Squadcast Data Processing Addendum

Squadcast, Inc. (“Squadcast” or “we” or “our”) provides a number of “Services” through our cloud based application and platform for Incident response orchestration, alert management, Incident tracking, Incident resolution automation and any related analytics, provided by means of a software via https://www.squadcast.com (or at such other URL as Squadcast may designate from time to time), that includes but is not limited to any related application programming interfaces (API), interactive discussion areas, customer accounts and profiles, mobile applications, and other related components thereof, on an individual and collective basis (“Services” or “Service”). We have prepared this Privacy Policy to describe to you our practices regarding the use of information and other data that we collect from our website at https://squadcast.com (“Website”) and through our Services. For the purpose of this Privacy Policy: (i) “Personally Identifiable Information” or “PII” means information that can be used on its own or in combination with other information to identify or contact you, your Users, or your Contact Persons, such as name, phone number and/or e-mail address and (ii) “Anonymous Information,” means information that is not associated with or linked to your PII and does not permit the identification of individual persons.

User Consent

By using our website, submitting or making available information through our Website or Services as described below, you agree to the Terms of Service posted by us on https://squadcast.com/terms and the terms of this Privacy Policy and you expressly consent to the processing of your data in accordance with this Privacy Policy. In connection with providing Services, Squadcast acts as a data processor, not a data controller. This means that Squadcast follows your instructions as to how to use your PII. While we primarily process your data on servers located in the United States, your data may also be processed in the country in which it was collected and in other countries if necessary to do so as part of the Services. The laws in such other countries regarding the use and processing of data may be more or less stringent than the laws in the United States or your country. For example, when an alarm trigger set by you occurs, the Services will automatically retrieve the Contact Information supplied by you and use the method(s) you established to contact the applicable Contact Person. This will require telephoning or sending an email or SMS message or using other means to contact such Contact Person wherever they are located, which may not be the United States or your home country. Of necessity this means PII will be transmitted in or through the networks, servers, telephone system and so forth in the country where the Contact Person is located. You consent, and hereby authorize and assume responsibility, for Squadcast to use your data in this manner as part of offering the Services.

What Data We Collect

  1. Information Provided by Visitors: If you visit our Website or use our Services, we may collect PII from you, including, but not limited to, first and last name, organization name, e-mail address and password if you decide to register to receive information, schedule a demo, or create an account to use the Services. If you provide us feedback or contact us via e-mail (e.g., in response to an employment opportunity posted on our website), we will collect your name and e-mail address, as well as any other content included in the e-mail, in order to send you a reply, and any information that you submit to us, such as a resume. we will collect any information you voluntarily provide, and we may also request optional information to support your use of our services, such as your year of birth, gender and other demographic information. We collect information in the form of the content that you submit during your use of our services, such as photos, comments, ratings and other information you choose to submit. We may also collect information about you and your friends, from any social network you may have connected from, in order to provide you with a more personalized experience. We may receive Personal Information about you from other sources with which you have registered, companies who we have partnered with (collectively, “Partners”) or other third parties. We may associate this information with the other Personal Information we have collected about you. For instance, we may collect your user ID or profile information from third party sources in order to deliver a better experience of our products/services. If you choose to sign up to receive information about products or services that may be of interest to you, we will collect your email address and all related information. Additionally, we collect any information that you voluntarily enter, including Personal Information, into any postings, comments, or forums within the Squadcast community.
  2. Information that We may Collect via Technological Means: Our servers (which may be hosted by a third-party service provider) may collect data from you, such as browser type, operating system, IP address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session), domain name, and/or a date/time stamp for your visit. For example, we, or our service providers, may track your IP Address when you access our services to assist with ad targeting. Like most Internet services, we automatically gather this data and store it in log files each time you visit our website or access your account on our network. We may also directly collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Service. These tools collect information sent by your browser or mobile device, including the pages you visit and other information that assists us in improving the Service. We collect and use this analytics information in aggregate form such that it cannot reasonably be manipulated to identify any particular individual User. We also use various technical mechanisms such as cookies, pixels, clear GIFS and so forth to monitor how you are using our website and Services. “Cookies” are small pieces of information that a website sends to your computer’s hard drive while you are viewing a website. We may link the information we store in cookies or through other mechanisms to the personally identifiable information you submit while on our site. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on our website. Persistent cookies can be removed by following Internet browser help file directions. You can also disable all cookies on your Internet browser. If you choose to disable cookies, some areas of our website may not work properly. The use of cookies and other mechanisms by our partners, affiliates or service providers is not covered by our privacy statement as we do not have access or control over them.
  3. Information that we may collect from our Customers: If you decide to purchase the Services and become a Squadcast customer (“Customer”), we will need to collect additional information from you.First, we – or our third-party credit card or payment processor on our behalf – will collect your payment information, such as a credit card number or account information. All of this is your PII. Second, you will need to set up your profile to be able to use the Services. This includes, among other things, telling us how to contact you or your organization when faults are detected by the organization’s monitoring tools, creating accounts for the on-call engineers on your team, and allowing permission to access information relevant to your account available from other tools you use. You will be able to set up your preferred contact methods (e.g., phone, SMS, email and/or push notifications) and you will be required to provide the applicable contact information (“Contact Information”), parts of which will also be PII. If you or your Users are supplying PII for Contact Persons, your represent and warrant that you have the right to provide such information.

