Telnyx Data Processing Addendum (DPA)
Version 2.2
This Data Processing Addendum (“DPA”) is incorporated into the Telnyx Terms and Conditions of Service (the “Agreement”) between Telnyx LLC (and/or any of its subsidiaries or other affiliates, “Telnyx”) and the undersigned customer (“Customer”) with respect to the “Services” as defined in the Agreement.
1. Definitions
All capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to such terms in the Agreement. The following definitions and rules of interpretation below apply to this DPA:
“Adequate” in relation to the level of protection given to Personal Data in countries outside the European Economic Area (“EEA”) or United Kingdom means a decision made by the European Commission under Article 25(6) of Directive 95/46/EC (as amended or replaced from time to time) or Information Commissioner’s Office finding that the relevant third country provides an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.
“Applicable Data Protection Law(s)” refers to all laws and regulations applicable in relation to the processing of Personal Data under the Agreement.
“Controller”, “Processor”, “Data Subject”, and “Processing” (and “Process”) have the meanings given in accordance with Applicable Data Protection Law.
“Customer Account Data” means (a) Personal Data that relates to Customer’s relationship with Telnyx including the names, phone numbers, and/or contact information of individuals authorized by Customer to access Customer’s Telnyx account and/or use the Services and billing information; and (b) Personal Data processed by Telnyx for the purposes of storing, transmitting, or exchanging Customer Content, sending goods, and to provide the Services that may include shipping address data used to trace and identify the source and destination of a communication, such as individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration, and type of communication and/or data provided by the channels used by the Customer to communicate with their customers.
“Customer Content” means Personal Data exchanged by use of the Services such as text, call recording, message bodies, conversation transcriptions, voicemail recordings, voicemail transcription, video recording, video files, images, and sound.
“Employees” with respect to any entity refers to such entity’s employees and contractors.
“Personal Data” or “personal data” means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Security Incident” means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise processed.
“Sensitive Personal Data” means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or any other data that falls within the definition of “special categories of data” under Applicable Data Protection Law.
“Standard Contractual Clauses” or “SCC” means
(a) for the transfer of data from the EEA outside the EEA to a non-adequate country, the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in the decision (EU) 2021/914 of 4 June 2021 (“EEA SCCs”);
(b) for the transfer of data from the United Kingdom to a non-adequate country, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner Version B1.0 in force 21 March 2022 ("UK International Data Transfer Addendum").
“Sub-processor” means any processor engaged by Telnyx for the purposes of the provision of the Services under the Agreement.
2. Relationship of the Parties
2.1 Customer Content.
The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor, and Telnyx acts as a processor (where Customer is a controller) or sub-processor (where Customer is a processor); and an independent data controller (and the Customer is a controller) for the purpose of improving and enhancing the Services.
2.2 Customer Account Data.
The parties acknowledge that with regard to the processing of Customer Account Data, Customer is a controller, and Telnyx is an independent controller, not a joint controller with Customer.
3. Processing of Personal Data
3.1 Purpose Limitation.
Telnyx shall process Customer Content as a data processor (a) for the performance of the Services in accordance with Customer’s instructions as set forth in the Agreement and this DPA and in accordance with Applicable Data Protection Law, (b) as otherwise necessary to provide the Services (which may include responding to support requests and prevention and resolution of security, fraud, and technical issues, the latter may include engaging and providing access to Customer Content to telecommunication carriers to diagnose and solve the issue), (c) as initiated through the use of the Service, and (d) as further instructed by the Customer in writing. Telnyx shall process Customer Content as a data controller to improve and enhance the Services. Telnyx will process Customer Account Data as a data controller in accordance with Applicable Data Protection Law, the Privacy Policy, and the Agreement for the purposes detailed in Schedule 1 of this DPA.
3.2 Customer Instructions.
Customer will ensure that its instructions comply with Applicable Data Protection Laws and that Telnyx’s processing of the Customer Content in accordance with Customer’s instructions will not cause Telnyx to violate Applicable Data Protection Laws. Telnyx will notify Customer to the extent permitted by law if it becomes aware or reasonably believes that Customer’s data processing instructions would violate Applicable Data Protection Law.
