Kemicard – Apple and Google Wallet Cards for Salesforce

PO Box 55056 RPO Windermere, Edmonton AB T6W 5B4

+1-780-237-2142

info@kemisoft.com

Follow Us On:
Linkedin Youtube
Powered by: KEMISOFT
Menu
Schedule a Demo
Free Trial

KEMISOFT DATA PROCESSING ADDENDUM

Last Updated: February 21, 2025.

This Kemisoft Data Processing Agreement and its Annexes (“DPA”) is incorporated into and forms part of the Kemicard Customer Terms of Service between you and us (the “Agreement”). This DPA reflects the parties’ agreement with respect to (i) the Processing of Customer Personal Data by us as a Processor on your behalf, and (ii) the Processing of Controller Personal Data by each party as a Controller in connection with your use of the Kemicard service.

In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over other terms in the Agreement to the extent of such conflict or inconsistency.

The Processor-to-Controller terms apply solely to the extent that Kemicard is a Processor of Customer Personal Data in connection with the Subscription Services.

The Controller-to-Controller terms apply solely to the extent that Customer uses additional Kemicard features or third-party integrations with Personal Data sharing enabled, and each party is considered a Controller under Data Protection Laws.

We update these terms from time to time. If you have an active Kemicard subscription, we will notify you when updates are made through an email if you have subscribed to receive email notifications via the link in our EULA. 

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1- DEFINITIONS

“California Personal Information” means Customer Personal Data that is subject to the protection of the CCPA.

“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or “CPRA”).

“Consumer,” “Business,” “Sell,” “Service Provider,” and “Share” will have the meanings given to them in the CCPA.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.

“Controller Personal Data” means Personal Data that each party Processes as a Controller in connection with the use of Kemicard’s services or third-party integrations, and each party is considered a Controller under Data Protection Laws.

“Customer Personal Data” means Personal Data contained within Customer Data that Kemicard Processes as a Processor on behalf of Customer.

“Customer Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors in connection with the provision of Kemicard’s services. “Customer Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.

“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded, or replaced.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the Processing of Personal Data under the Agreement, including without limitation European Data Protection Laws, the CCPA, and other applicable U.S. federal and state privacy laws, and the data protection and privacy laws of Australia, Canada, Singapore, India, and Japan, in each case as amended, repealed, consolidated, or replaced from time to time.

“Data Subject” means the individual to whom Personal Data relates.

“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

“European Data” means Customer Personal Data that is subject to the protection of European Data Protection Laws.

“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded, or replaced.

“Instructions” means the written, documented instructions issued by Customer to Kemicard, directing Kemicard to perform a specific or general action with regard to Customer Personal Data (including, but not limited to, depersonalizing, blocking, deletion, and making available).

“Permitted Affiliates” means any of your Affiliates that (i) are permitted to use Kemicard’s services pursuant to the Agreement but have not signed their own separate agreement with us and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Customer Personal Data or Controller Personal Data, and (iii) are subject to European Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process,” “Processes,” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

“Restricted Transfer” means transfer of Personal Data originating from Europe to a country that does not provide an adequate level of protection within the meaning of applicable European Data Protection Laws.

“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded, or replaced.

“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the Processing of Customer Personal Data under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any Kemicard employee or consultant.

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2- CUSTOMER RESPONSIBILITIES

2.1. Compliance with Laws

Within the scope of this Agreement and your use of Kemicard’s services, you are responsible for complying with all applicable laws under Data Protection Laws in relation to your processing of Personal Data. This includes ensuring that the data you provide is accurate, obtained legally, and is processed in compliance with relevant transparency and lawfulness requirements under Data Protection Laws. Specific responsibilities include:

  • Ensuring the accuracy, quality, and legality of Customer Personal Data, and verifying the legal means by which such data was acquired.
  • Adhering to all necessary transparency and lawfulness requirements, including providing adequate notices, obtaining necessary consents, and respecting opt-out preferences, especially for marketing purposes.
  • Confirming that you have the right to transfer, or provide access to, Customer Personal Data to Kemicard for processing in accordance with this Agreement.
  • Ensuring compliance with all laws governing email content, consent for sending emails, and related deployment practices.
  • Ensuring that the use of Controller Personal Data is limited to the purposes defined in this Agreement and adheres strictly to Data Protection Laws.

If you cannot comply with any part of these responsibilities, you agree to notify us without undue delay.