How We Use the Data We Collect

We use PII for two basic purposes: to provide and improve the Website and to provide and improve the Services. In particular, we use Contact Information to send alerts to Customers in accordance with the Customer’s notification rules and schedule. We may also use PII to facilitate the creation of and secure your account on our network; identify you as a User in our system; provide improved administration of our Website and Services; improve the quality of experience when you interact with our Website and Services; respond to your inquiries related to employment opportunities or other requests; send promotional communications; provide you with hardcopy or electronic newsletters, or surveys; send upgrades and special offers related to our Services and related services and for other marketing purposes of Squadcast, should you request to receive such communications from us; make telephone calls to you, from time to time, as a part of secondary fraud protection or to solicit your feedback. We may also analyze request and usage patterns so that we may enhance the content of the Website and Services or improve their respective functionalities, or for other business purposes. We may use and display your full name and email address when you send an email notification to a friend through Squadcast or any other tool from which you have connected to Squadcast (such as in an invitation, or when sharing your content). Additionally, we use your email address to contact you on behalf of your friends (such as when someone sends you a personal message) or notifications from any other application/tool/website with whom you have registered to receive such notifications. We may use this e-mail address to contact you, for things such as notifications of limited edition shop sales and other related information. However, you may indicate your preference at any time to stop receiving further promotional communications.

When We May Disclose Data

We may share your data with third parties as part of providing the Services. This will include, among other things, to provide technical support, to process payments, and to contact your organization when an alarm is triggered. Third parties may include, among others, payment processors, technical support organizations, server and network hosts, telephone and messaging operators, and other telecommunications organizations. We require our third-party service providers to promise not to use such information except as necessary to provide the relevant services to us. Regardless of any choices you make regarding your PII (as described below), we may disclose PII if it is believed in good faith that such disclosure is necessary to (a) comply with relevant laws or to respond to subpoenas or warrants; or (b) protect or defend the rights or property of Squadcast or users of the Services or related services. We may also share any information collected under this Privacy Policy in connection with any merger, sale of assets, financing, acquisition, or in any other situation where used information may be disclosed or transferred as one of our business assets, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may share aggregate or anonymous data (including personal data that has been stripped of personally identifying characteristics) with third parties as part of providing our Service. Except as otherwise stated in this policy, we do not sell, trade, share, or rent the PII collected from our Services or the Website to third parties other than as outlined in this policy, unless you ask or authorize us to do so. We may in the future share some or all of your information with any subsidiaries, joint ventures, or other companies under a common control, in which case we will require them to honor this Privacy Policy. You understand that when you use Squadcast, certain information you post or provide through Squadcast, such as your name, profile, comments, posts and ratings, may be shared with other users and posted on publicly available portions of Squadcast, including without limitation, chat rooms, bulletin and message boards, along with other public forums. If you provide feedback to us, we may use and disclose such feedback for any purpose, along with any associated Personal Information. We will collect any information contained in such feedback but will treat the Personal Information in it in accordance with this Privacy Policy. You agree that any such comments and any email we receive becomes our property. We may use feedback for marketing purposes or to add to or modify our services without paying any royalties or other compensation to you. Please keep in mind that if you choose to disclose Personal Information when posting comments or other information or content through Squadcast, this information may become publicly available and may be collected and used by others, including people outside the Squadcast community. We will not have any obligations with respect to any information that you post to parts of Squadcast available to others, and recommend that you use caution when giving out personal information to others in public forums online or otherwise. You expressly consent to the sharing of your PII as described in this Privacy Policy.