3.3 Customer Compliance.
Customer shall ensure that (a) it has and will continue to comply with Applicable Data Protection Law in its use of the Services; (b) its customers and end users are provided adequate notice of Telnyx’s processing activities for which Telnyx acts as a controller to fulfill the requirements of Applicable Data Protection Laws; (c) it has and will continue to have the right to transfer or provide access to its customers’ and end users’ Personal Data (including as applicable Sensitive Personal Data) to Telnyx for processing in accordance with the terms of the Agreement and this DPA; and (d) appropriate technical and organizational measures and suitable safeguards are in place before transmitting or processing Sensitive Personal Data and/or before permitting Customer’s end users to transmit or process any Sensitive Personal Data via the Services.
3.4 Processing Information.
Schedule 1 of this DPA details the duration of processing, the nature and purpose of processing, the type of Personal Data, and the categories of data subjects processed by Telnyx.
4. Sub-processors
4.1 Sub-processors List and Engagement.
Customer acknowledges that Telnyx engages Sub-processors in connection with the provision of the Services and Customer provides general consent for Telnyx to appoint Sub-processors subject to this clause 4. The engagement by Telnyx of any such Sub-processor shall be on written terms which impose upon the Sub-processor data protection obligations to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, including providing sufficient guarantees to implement appropriate technical and organizational measures. Telnyx’s up-to-date sub-processors list is set forth at www.telnyx.com/legal/subprocessors (the “Sub-processors List”).
4.2 General Consent for Telnyx Sub-processors.
Customer grants a general authorization to Telnyx to appoint other entities of Telnyx as Sub-processors, conditional on the requirements detailed in Section 4.1.
4.3 Notification Mechanism.
When a Sub-processor is replaced or a new one appointed, the Sub-processors List may be modified pursuant to a notification mechanism (“Notification Mechanism”). In the event Customer subscribes, Telnyx will provide notification of any new or replacement Sub-processor.
4.4 Objection to New Sub-processors.
If Customer objects to Telnyx’s appointment or replacement of a Sub-processor based on reasonable grounds relating to data protection, it shall notify Telnyx in writing within 10 days of receipt of notice. In such event, Telnyx will use reasonable efforts to provide the Services to Customer in accordance with the Agreement without using the Sub-processor.
4.5 Sub-Processor Liability.
Telnyx shall be liable for its Sub-processors’ processing of Customer Content to the same extent that Telnyx would be liable if performing the processing activities of each Sub-processor directly under the terms of this DPA.
4.6 Communications Sent Through the Services and Payment Gateways.
Customer acknowledges that Telnyx may use telecommunication providers in the provision of the Services. Customer further acknowledges that in order to send communications for the provision of the Services, Telnyx may need to transmit Customer’s communications through existing telecommunications networks and suppliers via companies bound to comply with applicable telecommunications and privacy laws but who may not all have direct contracts with Telnyx and/or Customer. Customer further acknowledges that Telnyx may use payment gateways in the provision of Services via companies bound to comply with data protection laws but who may not have direct contracts with Telnyx. Customer hereby instructs Telnyx to transmit the communications through existing telecommunications networks and to use payment gateways as necessary to provide the Services, and acknowledges and agrees that telecommunications networks and payment gateway suppliers are not considered Sub-processors under either the DPA or the Agreement.
4.7 Call Quality.
When Customer reports potential issues with the quality of the Services, the Customer instructs Telnyx to engage its relevant telecommunication suppliers for assistance, including by providing them with access to communications data (for example, CDRs or call recordings), which may contain personal data for the purpose of diagnosing and resolving the reported issues.