2.2 Customer Instructions

You are responsible for ensuring that any instructions you provide to us regarding the processing of Customer Personal Data comply with all applicable Data Protection Laws. The Agreement (including this Data Processing Agreement or DPA), along with your use of the Kemicard Subscription Service in accordance with the Agreement, represents your complete instructions to us for processing Customer Personal Data. You may provide additional instructions, provided they are consistent with the Agreement, lawful, and align with the intended use of the Kemicard Subscription Service.

2.3 Security

You are responsible for determining whether the data security measures provided by Kemicard meet your obligations under applicable Data Protection Laws. You must ensure the security of Customer Personal Data during transmission to and from the Kemicard platform, including through secure backup or encryption practices.

3- KEMICARD OBLIGATIONS AS PROCESSOR

3.1 Compliance with Instructions

Kemicard will process Customer Personal Data only for the purposes described in this DPA or as otherwise directed by your lawful instructions. We are not responsible for complying with Data Protection Laws specific to your industry unless such laws are applicable to Kemicard as well.

3.2 Conflict of Laws

If we become aware that we cannot process Customer Personal Data according to your instructions due to legal requirements under applicable laws, we will:

  • Notify you promptly of such a legal requirement, where permitted.
  • Cease processing (except for storing and securing the affected data) until new lawful instructions are issued.

During this period, Kemicard will not be liable for failure to perform the Subscription Services until lawful instructions are provided.

3.3 Security

Kemicard will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from breaches, as detailed in Annex 2 to this DPA (“Security Measures”). We may update or modify these measures at our discretion, ensuring no material degradation in protection.

3.4 Confidentiality

Kemicard ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

3.5 Customer Personal Data Breaches

Kemicard will notify you promptly after becoming aware of any Customer Personal Data Breach. We will provide necessary information to assist you in notifying relevant authorities or affected individuals, should you be required to do so under Data Protection Laws.

3.6 Deletion or Return of Customer Personal Data

Upon termination or expiration of your Subscription Service, Kemicard will either delete or return all Customer Data, including Personal Data, unless required by law to retain some or all of it. Archived data will be isolated securely and deleted according to our data retention and deletion practices.

If you need assistance retrieving Customer Data during the Subscription Term, we will provide reasonable support at your cost, as per our Confidentiality agreement.

4- DATA SUBJECT REQUESTS

Kemicard’s Subscription Service provides you with several tools to manage Customer Personal Data, including options to retrieve, correct, delete, or restrict it. These tools are designed to help you fulfill your obligations under Data Protection Laws, particularly in relation to responding to requests from Data Subjects exercising their rights under these laws (“Data Subject Requests”).

If you are unable to independently address a Data Subject Request through the Subscription Service, we will provide reasonable assistance upon your written request. We will assist you in responding to any Data Subject Requests or requests from data protection authorities regarding the processing of Customer Personal Data under this Agreement. You agree to reimburse us for the commercially reasonable costs associated with providing this assistance, and we will notify you of these costs in advance.

In the event that a Data Subject Request or any communication regarding Customer Personal Data under this Agreement is made directly to Kemicard, we will promptly inform you and direct the Data Subject to submit their request to you. You will remain solely responsible for responding substantively to any Data Subject Requests or communications related to Customer Personal Data.

5- SUB-PROCESSORS

You agree that Kemicard may engage Sub-Processors to process Customer Personal Data on your behalf. We may do so in three primary ways:

  1. We may engage Sub-Processors to assist with hosting and infrastructure.
  2. We may engage Sub-Processors to support product features and integrations.
  3. We may engage Kemicard Affiliates as Sub-Processors for service and support.

Some Sub-Processors are applied by default, while others may only apply if you opt in.

Currently, we have appointed third parties and Kemicard Affiliates as Sub-Processors, as listed in Annex 3 of this DPA. You may choose to receive notifications by email for updates on Sub-Processors by subscribing to the notifications form available on the Kemicard website. If you opt in, we will notify you at least 30 days before any changes.

You will have the opportunity to object to the engagement of new Sub-Processors on reasonable grounds related to the protection of Customer Personal Data within 30 days of receiving such notice. Should you object, both parties will engage in good faith discussions to resolve the concern. If no resolution is reached, we may, at our discretion, either not appoint the new Sub-Processor or allow you to suspend or terminate the affected Subscription Service in accordance with the Agreement’s termination provisions, without liability to either party (except for fees incurred prior to suspension or termination).