Your Choices: We offer you choices regarding the collection, use, and sharing of your PII

  1. Opt-Out: We may periodically send you free newsletters and e-mails that directly promote the use of our site or the purchase of our Services. When you receive newsletters or promotional communications from us, you may indicate a preference to stop receiving further communications from us and you will have the opportunity to “opt-out” (either through your account or by following the unsubscribe instructions provided in the e-mail you receive). Notwithstanding your indicated preferences, when applicable we will send you notices of any updates to our Terms of Service, this Privacy Policy, and other communications that directly affect your status as a user of our site or Services. Despite your indicated email preferences, we may send you administrative emails regarding Squadcast, including, for example, administrative confirmations, and notices of updates to our Privacy Policy if we choose to provide such notices to you in this manner.
  2. By You. You agree to defend, indemnify and hold Squadcast, Inc. harmless from and against all claims, losses and damages, suits, government investigations, fines, actions, damages, settlements, losses, liabilities, costs and expenses (including reasonable attorneys’ fees) for any breach of your representations, warranties and covenants set forth in these terms.
  3. Ability to Edit or Delete Personal Information: You may edit any of your PII in your account, including Contact Information (and/or notification rules), by editing your profile. You may also request that we delete your account information by sending an email to help@squadcast.com, but please note that we may be required (by law or otherwise) to keep this information and not delete it (or to keep this information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). We will respond to such requests within 30 days. When we delete or edit account information, it will be deleted from the active database, but may remain in our archives. We will otherwise retain your information for as long as your account is active or as needed to provide you services as well as is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Information Processed under the Direction of Customers

As described above, Squadcast processes Contact Information under the direction of the applicable Squadcast Customer (data controller) and has no direct relationship with the individuals (e.g., Devops Personnel) whose personal data it processes. Any individual who seeks access, or who seeks to edit or delete inaccurate Contact Information should direct his or her query to the applicable customer. It is the customer’s responsibility to edit or delete (or have edited or deleted) such Contact Information as set forth above.

Security of Your Data

Squadcast is committed to protecting the security of your PII. We use a variety of industry-standard security technologies and procedures to help protect your PII from unauthorized access, use, or disclosure. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL). We also require you to enter a password to access your account information. Please do not disclose your account password to unauthorized people. Despite these measures, you should know that Squadcast cannot fully eliminate security risks associated with PII and mistakes and security breaches may happen. If you have any questions about security on our Website, you can contact us at the information below.

Links to Third Party Sites

Our provision of a link to any other website or location is for your convenience and does not signify our endorsement of such other website or location or its contents. When you click on such a link, you will leave our site and go to another site. During this process, a third party may collect data, including PII, from you. We have no control over, do not review, and cannot be responsible for, these outside websites or their content. Please be aware that the terms of this Privacy Policy do not apply to these outside websites or content, or to any collection of data after you click on a link to a third party. We encourage you to carefully read the privacy statement of any other website you visit.

Right to Information

You may request and obtain from us once a year, free of charge, certain information about the PII (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of PII that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you would like to make such a request, please submit your request in writing to support@squadcast.com.


Because we value your privacy, we will take any necessary precautions, to the best of our ability, to be in compliance with the California Online Privacy Protection Act. We therefore will not distribute your personal information to outside parties without your consent, unless as otherwise explicitly stated in this Privacy Policy. As part of the California Online Privacy Protection Act, all users of our site may make any changes to their information at anytime by logging into their control panel and going to the 'Edit Profile' page. We are also in compliance with the requirements of COPPA (Childrens Online Privacy Protection Act), we do not intentionally collect any information or PII from anyone under 13 years of age. Thus, if we obtain actual knowledge that a user is under 13, we will take steps to remove that user’s Personal Information from our databases. We recommend that children between the ages of 13 and 18 obtain their parent’s permission before submitting information over the internet. By using Squadcast, you are representing that you are at least 18 years old, or that you are at least 13 years old and have your parents’ permission to use our services.