5. Data Transfers
5.1 Telnyx Data Transfer.
To the extent that any Personal Data is transferred from the European Economic Area, the United Kingdom, and/or Switzerland (either directly or via onward transfer) to any country that, according to the European Commission or the competent authority for the UK and Switzerland, does not provide an adequate level of protection for personal data, the parties agree that the Standard Contractual Clauses incorporated by reference to this DPA will apply in respect of the processing of such Personal Data. The Standard Contractual Clauses and this Clause 5 will not apply to Personal Data that is not transferred either directly or via onward transfer outside the EEA, the United Kingdom, and/or Switzerland. In relation to the Standard Contractual Clauses, Telnyx will comply with the obligations of the 'data importer' in the Standard Contractual Clauses, and the Customer will comply with the obligations of the 'data exporter.' Appendices of the EEA SCCs shall be deemed completed as set forth in Schedule 2 of this DPA in relation to the transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to the transfer of personal data outside the United Kingdom shall be deemed completed as set forth in Schedule 3.
5.2 In the event of any conflict or inconsistency between the EU Standard Contractual Clauses (Schedule 2) or UK International Data Transfer Addendum (Schedule 3) and the terms of this DPA, the EU Standard Contractual Clauses or UK International Data Transfer Addendum (Schedule 3) as applicable shall prevail.
5.3 Request for Personal Data.
5.3.1 If Telnyx receives a civil or criminal subpoena, search warrant, or other official and written request that is legally binding (“Request”) by a public authority that is not from an EEA country, the UK, or a country considered Adequate (“Requesting Party”) for disclosure of Customer’s personal data, Telnyx may respond to such Requesting Party with respect to any Request that Telnyx reasonably deems to be valid and appropriate in scope. Otherwise, Telnyx may, insofar as legally permissible, redirect the Requesting Party to request that Personal Data directly from Customer instead.
5.3.2 In the event that the information is provided, Telnyx will (a) ensure that the disclosed Personal Data is the minimum required to satisfy the Request, and (b) take all commercially reasonable steps to ensure that such Customer information is afforded confidential treatment by the authorities.
5.4 Sub-processors Data Transfer.
If in the performance of the Services, Telnyx permits processing of any Personal Data by a Sub-processor outside the EEA, except if in an Adequate country, without prejudice to Section 4, Telnyx shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place such as:
5.4.1 Standard Contractual Clauses;
5.4.2 affirmative representation or covenant regarding compliance with applicable law; or
5.4.3 the existence of any other specifically approved safeguard for data transfers as recognized under Applicable Data Protection Law and/or a European Commission or Information Commissioner’s Office finding of adequacy.
5.5 Processing in the United States.
Customer acknowledges that as of the date hereof, Telnyx’s primary processing facilities are in the United States of America.
6. Security of Personal Data
6.1 Security Measures.
Telnyx has implemented and will maintain appropriate administrative, technical, and organizational measures (www.telnyx.com/legal/technical-organizational-security-practices) to protect Personal Data from a Security Incident, having regard to the state of technological development and the cost of implementing such measures as well as the nature, scope, context, and purposes of processing and the likelihood and severity of harm to the interests of data subjects that may be expected to result from any such Security Incident.
6.2 Employee Access.
Telnyx shall ensure that only such of its employees who may be required by it to provide the Services to Customer or assist Telnyx in meeting its obligations under this DPA shall have access to Personal Data. Telnyx will ensure that the employees accessing Customer Content are under confidentiality obligations to protect such personal information.
7. Security Incidents
7.1 Security Incident Involving Personal Data.
Upon confirming a Security Incident involving personal data for which Telnyx acts as a data processor, Telnyx will:
7.1.1 To the extent permitted by applicable law, notify Customer without undue delay. Such notice shall be delivered in accordance with Section 13 of this DPA;
7.1.2 To the extent such Security Incident is caused by Telnyx’s violation of its obligations under this DPA, take such reasonable remedial steps to address such Security Incident and prevent any further incidents; and
7.1.3 Promptly provide the Customer with all relevant information in its possession as reasonably required by Applicable Data Protection Law to comply with any reporting obligations of a relevant regulatory authority concerning such Security Incident.
