measures) for the duration of this DPA, and provide You with reasonable evidence of its privacy and security policies;

4.2.4 take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Your Data are aware of and comply with this DPA;

4.2.5 comply with confidentiality obligations in respect of Your Data as detailed in all Agreements and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Your Data, including after the end of their employment, contract or at the end of their assignment;

4.2.6 inform You of:

4.2.6.1 any legally binding request for disclosure of Your Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities, and you acknowledge that Twitter may disclose Your Data to comply with such a legally binding disclosure request;

4.2.6.2 any personal data breach or security incident (or analogous concept) under Applicable Data Protection Law relating to Your Data (“Security Incident”);

4.2.6.3 any relevant notice, inquiry or investigation by a supervisory authority relating to Your Data; and

4.2.6.4 any requests from a data subject to exercise its data protection rights under Applicable Data Protection Law without responding to that request, unless You have authorized a response or such a response is required by law;

4.2.7 provide reasonable co-operation and assistance to You in respect of Your obligations regarding:

4.2.7.1 requests from data subjects in respect of the exercise of their data protection rights under Applicable Data Protection Law with respect to Your Data;

4.2.7.2 the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;

4.2.7.3 the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority, in each case where and to the extent required by Applicable Data Protection Law;

4.2.7.4 the security of Your Data, including by implementing the technical and organizational security measures detailed in Your Agreements with Twitter;

4.2.8 if Twitter is required by law to process Your Data, take reasonable steps to inform You of this requirement in advance of any processing, unless Twitter is prohibited from informing You on grounds of important public interest; and

4.2.9 upon reasonable request, make available to You all information necessary to demonstrate compliance with the obligations in this Clause 4.2. Twitter will further comply with its audit responsibilities set out in Clause 4.4 below.

4.3 Pursuant to the CCPA, Twitter agrees that:

4.3.1 Twitter is acting solely as a service provider with respect to Your Data;

4.3.2 Twitter shall not retain, use or disclose Your Data for any purpose other than for the specific purpose of performing the services specified in this DPA or any other Agreement between You and Twitter;

4.3.3 Twitter may deidentify or aggregate Your Data as part of performing the services specified in this DPA and any other Agreement between You and Twitter; and

4.3.4 Twitter certifies that it understands and will comply with the requirements and restrictions set forth in Clause 4.3 of this DPA.

4.4 Twitter will, upon Your request (not to exceed one request per calendar year unless required by Applicable Data Protection Law) by email to [email protected], certify compliance with Clauses 4-6 of this DPA in writing. Twitter will also provide to you each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the data processing services under the Agreements (each such report, a “Report”). If a Report does not provide, in Your reasonable judgment, sufficient information to confirm Twitter’s compliance with the terms of this DPA, then You or an accredited third-party audit firm agreed to by both You and Twitter may audit Twitter’s compliance with the terms of this DPA during regular business hours in a manner that is not disruptive to Twitter’s business, upon reasonable advance notice to Twitter of no less than 60 days and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Twitter expends for any such audit, in addition to the rates for support services performed by Twitter and any expenses incurred by Twitter in complying with this Clause 4.4 and Clause 4.2.7. Before the commencement of any such audit, You and Twitter will mutually agree upon the timing, duration and scope of the audit, which will not involve physical access to the servers from which the data processing services are provided in order to maintain the security of Twitter’s systems and to preserve the confidentiality of other customers’ data. 
You will promptly notify Twitter of information regarding any non-compliance discovered during the course of an audit. You may not audit Twitter more than once annually. Where applicable, you agree to exercise Your audit rights under the Standard Contractual Clauses by instructing us to comply with the audit measures described in this Clause 4.4.

4.5 If (i) Your Data includes any personal data that is protected under the GDPR, UK Data Protection Law or the Swiss DPA (such data being “European Personal Data”), (ii) Twitter processes such European Personal Data outside of the EFTA States or the United Kingdom; and (iii) such processing takes place in a country that is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable), then the Standard Contractual Clauses are hereby incorporated by reference and form an integral part of the Agreement. The term “Standard Contractual Clauses” means (i) the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”), or (ii) to the extent the EU SCCs cannot be relied on to lawfully transfer Personal Data that is protected under UK Data Protection Law, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”). The Standard Contractual Clauses shall apply as follows:

4.5.1 For the purposes of the EU SCCs (i) the “data exporter” is You and the “data importer” is Twitter, (ii) the Module Two terms are selected, (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and the time period for prior notice of sub-processor changes is set out in Clause 5 of this DPA, (v) in Clause 11, the optional language does not apply, (vi) in Clause 17, Option 1 applies and the EU SCCs are governed by the laws of Ireland, (vii) in Clause 18(b), disputes will be resolved before the courts of Ireland, (viii) in Annex 1, the details of the parties and description of the transfer are set out in the relevant Agreements between You and Twitter, (ix) in Clause 13(a) and Annex 1.C, the competent supervisory authority is the supervisory authority of the EEA member state in which You or Your representative is in or where the data subjects are predominantly located, and (x) in Annex 2, the description of the technical and organizational security measures is set out in the relevant Agreements between You and Twitter.

4.5.2 To the extent the European Data is protected under UK Data Protection Law or the Swiss DPA, the EU SCCs apply with the following modifications (i) references to ‘Regulation (EU) 2016/679’ are interpreted as references to UK Data Protection Law or the Swiss DPA (as applicable), (ii) references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of UK Data Protection Law or the Swiss DPA (as applicable),  (iii) references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘United Kingdom’ or ‘Switzerland’ (as applicable), (iv) Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ is the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable), (v) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘United Kingdom Information Commissioner’ and ‘courts of England and Wales’ or the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable), (vi) in Clause 17, the EU SCCs are governed by the laws of England and Wales or Switzerland (as applicable), and (vii) in Clause 18(b), disputes will be resolved before the courts of England and Wales or Switzerland (as applicable). For the purposes of the UK SCCs (i) the ‘data exporter’ is You and the ‘data importer’ is Twitter, (ii) the UK SCCs are governed by the laws of England and Wales, and (iii) the annexes, appendices or tables of the UK SCCs shall be deemed populated with the relevant information set out in the relevant Agreements between You and Twitter.

5. Transfer, Disclosure and Third Parties

5.1 You acknowledge and agree that (a) Twitter’s affiliates may be retained as sub-processors and (b) Twitter and Twitter’s affiliates may engage sub-processors in connection with the provision of the data processing services. Twitter or a Twitter affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this Clause 5, You hereby authorize Twitter to engage sub-processors required to assist Twitter for the purposes of providing the data processing services under the Agreements.

5.2 A current list of sub-processors for the data processing services is accessible via privacy.twitter.com. We will provide reasonable notice to You before we engage a new sub-processor of Your Data, including the date on which the new sub-processor will begin processing Your Data (the “Sub-Processor Effective Date”). You may object to Twitter’s engagement of a new sub-processor by ceasing to use the applicable product, program or feature prior to the Sub-Processor Effective Date. Your continued use of the applicable product, program or feature on or after the Sub-Processor Effective Date constitutes your acceptance of the new sub-processor. For the purposes of the Standard Contractual Clauses, You acknowledge that we may be restricted from disclosing sub-processor agreements to You due to confidentiality obligations but where we cannot disclose a sub-processor agreement, we shall provide all information (on a confidential basis) to You that we reasonably can in connection with such agreement.

6. Post-termination obligations

You and Twitter agree that on the termination of any of the data processing services, Twitter and any sub-processors shall, subject to the limitations described in any relevant Agreements, return all of Your Data relating to such data processing services and copies of such data to You or securely destroy them and demonstrate to Your satisfaction that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Your Data. In such a case, Twitter or a sub-processor agree to preserve the confidentiality of Your Data retained by it and that it will only actively process Your Data after such date in order to comply with the laws to which it is subject.

7. Governing law and jurisdiction

If You are in the European Union or the EFTA States, then this DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Ireland, and the parties to this DPA irrevocably agree that the courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

If You are outside of the European Union or EFTA States, then this DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of the State of California, USA, and the parties to this DPA irrevocably agree that the federal or state courts located in San Francisco County, California, United States, shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

8. Conflicts

In the event of any conflict between the terms of this DPA, the Standard Contractual Clauses and any other terms between You and Twitter, including but not limited to the terms of any Agreements, the terms shall apply in the following order of precedence: (i) the Standard Contractual Clauses, (ii) the DPA, and then (iii) any other terms between You and Twitter. This agreement is written in English and may be translated into other languages and made available by Twitter. The version in English will prevail over versions translated into other languages, which are for mere reference.