Contact Information

Squadcast welcomes your comments or questions regarding this Privacy Policy. Please e-mail us at support@squadcast.com

Changes to This Privacy Policy

This Privacy Policy is subject to occasional revision, and if we make any substantial changes in the way we use your information, we will notify you by sending you an e-mail to the last e-mail address you provided to us and/or by posting notice of the changes on our website. Any material changes to this Privacy Policy will be effective upon the earlier of thirty (30) calendar days following our dispatch of an e-mail notice to you of the changes, thirty (30) calendar days following our posting of notice of the changes on our site, or the date that you accept the changes (e.g., by clicking an “I Accept” button or similar means). These changes will be effective immediately for new users of our website, Services or related services. Please note that at all times you are responsible for updating your Personal Data to provide us with your most current e-mail address. If you object to any such changes, you must cease using Squadcast. In the event that the last e-mail address that you have provided us is not valid, or for any reason is not capable of delivering to you the notice described above, our dispatch of the e-mail containing such notice will nonetheless constitute effective notice of the changes described in the notice.

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Terms of Service, currently located at https://www.squadcast.com/terms/ made between Squadcast, Inc. (“Squadcast”) and Customer (the term “Customer” means the company that You represent) for the provision of the Squadcast Services (the “Agreement”). This DPA reflects the parties’ agreement with respect to the Processing of Customer’s Personal Data in accordance with the requirements of the Data Privacy Laws and Regulations. To the extent the terms and conditions of this DPA are inconsistent with the Terms of Service or applicable Order Form, this DPA shall control as it relates to the Processing of Customer Personal Data. References to the Agreement will be construed as including this DPA. This DPA shall be effective on the effective date of the Agreement or if the Agreement was effective prior to the publishing of this version of the DPA then the Effective Starting date published above for this DPA (provided that Customer has an Agreement in place already) (“Effective Date”). Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.

How this DPA Applies

If Customer is not a party to an Order Form nor the Agreement, this DPA is not valid and not legally binding.

Data Processing Terms

  1. Definitions:

    The terms used in this Addendum shall have the meanings set forth below. Except as modified below, the terms of the Agreement shall remain in full force and effect.
    For the purposes of this DPA:
    • ‘Customer Personal Data’ means any Customer data that is Personal Data. For purposes of this DPA, Customer Personal Data does not include personal information of employees or other representatives of Customer with whom Squadcast has a direct business relationship.
    • ‘Data Privacy Laws’ means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), equivalent requirements in the United Kingdom including the UK Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Law”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, if Squadcast’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
    • ‘Data Subject’ means an identified or identifiable natural person about whom Personal Data relates.
    • ‘Personal Data’ includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.
    • ‘Process’ or ‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or communication, restriction, erasure or destruction.
    • ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
    • Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
    • Standard Contractual Clauses” (or “SCCs”) refers to one or both of the following, as the context requires:
      • For Personal Data for which Customer is subject to UK Data Protection Law, the “2010 Standard Contractual Clauses,” defined as the clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec/2010/87/2016-12-17; and
      • For Personal Data subject for which Customer is subject to the GDPR, the “2021 Standard Contractual Clauses,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj.
  2. Scope and Purposes of Processing:
    • Squadcast will Process Customer Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this Addendum; (2) on Customer’s behalf; and (3) in compliance with Data Privacy Laws. If a Data Privacy Law to which Squadcast is subject requires Squadcast to Process Customer Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, Squadcast will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information on important grounds of public interest within the meaning of Data Privacy Laws.
    • Without limiting the foregoing, Customer directs Squadcast, and Squadcast agrees, to Process Customer Personal Data solely in accordance with Customer’s written instructions, as may be provided by Customer to Squadcast from time to time.
    • Squadcast will not:
      • Sell Customer Personal Data or otherwise Process Customer Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Squadcast will not Process Customer Personal Data outside of the direct business relationship between Customer and Squadcast. For purposes of this paragraph, “sell” shall have the meaning set forth in applicable Data Privacy Laws.
      • Attempt to link, identify, or otherwise create a relationship between Customer Personal Data and non-Personal Data or any other data without the express written authorization of Customer.
  3. Personal Data Processing Requirements:

    Squadcast will:
    • Taking into account the nature of the Processing, Squadcast shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a verifiable request by a Data Subject (or their lawful representatives) under applicable Data Privacy Laws (such as rights to access or delete Personal Data). In addition, to the extent Customer, in its use of the Services, does not have the ability to address such verifiable request, Squadcast shall upon written request of Customer, use commercially reasonable efforts to assist or cause any applicable subprocessor to assist, Customer in the fulfilment of Customer’s obligations to respond to such requests, to the extent Squadcast or the subprocessor is legally permitted to do so and the response to the verifiable request is required under applicable Data Privacy Laws. To the extent legally permitted, Customer shall be responsible for Squadcast’s provision of such assistance, including any fees associated with the provision of additional functionality.
    • Ensure that the persons it authorizes to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    • Promptly notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Customer Personal Data; (ii) any Data Subject requests for exercising their rights under Data Privacy Laws; or (iii) any government or Data Subject requests for access to or information about Squadcast’s Processing of Customer Personal Data on Customer’s behalf, unless prohibited by Data Privacy Laws. Squadcast will provide Customer with reasonable cooperation and assistance in relation to any such request.
    • Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Personal Data, when required by applicable Data Privacy Laws.
  4. Subprocessors:
    • Squadcast’s Subprocessors. A list of subprocessors for the Services as of the Effective Date is located at https://www.squadcast.com/subprocessors/. Customer has instructed or authorized the use of subprocessors to assist Squadcast with respect to the performance of Squadcast’s obligations under the Agreement. Customer acknowledges and agrees that Squadcast may engage third-party subprocessors to assist Squadcast in providing or maintaining the Services provided under the Agreement. Squadcast shall maintain an updated list of subprocessors and Customer may receive notification of changes to the published list of subprocessors by email, push notification or announcement on the website / app or other electronic means or by checking the above website url.
    • Liability for Subprocessors. Squadcast shall be liable for the acts and omissions of its subprocessors to the same extent Squadcast would be liable if performing the services of each subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
    • If Squadcast processes Personal Data of residents in the European Economic Area, the United Kingdom, or Switzerland on Customer’s behalf, in order to exercise its right to object to Squadcast’s use of a new subprocessor, Customer shall notify Squadcast promptly in writing within ten (10) business days after Squadcast’s updated list of subprocessors has been made available. In the event Customer objects to a new subprocessor pursuant to this subprovision, and that objection is not unreasonable, Squadcast will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new subprocessor without unreasonably burdening the Customer. If Squadcast is unable to make available either type of change within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those aspects of the Services which cannot be provided by Squadcast without the use of the objected-to new subprocessor by providing written notice to Squadcast.
    • Copies of Subprocessor Agreements. The parties agree that the copies of the subprocessor agreements that must be sent by Squadcast to Customer pursuant to the Standard Contractual Clauses (where applicable) may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Squadcast beforehand; and, that such copies will be provided by Squadcast only upon reasonable request by Customer.
  5. Security Measures:

    Squadcast will implement appropriate administrative, technical, physical, and organizational measures to protect Customer Personal Data, as set forth in Exhibit B. Squadcast regularly monitors compliance with these measures. Squadcast will not materially decrease the overall security of the Services during Customer’s subscription term.
  6. Security Breach Management and Notification:

    Squadcast will maintain a security incident management procedure and shall, to the extent required under the applicable Data Privacy Law, promptly notify Customer of any actual or reasonably suspected Security Breach, by Squadcast or its subprocessors of which Squadcast becomes aware. Customer shall be responsible for notifying Data Subjects affected by a Security Breach unless Customer and Squadcast make other arrangements. Squadcast shall make reasonable endeavors to identify and remediate the cause of such Security Breach and to notify Customer no later than seventy-two (72) hours after Squadcast’s discovery and full remediation unless otherwise required by applicable Data Privacy Law. The notification will include the following information, to the extent known by Squadcast: (i) the nature of the Security Breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Customer Personal Data records concerned; and (ii) measures taken or proposed to be taken by Squadcast to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  7. Deletion of Customer Personal Data:

    Squadcast shall, upon Customer’s request and subject to the limitations described in the Agreement, delete Customer Personal Data in accordance with the procedures and timeframes specified in the Agreement. The parties agree that the certification of deletion of Personal Data that is described in the Standard Contractual Clauses shall be provided by Squadcast to Customer only upon Customer’s request.
  8. Data Transfers:
    1. Squadcast shall ensure that international transfers are in compliance with all applicable Data Privacy Laws. Where Squadcast engages in an onward transfer of Customer Personal Data, Squadcast shall ensure that a lawful data transfer mechanism is in place prior to transferring Customer Personal Data from one country to another.
    2. European Economic Area. Except as provided in Section (d) below, with respect to Customer Personal Data transferred from the European Economic Area (“EEA”) for which the GDPR governs the international nature of the transfer, to the extent legally required, Customer and Squadcast are deemed to have signed the EU SCCs, which form part of this DPA and will be deemed completed as follows:
      1. Module 2 of the EU SCCs applies to transfers of Customer Personal Data from Customer (as a controller) to Squadcast (as a processor) and Module 3 of the EU SCCs applies to transfers of Customer Personal Data from Customer (as a processor) to Squadcast (as a subprocessor);
      2. Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;
      3. Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Exhibit C of this DPA and Squadcast shall propose an update to that list at least 10 days in advance of any intended additions or replacements of sub-processors in accordance with Section 4.3 of this DPA;
      4. Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
      5. Under Clause 17 of Modules 2 and 3 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland;
      6. Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the parties select the courts of Ireland;
      7. Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Exhibit A of this DPA;
      8. Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
      9. Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with Exhibit B of this DPA; and
      10. Annex III of Modules 2 and 3 (List of subprocessors) is intentionally not included.
    3. United Kingdom. With respect to Customer Personal Data transferred from the United Kingdom for which the UK Data Protection Law (and not the law in any EEA jurisdiction or Switzerland) governs the international nature of the transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“IDTA”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the IDTA. Undefined capitalized terms used in this provision shall mean the definitions in the IDTA. For purposes of the IDTA, they shall be deemed completed as follows:
      1. Table 1 of the IDTA:

               a.1 The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in the Agreement.

               a.2 The Key Contacts shall be the contacts set forth in the Agreement.
      2. Table 2 of the IDTA: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
      3. Table 3 of the IDTA: Annex 1A, 1B, II, and III shall be set forth in Exhibits A, B, and C of this DPA.
      4. Table 4 of the IDTA: Both parties may end the IDTA as set out in Section 19 of the IDTA.
      5. By entering into this DPA, the Parties are deemed to be signing the IDTA, the Mandatory Clauses in Part 2, and its applicable Tables and Appendix Information.
    4. Switzerland. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 8.2 of this DPA, but with the following differences to the extent required by the FADP:
      1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
      2. The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
      3. References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
      4. Under Annex I(C) of the EU SCCs (Competent supervisory authority):

                d.1 Where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

                d.2 Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in (h) of this DPA insofar as the transfer is governed by the GDPR.
      5. To the extent the EU SCCs apply, nothing in this DPA or the Agreement shall be construed to prevail over any conflicting clause of the EU SCCs. Each party acknowledges that it has had the opportunity to review the EU SCCs.
    5. Changes in Laws:

      If the transfer of Customer Personal Data under the SCCs or other lawful data transfer mechanism, approved by the relevant data protection authority, ceases to be lawful or the additional safeguards are no longer effective, Squadcast may, at its discretion: (a) cease transfers of the Customer Personal Data to, or access to such Customer Personal Data from, the relevant jurisdictions; or (b) promptly cooperate with Customer to facilitate use of an alternative lawful data transfer mechanism and alternative additional safeguards that will permit Customer to continue to benefit from the Services in compliance with applicable Data Privacy Laws relating to the protection of Customer Personal Data. If Customer and Squadcast are unable to promptly implement such an alternative data transfer mechanism or alternative additional safeguards, then Customer may, at its option, upon written notice to Squadcast suspend the transfer or reduce the scope of the Services to exclude the Customer Personal Data.
  9. Audits and Certifications:

    The parties agree that the audits described in the Standard Contractual Clauses shall be carried out in accordance with the following specifications: Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Squadcast shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Squadcast and that has signed a nondisclosure agreement reasonably acceptable to Squadcast) information regarding Squadcast’s compliance with the obligations set forth in this DPA, and its Subprocessors (to the extent that they make such information generally available to customers). Following any notice by Squadcast to Customer of a Security Breach, upon Customer’s reasonable belief that Squadcast is in breach of its obligations in respect of protection of Personal Data under this DPA, or if such audit is required by Customer’s Supervisory Authority, Customer may contact Squadcast in accordance with the notice procedure described in the Agreement to request an on-site audit of Squadcast’s procedures relevant to the protection of Personal Data, but only to the extent required under applicable Data Privacy Laws. Any such request shall occur no more than once annually. Customer shall reimburse Squadcast for any time expended for any such on-site audit at Squadcast’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Squadcast shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Squadcast. Customer shall promptly notify Squadcast with information regarding any non-compliance discovered during the course of an audit, and Squadcast shall use commercially reasonable efforts to address any confirmed non-compliance.
  10. Limitation of Liability:

    Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, any Order form or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA, including all attachments hereto.
  11. Order of Precedence:

    This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms in the Agreement shall apply. With respect to the rights and obligations of the parties with respect to the Processing of Customer Personal Data, the terms of this DPA will control and the parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment,  exhibit, or Standard Contractual Clauses (as applicable) that the parties may have previously entered into regarding the Processing of Customer Personal Data in connection with the Squadcast Services.
  12. Term and Termination; Duration of Processing:

    Notwithstanding expiration or termination of the Agreement, this DPA and the Standard Contractual Clauses (if applicable) will remain in effect until the deletion of all Customer Personal Data as described in this DPA and will automatically expire upon such deletion.




MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Data exporter(s):

The data exporter is a user of the importer’s services pursuant to their underlying commercial agreement.  The data exporter acts as a controller with respect to its own personal data. To the extent permitted by the commercial agreement, the exporter also is permitted to use the contracted services as a processor on behalf of third parties.

Data importer(s):

The data importer is the provider of services to the exporter pursuant to their underlying commercial agreement. The data importer acts as the exporter’s processor.


MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred:
The personal data transferred concern data subjects residing in the European Economic Area, the United Kingdom and Switzerland.

Categories of personal data transferred: The personal data transferred concern the following categories of data (please specify): Data Exporter may transfer Personal Data to Vendor (Squadcast), the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, and is not limited to the following categories of personal data:

  1. First and Last Name
  2. Contact Information (telephone number & email address)
  3. Company, Position
  4. Login Credentials

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The personal data transferred concerns the following special categories: None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Nature of the processing: Vendor’s Processing activities shall be limited to those discussed in the underlying Agreement and the DPA between the parties.

Purpose(s) of the data transfer and further processing: The objective of the transfer and further processing of personal data by Data Importer is the access and use of Vendor services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data will be retained for the period of time necessary to provide the Services to Customer under the Agreement and/or in accordance with applicable legal requirements.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent such information is provided to subprocessors for purposes of providing the Services.


MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

See Section 8.2(h) of the DPA.


MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor


The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Vendor shall comply with Exhibit B to the DPA.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:

Vendor shall require its subprocessors to take appropriate technical and organizational measures to provide assistance to the controller and/or data exporter that are no less restrictive than those in Exhibit B.


This Appendix forms part of the SCCs and must be completed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with SCCs (or document/legislation attached):

Data importer has implemented stringent data privacy structures within the company. These structures ensure adequate data privacy with the measures implemented by data importer: 

  1. Organization
  2. Entry
  3. Admission
  4. Access
  5. Transmission of data
  6. Input of data
  7. Commissioned data processing
  8. Data availability
  9. Data separation

The specific details regarding the technical and organizational measures are explained in the following text.

A. Organizational Control 

Measures, which comply with the specific requests of Data Protection, regarding the internal organization:

  1. Installment of an internal Data Protection Officer
  2. Commitment of employees to data secrecy
  3. IT-Emergency concept
  4. Data back-up concept (for production data)
  5. Regulations regarding the correct and secure processing of duties done by data processing
  6. Regular instruction of relevant regulations
  7. Control of compliance with the regulations
  8. Regulations and instructions for entry control
  9. Regulations and instructions for access control
  10. Regular information and instruction of the employees
  11. Documentation of IT-procedures, software, IT-configuration

B. Entry Control 

Measures to limit entrance of unauthorized persons to areas where personal data is used or processed with electronic data processing devices.

  1. Entry control
  2. Regulations and instructions of entry control
  3. Identification badges / code cards / Biometric access
  4. Entry regulations organization for employees
  5. Entry regulations for external service providers (cleaning and maintenance personal, craftsmen, customers, visitors
  6. Classification of security areas
  7. Identification of admission authorized persons
  8. Safeguarding by alarm system, intrusion detector, police & fire emergency call
  9. Security locks with centralized key administration and master key plan
  10. Revision secure organization of admission rights
  11. Revision secure grant and revocation of admission rights

C. Access Control (Electronic data processing) 

Measures to limit access of unauthorized persons to systems where personal data is used or processed with electronic data processing devices.