7.2 Notification to the Supervisory Authority.
If Customer determines that a Security Incident must be notified to any supervisory authority and/or data subjects and/or the public or portions of the public pursuant to the Applicable Data Protection Law, Customer will, to the extent commercially feasible, notify Telnyx before the communication is made (and where not commercially feasible, as soon as is commercially feasible after such communication) and supply Telnyx with copies of any written documentation to be filed with the supervisory authority and of any notification Customer proposes to make (whether to any supervisory authority, data subjects, the public, or portions of the public) which directly or indirectly references Telnyx, its security measures, and/or role in the Security Incident, whether or not by name. Subject to Customer’s compliance with any mandatory notification deadlines under Applicable Data Protection Law, Customer will consult with Telnyx in good faith and take account of any clarifications or corrections Telnyx reasonably requests to such notifications and which are consistent with Applicable Data Protection Law. In the event that impacted data subjects are required to be notified of the Security Incident, Customer will provide reasonable assistance to Telnyx to effectuate appropriate notice to such impacted data subjects.
8. Audits
8.1 Demonstrated Compliance.
Upon Customer’s written request no more than once annually and subject to adequate confidentiality provisions, Telnyx shall, in accordance with Applicable Data Protection Laws, make available to Customer such reasonable information in Telnyx’s possession or control to demonstrate Telnyx’s compliance with its obligations as a data processor of Customer Content to satisfy Customer’s audit rights granted by Applicable Data Protection Law (including where applicable the Standard Contractual Clauses).
9. Personal Data on Expiry or Termination
9.1 Deletion of Personal Data.
In respect of the Customer Content that Telnyx processes as a data processor pursuant to the Agreement, Telnyx shall cease to process such personal data and will promptly arrange for its deletion on expiry or termination of the Agreement unless otherwise agreed by the parties in writing, in which case Telnyx shall hold Customer Content in accordance with the data retention term agreed by the parties. Notwithstanding anything to the contrary in this Section 9, Telnyx may retain Customer Content or any portion of it if required by applicable law, in which case Telnyx shall comply with Applicable Data Protection Law regarding the deletion and retention of Personal Data.
10. Data Protection Impact Assessment
10.1 Telnyx shall provide reasonable assistance to Customer (taking into account the nature of processing and the information available to Telnyx and at Customer's expense) with respect to data protection impact assessments or consultations with supervisory authorities that may be required in accordance with Applicable Data Protection Law.
11. Data Subject Requests
11.1 Self-service Features.
As part of certain Services, Telnyx may, but is not obligated to, provide Customer with self-service features to delete, retrieve, or restrict use of Customer Content, which the Customer may use to assist in its compliance with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects.
11.2 Additional Assistance.
In addition, upon written request, Telnyx will provide reasonable additional and timely assistance in relation to Customer Content at Customer’s expense to assist Customer in complying with its data protection obligations to respond to requests for exercising the rights of data subject under Applicable Data Protection Law.
12. Liability
12.1 Liability.
This DPA is without prejudice to the rights and obligations of the parties under the Agreement, which shall continue to have full force and effect, including any limitations on liability contained therein, which shall apply to this DPA as if fully set forth herein. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
12.2 Penalties.
Notwithstanding anything to the contrary in this DPA or in the Agreement, neither party will be responsible for any fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
13. Notification
13.1 All notices given by Telnyx to Customer under or in connection with this DPA shall be validly served by email. Where Customer has subscribed to the Notification Mechanism, Customer shall receive notifications pursuant to Clause 4.3 of this DPA. All other notices given by Telnyx to Customer under or in connection with this DPA shall be sent to Customer’s email address associated to their Telnyx account; and any notice given by Customer to Telnyx shall be sent to [email protected] and [email protected].
14. Indemnification
14.1 Customer further agrees to indemnify and hold harmless Telnyx for any data minimization or other record retention rules violations related to Customer's retention of data under the General Data Protection Regulation ("GDPR") or any other comparable legislation.