When we engage Sub-Processors, we will ensure that the data protection terms imposed on them provide at least the same level of protection for Customer Personal Data as those outlined in this DPA. We remain responsible for each Sub-Processor’s compliance with this DPA and for any actions or omissions of such Sub-Processors that cause us to breach our obligations under this Agreement.

6- DATA TRANSFERS

You acknowledge and agree that Kemicard may access and process Customer Personal Data globally as necessary to provide the Subscription Service in accordance with the Agreement. Specifically, Customer Personal Data may be transferred to and processed by Kemicard’s operations in various jurisdictions, including the United States and other locations where Kemicard Affiliates and Sub-Processors have operations. Whenever Customer Personal Data is transferred outside its country of origin, both parties will ensure such transfers comply with applicable Data Protection Laws.

7- DEMONSTRATION OF COMPLIANCE

Kemicard will make available all necessary information to demonstrate compliance with this DPA and cooperate with audits, including inspections conducted by you or your auditor, to assess compliance with the terms of this DPA where required by applicable law. You acknowledge that the Subscription Service is hosted by Kemicard’s hosting Sub-Processors, who maintain independently validated security programs (including SOC 2 and ISO 27001). Kemicard’s systems undergo annual audits as part of SOC 2 compliance and regular penetration testing by independent third-party firms.

Upon request, we will supply (on a confidential basis) our SOC 2 report and summary copies of our penetration testing report(s) so you can verify our compliance with this DPA. You may download these documents directly from Kemicard’s Security website. Additionally, at your written request, Kemicard will provide written responses to reasonable information requests necessary for confirming our compliance with this DPA. Please note that you will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect noncompliance.

8- ADDITIONAL PROVISIONS FOR EUROPEAN DATA

8.1 Scope

This ‘Additional Provisions for European Data’ section applies only to European Data that Kemicard processes on your behalf under the Agreement..

8.2 Role of Parties
In processing European Data in accordance with your Instructions, you are either the Controller or acting as a Processor on behalf of another Controller, and Kemicard is the Processor under the Agreement.
8.3 Instructions
If Kemicard believes that your Instruction infringes European Data Protection Laws (where applicable), we will inform you without delay.
8.4 Data Protection Impact Assessments and Consultation with Supervisory Authorities
To the extent reasonably available to us, and if you do not have access to the required information, we will assist you in conducting data protection impact assessments and consultations with supervisory authorities (e.g., the French Data Protection Authority (CNIL), the UK Information Commissioner’s Office (ICO)) as required under European Data Protection Laws.
8.5 Data Transfers
Kemicard will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Customer Personal Data unless necessary measures are taken to ensure compliance with applicable European Data Protection Laws. These measures may include:
  • Transferring the data to a recipient that is covered by a legally adequate transfer mechanism (e.g., the Data Privacy Framework).
  • Transferring the data to a recipient with binding corporate rules authorization.
  • Executing Standard Contractual Clauses for transfers, as required under applicable European Data Protection Laws.

9- ADDITIONAL PROVISIONS FOR CALIFORNIA PERSONAL INFORMATION

9.1 Scope
The ‘Additional Provisions for California Personal Information’ section applies only to California Personal Information that Kemicard processes on your behalf under the Agreement.
9.2 Role of Parties
When processing California Personal Information in accordance with your Instructions, you are the Business, and Kemicard is the Service Provider under the CCPA.
9.3 Responsibilities
Kemicard certifies that we will process California Personal Information only for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the “Business Purpose”), or as otherwise permitted by the CCPA. Kemicard will not:
  • Sell or share California Personal Information.
  • Process California Personal Information outside the direct business relationship between the parties, unless required by law.
  • Combine California Personal Information with Personal Data from other sources, except as required for our obligations as a Service Provider.
9.4 Compliance
Kemicard will:
  • Comply with obligations as a Service Provider under the CCPA.
  • Provide the same level of protection for California Personal Information as required by the CCPA.
  • Notify you if we determine we can no longer meet our obligations under the CCPA.
9.5 CCPA Audits
You may take reasonable steps to ensure that Kemicard uses California Personal Information in compliance with your obligations under the CCPA. Upon notice, you have the right to take reasonable actions to stop and remediate unauthorized use of California Personal Information.
9.6 Not a Sale
Both parties acknowledge that the disclosure of California Personal Information to Kemicard does not form part of any monetary or valuable consideration exchanged between the parties.