  1. Regulations and instructions for access control
  2. Processes for file organization
  3. Rights- and role-concept
  4. Assignment of rights for data-input as well as for information, modification and deletion of stored data
  5. Regulated procedure for granting, changing and revocation of access rights
  6. User adaptive access protection
  7. Selective access for files and functions
  8. Automatic screensaver protection in case of inactivity
  9. Requirement of user identifiers (Passwords) for files, system data, application data
  10. Machine control of authorizations
  11. Logging access to specific data (e.g.: Console log, machine Log)
  12. Functional and/or timely limited use of terminals
  13. Password policy at the level of configuration of IT-systems
  14. Identification and authentication of users
  15. Control of administrator activities
  16. Limitation of free style queries in databases
  17. Specific written directives for the restart-procedure
  18. Safeguards for access by self-acting institutions
  19. Use of encryption while transmitting data

D. Access Control (Data media) 

Measures to limit access of unauthorized persons to data and/or applications being stored on storage devices outside of an electronic data processing system.

  1. Identification of authorized personnel
  2. Rules regarding the production of copies
  3. Labelling obligation for data media with classification
  4. Guidelines for the organization of data storage
  5. Data privacy conform elimination of out of use data media with protocol
  6. Controlled storage of in use and swapped out data media in a secure area (Archive, secure cabinets)

E. Transmission Control 

Measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. 

Measures to ensure and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged. 

Measures to ensure, that an automated procedure for the retrieval of personal data is running a log procedure in order to have retrospect information which data has been retrieved by whom.

  1. Determination of authorized person for transmission and transport
  2. Documentation of the retrieval and transmission programs
  3. Determination and documentation of the transmission procedure and the data receivers Regulations and instructions for data media transport and transmission control

F. Input Control

Measures to ensure that it is possible to check and establish whether and by whom personal data / social data have been entered, modified or removed into/from data processing systems.

  1. Automatic protocol of input, modification and deletion of personal data
  2. Protocol of system generation and modification of system parameters
  3. Definition of deletion and retention periods for the protocols

G. Job Control 

Measures to ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal. The following measures are relevant in case of sub-order for the subcontractor as well.

  1. Careful selection of the contractor (processor)
  2. Written agreement with definition of the decisional authority based on statutory mandatory law
  3. Outline of the rights and duties of principal and contractor in regard to:
    Data security measures
    Transmission directives
    Retention and deletion periods
    Breach of contract
  4. Insurance
  5. Definition of safety measures
  6. Right of access to subcontractor premises
  7. Control of security measures at the subcontractor
  8. Control of the correct execution of the contract
  9. Sanctions in case of contract violations

H. Availability Control 

Measures to ensure that personal data is protected from accidental destruction or loss (e.g.: loss of power, lightning, protection from water damage)

  1. Ordinance of work instructions and safety directives
  2. Fire preventions
  3. Definition and control of fire precautions and fire/water early warning system
  4. Risk- and weak-point-analysis for relevant IT-division
  5. Regular and intense instruction of all employees
  6. Disaster recovery plan, emergency handbook, security-infrastructure
  7. Recovery-Procedures for production data
  8. Data mirroring
  9. Regular stringent data back up
  10. Formalized approval process for new IT-applications and in case of relevant changes of running applications
  11. Used software is checked and released in a formalized procedure
  12. Centralized procurement for hard- and software
  13. Database-Logging

I. Separation Control 

Measures to ensure that data collected for different purposes can be processed separately.

  1. Stringent company internal directives for data collection, data processing and use of data
  2. Grant of specific access rights
  3. Use of separate user roles to ensure separation control
  4. Documentation of data bases
  5. Documentation of application programs
  6. Disaster recovery plan, emergency handbook, security-infrastructure
  7. Documentation of the specific purposes of the collection, processing and use of data
  8. Logical separation of data


Current Subprocessors

A list of Subprocessors for the Services as of the Effective Date is located at https://www.squadcast.com/subprocessors.

Squadcast, Inc.
355 Bryant Street, Suite # 403
San Francisco CA 94107

Copyright © Squadcast Inc. 2017-2023