15. Miscellaneous
15.1 Governing Law and Jurisdiction.
This DPA shall be governed by and construed in accordance with the law and the jurisdiction of the country or territory which governs the Agreement except as otherwise specified in this DPA, including its Schedules, or required by Applicable Data Protection Law.
15.2 Jurisdiction Specific Terms.
To the extent Telnyx processes Personal Data protected by Applicable Data Protection Laws in a jurisdiction listed in Schedule 4, then the terms specified in Schedule 4 (“Jurisdiction Specific Terms”) apply, and in case of any conflict between the Jurisdiction Specific Terms and any term of this DPA, the applicable Jurisdiction Specific Terms will take precedence.
15.3 Updates.
Telnyx may update the terms of this DPA from time to time where the changes (a) are required to comply with Applicable Data Protection Law, applicable regulation, a court order, or guidance issued by a regulator or agency; (b) do not have a material adverse impact on Customer’s rights under the DPA; or (c) are required as a result of new products or services or material changes to any of the existing Services.
Schedule 1
Details of Processing
1. Nature and Purpose of Processing
1.1 Customer Content.
Telnyx will process Customer Content in accordance with Section 3.1 of this DPA.
1.2 Customer Account Data.
Telnyx will process Customer Account Data as a controller to perform the functions as a communications service provider, which may include but are not limited to:
(a) managing the relationship with the Customer;
(b) carrying out Telnyx’s business operations such as accounting, tax, billing, audit, and compliance;
(c) investigating security issues, fraud, unauthorized or unlawful use of the service, and other misuses;
(d) improving the Services; and
(e) as required by applicable law, rule, or regulation, including but not limited to Applicable Data Protection Law.
2. Duration of Processing
2.1 Telnyx Acting as Processor for Customer Content.
Telnyx will process Customer Content for the duration outlined in Section 9 of this DPA.
2.2 Telnyx Acting as Controller.
Telnyx will process personal data as a controller for as long as needed to provide the Services. Upon termination of the Agreement, Telnyx may retain personal data (a) for the purposes outlined in Section 1.2 of this Schedule 1; or (b) as required by law. Telnyx will promptly delete or anonymize such personal data when Telnyx no longer requires it for the herein mentioned purposes.
3. Types of Personal Data
Telnyx processes personal data contained in Customer Content and Customer Account Data as defined in Section 1 of this DPA.
4. Categories of Data Subjects
4.1 Customer Content.
Customer Content may concern the following categories of data subjects:
- Customer’s authorized users, who are those individuals that are authorized by the Customer to use the Services on behalf of the Customer.
- Customer’s customers and end users.
4.2 Customer Account Data.
Customer Account Data may concern the following categories of data subjects:
- Customer’s employees and agents.
- Customer’s authorized users.
- Customer’s customers and end users.
Schedule 2
Standard Contractual Clauses Decision (EU) 2021/914
Terms applicable to the EEA SCCs:
(i) Clause 7 - the optional docking clause will not apply.
(ii) Clause 9 - Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 (Sub-processors) of this DPA.
(iii) Clause 11 (a) - the optional language will not apply.
(iv) Clause 17 - Option 1 will apply and the Clauses will be governed by the law of Ireland.
(v) Clause 18 - disputes will be resolved before the courts of Ireland.
(vi) Module One (Controller to Controller) of the EEA SCCs applies where Customer is a controller and Telnyx is an independent controller.
(vii) Module Two (Controller to Processor) of the EEA SCCs applies where Customer is a controller and Telnyx is a processor.
(viii) Module Three (Processor to Processor) of the EEA SCCs applies where Customer is a processor and Telnyx is a processor.
Annex I
A. List of Parties
Data exporter(s):
- Name: The company defined as Customer who is a party to the Agreement.
- Address: The address of the Customer as provided in the Agreement.
- Contact details: Customer’s email address associated with their Telnyx account.
- Activities relevant to the data transferred under these Clauses: purchase of Telnyx Services.
- Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.
- Role: The Data Exporter’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.
Data importer(s):
- Name: Telnyx LLC.
- Address: Telnyx’s address specified in the Agreement.