10- CONTROLLER-TO-CONTROLLER TERMS

10.1 Scope.
This ‘Controller-to-Controller Terms’ section applies to the extent that Kemicard processes Controller Personal Data in connection with your use of the Kemicard Subscription Service, including but not limited to features like membership engagement and event tracking.
10.2 Role of Parties.
Both parties acknowledge that they are acting as Controllers of Controller Personal Data when processing such data under this Agreement. We will each comply with our respective obligations under Data Protection Laws when handling Controller Personal Data. Nothing in this Agreement or this section shall restrict Kemicard in any way from independently collecting, using, or sharing data processed through your use of our service, including for purposes related to our analytics and service improvements.
10.3 Compliance with Laws.
Each party will ensure that any Controller Personal Data it shares or makes available to the other party has been collected in compliance with Data Protection Laws, including (i) obtaining necessary consent or providing required notices to Data Subjects; (ii) establishing a lawful basis for Processing Controller Personal Data; (iii) implementing adequate technical and organizational measures to protect the data; and (iv) meeting any reporting obligations related to breaches. You are responsible for ensuring your website and systems disclose and facilitate the necessary consents, especially for tracking via Kemicard’s features (e.g., membership tracking, event scanning). Should a Data Subject contact either party to exercise their rights, the contacted party will either fulfill the request directly or work with the other party to ensure compliance. If you determine that you have no lawful basis for processing Enrichment Outputs, you agree to delete such data.
10.4 Demonstration of Compliance.
If either party receives complaints or notices related to the other party’s Processing of Controller Personal Data, we will direct the relevant authority to the other party and, if necessary, provide assistance to facilitate compliance.
10.5 Security.
We will implement reasonable security measures to protect Controller Personal Data, using appropriate physical, technical, and organizational safeguards. For more on our security measures, refer to Kemisoft’s Security Overview.
10.6 CCPA Compliance.
If the California Consumer Privacy Act (CCPA) applies to the processing of Controller Personal Data, both parties agree to: (i) share such data solely for the business purposes outlined in this Agreement; (ii) provide the same level of privacy protection required by the CCPA; (iii) notify the other party promptly if they can no longer comply with the CCPA; and (iv) take appropriate action upon reasonable notice to ensure that the receiving party uses the data in a manner consistent with CCPA requirements.

11- TRANSFER MECHANISMS

In cases where the transfer of Customer Personal Data or Controller Personal Data involves a Restricted Transfer, and European Data Protection Laws require appropriate safeguards, Kemicard will comply with the following:

11.1 Data Privacy Framework.
Kemicard participates in and certifies compliance with the Data Privacy Framework. To the extent that this Framework applies, Kemicard will rely on it to lawfully receive Customer Personal Data and Controller Personal Data in the United States, ensuring that the data is protected as required by the Data Privacy Framework Principles. We will notify you if we can no longer comply with this requirement.
11.2 Standard Contractual Clauses.
If European Data Protection Laws require additional safeguards (such as in the case where the Data Privacy Framework does not cover the transfer), the Standard Contractual Clauses (SCCs) will apply as follows:

(A) For Customer Personal Data processed as a Processor: Module Two terms apply where you are the Controller, and Module Three terms apply if you are a Processor. We will notify you of any changes to Sub-Processors in line with the DPA’s ‘Sub-Processors’ section. Additionally, we will comply with Clause 9 (notification of changes to Sub-Processors) and Clause 11 (governing law), as per the Jurisdiction Specific Terms.

(B) For Controller Personal Data: Module One terms apply when both parties are Controllers. The same procedural and governance terms as above apply.

(C) For Personal Data under the UK GDPR: The SCCs will be modified to comply with the UK Addendum, with Tables 1, 2, and 3 completed with DPA details and Table 4 marked “neither party.”

(D) For Swiss DPA: The SCCs will be adapted to reflect Swiss law, with references to the “EU” or “Union” adjusted to “Swiss law,” and any applicable supervisory authorities changed to the Swiss Federal Data Protection and Information Commissioner.

(E) For Customer Personal Data processed as a Processor: We will fulfill obligations under the ‘Sub-Processors’ section of the DPA and make reasonable efforts to ensure Sub-Processors allow disclosure of relevant agreements to you.