- Contact details: [email protected] and [email protected]
- Activities relevant to the data transferred under these Clauses: Provision of the Services, which includes but is not limited to communications services that enable communications features and capabilities to be embedded into web, desktop, and mobile software applications.
- Signature and date: By entering into the Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.
- Role: The Data Importer’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.
B. Description of Transfer
Categories of data subjects whose personal data is transferred: As described in Section 4 of Schedule 1 (Details of Processing) of this DPA.
Categories of personal data transferred: Telnyx processes personal data contained in Customer Content and Customer Account Data as defined in Section 1 (Definitions) of this DPA.
Sensitive data: N/A
The frequency of the transfer: The data is transferred on a continuous basis.
Nature of the processing: As per Section 1 of Schedule 1 (Details of Processing) of this DPA.
Purpose(s) of the data transfer and further processing: Telnyx processes personal data for the purposes described in Section 1 of Schedule 1 (Details of Processing) of this DPA.
The period for which the personal data will be retained: Telnyx retains data for the duration described in Section 2 of Schedule 1 (Details of Processing) of this DPA.
For transfers to (sub-) processors, the subject matter, nature, and duration of the processing is set forth in the Sub-processors List (refer to Section 4.1 of this DPA).
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies: The Irish supervisory authority is the competent supervisory authority.
Annex II
Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
Description of the technical and organizational security measures implemented by the data importer are as set forth in Section 6.1 of this DPA. The data importer may update its security document from time to time, provided that there is no material degradation to the security and/or privacy of the services.
Annex III – List of Sub-Processors
Module Two: Transfer Controller to Processor
As per the Sub-processors List (in Section 4.1 of this DPA).
Schedule 3
UK International Data Transfer Addendum
Standard Data Protection International Data Transfer Addendum to the EU Commission
Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018
VERSION B1.0 in force 21 March 2022
PART 1: Tables
Table 1: Parties
- Start date: As set forth in the order or Agreement that incorporates these Standard Contractual Clauses by reference or as set forth in the DPA, whichever is later.
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| Parties' details | Full legal name: The company defined as Customer who is party to the Agreement. Trading name (if different): Main address (if a company registered address): The address of the Customer as provided in the Agreement. Official registration number (if any) (company number or similar identifier): As provided in the Agreement. | Full legal name: Telnyx LLC Trading name (if different): Main address (if a company registered address): The Telnyx address specified in the Agreement. Official registration number (if any) (company number or similar identifier): 03125734 |
| Key Contact | Full Name (optional): Job Title: Contact details including email: Customer’s email address associated to their Telnyx account | Full Name (optional): Job Title: Contact details including email: [email protected] and [email protected] |
| Signature (if required for the purpose of Section 2) | By entering into the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum | By entering into the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum |
Table 2: Selected SCCs Modules and Selected Clauses
- Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: As provided in Table 1 above.
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) |
|---|---|---|---|---|---|
| 1 | Yes | Does not apply | Optional language does not apply | ||
| 2 | Yes | Does not apply | Optional language does not apply | Option 2 applies - general authorization | As set forth in Section 4 of the DPA |
| 3 | Yes | Does not apply | Optional language does not apply | Option 2 applies - general authorization | As set forth in Section 4 of the DPA |
Table 3: Appendix Information
Appendix Information means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
- Annex 1A: List of Parties (as set forth in Annex I.A of Schedule 2 of this DPA).
- Annex 1B: Description of Transfer (as set forth in Annex I.B of Schedule 2 of this DPA).
- Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data (as set forth in Annex II of Schedule 2 of this DPA).
- Annex III: List of Sub-processors (Modules 2 and 3 only, as set forth in Annex II of Schedule 2 of this DPA).
Table 4: Ending this Addendum when the Approved Addendum Changes
Which Parties may end this Addendum as set out in Section 19: Importer & Exporter
PART 2: Mandatory Clauses
Mandatory Clauses:
Part 2: Mandatory Clauses of the Approved Addendum being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 as it is revised under Section 18 of those Mandatory Clauses.