11.3 Alternative Transfer Mechanism.
If Kemicard is required to adopt an alternative transfer mechanism under European Data Protection Laws, you agree to execute the necessary documents or take action to ensure the legal effect of the alternative mechanism. This will apply automatically and supersede the mechanisms described above where necessary.

12- GENERAL PROVISIONS

12.1 Amendments.
Notwithstanding anything else to the contrary in this Agreement, and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, Kemicard reserves the right to update or change this DPA at any time. Any such changes will be communicated to you, and the terms in the ‘Amendment; No Waiver’ section of the General Terms will apply.
12.2 Severability.
If any provision of this DPA is found to be invalid or unenforceable, the validity and enforceability of the other provisions will remain unaffected.
12.3 Limitation of Liability.
Each party’s and its Affiliates’ aggregate liability under this DPA, including any other data processing agreements between the parties, will be subject to the limitations and exclusions outlined in the ‘Limitation of Liability’ section of the General Terms. References to ‘Kemisoft’ or ‘Kemisoft, Inc.’ will include both Kemisoft and the Kemicard entity. However, in no event will either party’s liability be limited concerning any individual’s data protection rights under this DPA or any other related data processing agreements.
12.4 Governing Law.
This DPA will be governed by and construed in accordance with the ‘Contracting Entity; Applicable Law; Notice’ sections of the Jurisdiction Specific Terms unless otherwise required by Data Protection Laws.

13- PARTIES TO THIS DPA

13.1 Permitted Affiliates.
By entering into this Agreement, you agree to this DPA (including the Standard Contractual Clauses, where applicable) on behalf of yourself and your Permitted Affiliates. The terms “Customer,” “you,” and “your” in this DPA refer to you and your Permitted Affiliates, unless specified otherwise.
13.2 Authorization.
The legal entity agreeing to this DPA on behalf of Kemicard confirms that it is authorized to enter into this DPA for itself and, if applicable, its Permitted Affiliates.
13.3 Remedies.
Only the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy available under this DPA on behalf of its Affiliates. This entity will manage and coordinate all instructions, authorizations, and communications with Kemicard related to the DPA, and will act on behalf of all Permitted Affiliates in a combined manner.
13.4 Other Rights.
When reviewing Kemicard’s compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, you agree to minimize the impact on Kemicard by combining any audit requests for the Customer entity and all of its Permitted Affiliates into a single audit request, when feasible.

ANNEX 1A

DETAILS OF PROCESSING – KEMICARD AS PROCESSOR
1- LIST OF PARTIES

Data exporter:

  • Name: The Customer, as defined in the Kemicard Terms of Service (on behalf of itself and Permitted Affiliates)
  • Address: The Customer’s address, as set out in the Order Form
  • Contact person’s name, position, and contact details: The Customer’s contact details, as set out in the Order Form and/or as provided in the Customer’s Kemicard account
  • Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer’s use of the Kemicard Subscription Services under the Kemicard Terms of Service
  • Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, or as a Processor on behalf of another Controller)

Data importer:

  • Name: Kemicard
  • Address: Kemicard headquarters, 140 Hays Ridge Blvd SW, Edmonton, AB T6W 4Y1, Canada.
  • Contact person’s name, position, and contact details: Christine Mikhaiel, Data Protection Officer, Kemicard, 140 Hays Ridge Blvd SW, Edmonton, AB T6W 4Y1, Canada.
  • Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer’s use of the Kemicard Subscription Services under the Kemicard Terms of Service
  • Role (controller/processor): Processor
1- DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is Transferred:

You may submit Customer Personal Data in the course of using the Kemicard Subscription Service, the extent of which is determined and controlled by you in your sole discretion. This may include, but is not limited to, Customer Personal Data related to the following categories of Data Subjects:

  • Your contacts, members, employees, contractors, collaborators, customers, prospects, suppliers, subcontractors, or any other individuals associated with your business who interact with or receive services via Kemicard. Data Subjects may also include individuals attempting to communicate with or transfer Customer Personal Data to your end users.
Categories of Personal Data Transferred:

You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  1. Contact Information (as defined in the General Terms).
  2. Any other Personal Data submitted, sent to, or received by you or your end users, via the Subscription Service.

Sensitive Data Transferred and Applied Restrictions or Safeguards:

The processing of Sensitive Data, if applicable, is subject to scope limitations, restrictions, and safeguards mutually agreed upon by the parties, as reflected in the Agreement.

Frequency of the Transfer:

Continuous

Nature of the Processing:

Customer Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

  1. Storage and other Processing necessary to provide, maintain, and improve the Subscription Services provided to you.
  2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose of the Transfer and Further Processing:

We will Process Customer Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.

Period for which Personal Data will be retained:

Subject to the ‘Deletion or Return of Customer Personal Data’ section of this DPA, Kemicard will Process Customer Personal Data for the duration of the Agreement unless otherwise agreed in writing.

ANNEX 1B

DETAILS OF PROCESSING – KEMICARD AS CONTROLLER
1- LIST OF PARTIES

Data exporter/importer: Customer

  • Name: The Customer, as defined in the Kemicard Terms of Service (on behalf of itself and Permitted Affiliates)
  • Address: The Customer’s address, as set out in the Order Form
  • Contact person’s name, position, and contact details, including email: The Customer’s contact details, as set out in the Order Form and/or as provided in the Customer’s Kemicard account
  • Activities relevant to the data transferred under these Clauses: Processing of Controller Personal Data in connection with Customer’s use of Kemicard Subscription Services
  • Role (controller/processor): Controller

Data exporter/importer: Kemicard

  • Name: Kemicard
  • Address: Kemicard headquarters, 140 Hays Ridge Blvd SW, Edmonton, AB T6W 4Y1, Canada.
  • Contact person’s name, position, and contact details: Christine Mikhaiel, Data Protection Officer, Kemicard, 140 Hays Ridge Blvd SW, Edmonton, AB T6W 4Y1, Canada.
  • Activities relevant to the data transferred under these Clauses: Processing of Controller Personal Data in connection with Customer’s use of Kemicard Subscription Services
  • Role (controller/processor): Controller
1- DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is Transferred:

Individuals associated with a company or other institution, including but not limited to members, employees, contractors, collaborators, customers, and prospects.

Categories of Personal Data Transferred:

Professional data, which may include but is not limited to:

  1. First and last name
  2. Business email address
  3. Business employer
  4. Business role
  5. Professional title
  6. IP address
  7. Online identifiers
  8. Other similar information related to the use of Kemicard services

Sensitive Data Transferred and Applied Restrictions or Safeguards:

The parties do not anticipate the transfer of sensitive data under this agreement.

Frequency of the Transfer:

Continuous

Nature of the Processing:

Controller Personal Data will be Processed in accordance with the Agreement and may be subject to the following Processing activities:

  1. Storage and other Processing of Customer Data (such as personal identifiers, membership details, event attendance) by Kemicard necessary to provide, maintain, and improve the Kemicard Subscription Services.
  2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose(s) of the Transfer and Further Processing:

Controller Personal Data will be transferred for the purposes contemplated in the Agreement, including to provide Customer with membership and event-related services and to improve, enhance, and develop Kemicard’s digital pass platform and Subscription Services.

Period for which Personal Data will be Retained:

Controller Personal Data will be Processed and retained by the parties in accordance with their respective data retention policies or as otherwise set out under the Agreement.

ANNEX 2

SECURITY MEASURES

Kemisoft (the provider of Kemicard) is committed to ensuring the security and privacy of its customers’ data. As part of this commitment, Kemicard observes the security measures outlined in this Annex 2. All capitalized terms not otherwise defined herein will have the meanings set forth in the General Terms. For more information on these security measures, please refer to Kemicard’s Security Overview and Penetration Test Summaries available at https://kemicard.com/trust-center/

1- INFORMATION SECURITY POLICY

Kemicard maintains and adheres to an internal, written Information Security Policy. This policy defines the security standards and practices for protecting Customer Data across the service infrastructure. Customers can visit Kemicard’s Security Center for an overview of these security standards.