Schedule 4
Jurisdiction Specific Terms
Australia:
- The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles (APPs) and the Australian Privacy Act (1988).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
Brazil:
- The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
- The definition of “Processor” includes “Operator” as defined under Applicable Data Protection Law.
- The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to the data subjects.
California:
- The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (collectively the “CCPA”).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law.
- The definition of “Controller” includes “Business” as defined under Applicable Data Protection Law.
- The definition of “Processor” includes “Service Provider” as defined under Applicable Data Protection Law.
- Data Subject Rights include Consumer rights as provided in the CCPA. Telnyx will provide reasonable additional and timely assistance to assist Customer in complying with its obligations with respect to consumer requests as provided in Section 11 of the DPA.
- Telnyx will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Telnyx agrees not to sell or share Customer’s Personal Data or Customer end users’ Personal Data; retain, use, or disclose Customer’s Personal Data for any commercial purpose other than providing the Services; or retain, use, or disclose Customer’s Personal Data outside of the scope of the Agreement. Telnyx understands its obligations under the Applicable Data Protection Law and will comply with them.
- Telnyx certifies that its Sub-processors, as described in Section 4 of the DPA, are Service Providers under Applicable Data Protection Law with whom Telnyx has entered into a written contract that includes terms substantially similar to this DPA. Telnyx conducts appropriate due diligence on its Sub-processors.
- Telnyx will implement and maintain the reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 6 of the DPA.
- Telnyx shall notify the Customer if it makes a determination that it can no longer meet its obligations as Service Provider under the CCPA.
- Upon notice, including if Telnyx notifies the customer that it can no longer meet its obligations, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of personal information.
- Telnyx shall not combine Customer Content that it receives from Customer or on behalf of Customer with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that Telnyx may combine personal information to perform any business purpose as defined in the regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185 of the CPRA, except as provided for in paragraph (6) of subdivision (e) of the CPRA and in regulations adopted by the California Privacy Protection Agency.
- The engagement of Telnyx of a sub-processor/service provider to process personal data will be on written terms which impose upon the service provider data protection obligations to the standard required by Applicable Data Protection Law as provided in Section 4.1 of this DPA.
Canada:
- The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- Telnyx’s Sub-processors, as described in Section 4 of the DPA, are third parties under Applicable Data Protection Law with whom Telnyx has entered into a written contract that includes terms substantially similar to this DPA. Telnyx has conducted appropriate due diligence on its Sub-processors.
- Telnyx will implement technical and organizational measures as set forth in Section 6 of the DPA.
European Union:
- The definition of “Applicable Data Protection Law” includes the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).
Israel:
- The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
- The definition of “Controller” includes “Database Owner” as defined under Applicable Data Protection Law.
- The definition of “Processor” includes “Holder” as defined under Applicable Data Protection Law.
- Telnyx will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Telnyx in accordance with Section 6 of the DPA.
- Telnyx must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 6 of the DPA and complying with the terms of the Agreement.
- Telnyx must ensure that the Personal Data will not be transferred to a Sub-processor unless such Sub-processor has executed an agreement with Telnyx pursuant to Section 4.1 of this DPA.
Japan:
- The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “Controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Telnyx is responsible for the handling of Personal Data in its possession.
Nevada:
- The definition of “Applicable Data Protection Law” includes the Nevada Revised Statutes Chapter 603A.
- The definition of “Personal Data” includes “Personal Information” as defined under the Nevada Revised Statutes Chapter 603A.
Singapore:
- The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
- Telnyx will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 6 of the DPA and complying with the terms of the Agreement.
United Kingdom:
- The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018.
- References in this Addendum to GDPR will be deemed to be references to the corresponding laws of the United Kingdom, this is UK GDPR and Data Protection Act 2018.
Virginia:
- The definition of “Applicable Data Protection Law” includes the Virginia Consumer Data Protection Act 2023 (“VCDPA”).
- The definition of “Data Subject” includes “Consumer” as defined under the VCDPA.