2- ACCESS CONTROL

2.1 Preventing Unauthorized Product Access
  • Outsourced Processing: Kemicard hosts its service with outsourced cloud infrastructure providers. We have established contractual relationships with these vendors to ensure that data is processed and stored in accordance with the DPA. These vendors’ compliance programs, privacy policies, and contractual agreements ensure the protection of data.
  • Physical and Environmental Security: Our product infrastructure is hosted with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at their data centers. Both the physical and environmental security of these infrastructure providers are audited for compliance with SOC 2 Type II, ISO 27001, and other relevant certifications.
  • Authentication: Kemicard implements a robust password policy to ensure that customers authenticate before accessing Customer Data within their accounts.
  • Authorization: Customer Data is stored in secure multi-tenant storage systems and can only be accessed through authorized user interfaces and application programming interfaces (APIs). We employ a strict access control model to ensure that only authorized individuals can view and interact with relevant features and data.
  • Application Programming Interface (API) Access: Public APIs are secured using OAuth authorization or private app tokens.
2.2 Preventing Unauthorized Product Use
  • Access Controls: Kemicard uses network access control mechanisms to restrict unauthorized network traffic. These mechanisms include Virtual Private Cloud (VPC) configurations, security groups, and traditional firewall rules.
  • Intrusion Detection and Prevention: A Web Application Firewall (WAF) solution is used to protect customer websites and other internet-accessible applications hosted by Kemicard. This solution detects and prevents potential attacks on public-facing services.
  • Static Code Analysis: Our source code is regularly analyzed using automated tools to detect software flaws and ensure compliance with best practices.
  • Endpoint Hardening: Workstations and endpoints used by employees are hardened to industry standards, utilizing anti-malware software, endpoint detection, and regular updates.
2.3 Limitations of Privilege and Authorization Requirements
  • Privileged Access Management: Privileged access is tightly controlled using “Just in Time Access” (JITA) and is monitored and removed as necessary to ensure security. Non-personal accounts used for system access are secured in a vault with additional access controls.
  • Product Access: A subset of employees is granted access to the products and customer data to provide effective support, development, research, and troubleshooting. All such access is logged, and high-risk access permissions are reviewed regularly.

3- TRANSMISSION CONTROL

  • In-Transit: Kemicard requires HTTPS encryption (SSL/TLS) on all login interfaces and for every customer site hosted on the service. Industry-standard encryption algorithms and certificates are used for this process.
  • At-Rest: Customer Data, including sensitive information, is stored using encryption technologies that align with industry standards. This layered approach ensures that all data is securely stored.

4- INCIDENT MANAGEMENT, LOGGING, AND MONITORING

  • Incident Response Plan: Kemicard maintains a written Incident Response Plan, which includes playbooks and procedures for addressing security incidents in accordance with the standards set in the Agreement.
  • Detection: Extensive logging is employed across our infrastructure to detect and monitor system behavior, traffic, and authentication events. Alerts are generated for any unusual activities that may indicate a potential security issue.
  • Response and Tracking: Suspected security incidents are thoroughly investigated by security and operations personnel. All confirmed incidents are tracked, and the necessary resolution steps are documented. If an incident involves customer data, we will notify the customer as per the terms of the Agreement.

5- AVAILABILITY CONTROL

  • Infrastructure Availability: Our cloud infrastructure providers use commercially reasonable efforts to ensure a minimum uptime of 99.95%. They maintain N+1 redundancy for power, network, and HVAC services.
  • Fault Tolerance: Redundancy and failover protections are built into the system to ensure that customer data remains available during significant processing failures.
  • Disaster Recovery Plans: Kemicard maintains and regularly tests disaster recovery plans to ensure the availability of information and services following an interruption.

6- VULNERABILITY MANAGEMENT PROGRAM

  • Vulnerability Remediation Schedule: Kemicard maintains a vulnerability remediation schedule, using a risk-based approach to assess, address, and prioritize vulnerabilities.
  • Vulnerability Scanning: We conduct daily vulnerability scans on all products to detect and address potential security risks.
  • Penetration Testing: We work with industry-recognized penetration testing services to conduct annual penetration tests on both our web applications and internal network. These tests help identify vulnerabilities and mitigate their risks.
  • Bug Bounty: We run a bug bounty program to encourage independent security researchers to identify and disclose security flaws, helping us improve product security.

7- PERSONNEL MANAGEMENT

  • Staffing and Training: Kemicard staffs qualified personnel responsible for developing, maintaining, and enhancing the security program. All employees are trained on security policies and procedures relevant to their roles.
  • Background Checks: Where permissible by law, Kemicard employees undergo background checks to ensure that we hire individuals who meet our security standards. All employees must adhere to our company guidelines, non-disclosure requirements, and ethical standards.

ANNEX 3

SUB-PROCESSORS

To assist in delivering the Kemicard Service, Kemisoft may engage Sub-Processors to support various data processing activities. A list of our Sub-Processors, along with the purpose for engaging them, is available on the Kemicard Sub-Processors Page, which is incorporated into this DPA.