DPA 

DATA PROTECTION ADDENDUM

DATA PROTECTION ADDENDUM

This Data Protection Addendum (the "Addendum") is incorporated into and forms part of the agreement you have entered into with the applicable CrissCross group entity defined in the table below ("CrissCross", "we", "us", and "our") (each a "party", and together the "parties") (the "Agreement"). 

The following table sets out the different CrissCross group entities to which this Addendum applies as well as their relevant role under each applicable Agreement:

Entity

Agreement

Role

Drinela UAB 

Master Services Agreement

Controller; OR Joint controller or processor, only when so determined by a Supervisory Authority or a court of law.

CrissCross Tech (Pty) Ltd

Master Services Agreement

Controller; OR Joint controller or processor, only when so determined by a Supervisory Authority or a court of law

  1. This Addendum is divided into the following parts: 
    1. Part 1 General Terms - these terms apply irrespective of the role of the parties; 
    2. Part 2 Joint Controller Terms - these terms apply only where the parties act as joint controllers; 
    3. Part 3 Controller Terms - these terms apply where CrissCross acts as an independent controller; 
    4. Part 4 Processor Terms - these terms apply where CrissCross act as a processor; and
    5. Part 5 Glossary And Order Of Precedence - setting out the defined terms in this Addendum, its corresponding meaning, and the order of precedence in the event of a conflict relating to this Addendum and the Agreement.

Part 1 - General Terms

  1. Scope And Purpose
    1. This Addendum sets out the principles and procedures that CrissCross shall adhere to and the additional terms, requirements and conditions on which we will process the Protected Data. When providing the Services to you and otherwise exercising and performing our rights and obligations under the Agreement, we may act as a joint controller, independent controller, or processor of Protected Data. 
    2. Nothing in this Addendum reduces or replaces the parties' obligations under the Data Protection Laws in relation to the protection of personal data. 
    3. Subject to paragraph 1.4 of this Part 1, CrissCross shall process the Protected Data only for the following permitted purposes (“Permitted Purpose”):
      1. provision of the Services, or in contemplation thereof;
      2. performance and exercise of our rights and obligations under the Agreement;
      3. our legitimate business purposes, including, compliance with our legal and regulatory obligations, IT security and administration purposes or for any other purposes set out in Schedule 1 to this Addendum (as applicable).
    4. Each party shall process the Protected Data in compliance with: 
      1. the Data Protection Laws; and 
      2. the terms of this Addendum. 
    5. CrissCross has a Data Protection Officer and any queries relating to this Addendum and/or the processing of personal data by us should be sent to our data protection team at compliance@crisscross.money and james@crisscross.money. We will maintain any valid registrations and/or pay such fees as required by our Supervisory Authorities and which (where relevant) covers the intended data processing pursuant to this Addendum.
  2. Technical and Organisational Measures
    1. CrissCross shall only provide the Protected Data to another third party by using secure methods as set out in Schedule 2 to this Addendum.
    2. CrissCross shall implement and maintain, appropriate technical and organisational measures to: 
      1. ensure that the processing of the Protected Data will meet the requirements of the Data Protection Laws and ensure the protection of the rights of data subjects; and 
      2. ensure the security, integrity, availability, and confidentiality of the Protected Data and protect against unauthorised or unlawful processing of the Protected Data, accidental loss or destruction of, or damage to Protected Data such measures to be appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected. 
    3. The level of technical and organisational measures as at the Commencement Date having regard to the matters referred to in paragraph 2.2 of this Part 1 is as set out in Schedule 2 to this Addendum. The measures shall be regularly tested, assessed, and evaluated to assess their effectiveness in ensuring the security of the processing and we shall maintain records of such testing. CrissCross shall keep the measures under review and shall carry out such updates as we may deem appropriate throughout the Data Processing Term. 
    4. CrissCross will ensure that our personnel involved in the processing of Protected Data are appropriately trained to handle and process the Protected Data in accordance with the technical and organisational security measures set out in Schedule 2 to this Addendum together with any applicable Data Protection Laws and guidance from a relevant Supervisory Authority. 
    5. The level, content and regularity of training referred to in paragraph 2.4 shall be proportionate to the personnel's role, responsibility, and frequency with respect to their handling and processing of the Protected Data.
    6. Our Personnel are subject to written confidentiality obligations which cover their processing of any Protected Data.
  3. International Data Transfers
    1. International data transfers between us. To the extent your use of the Services requires under the Data Protection Laws an onward transfer mechanism for CrissCross to lawfully transfer Protected Data from our jurisdiction, including Lithuania or any such other jurisdiction where we operate, to your jurisdiction (if you are located outside of the EEA and we are required to have Appropriate Safeguards in place) ("Transfer Mechanism"), the terms set forth in Schedule 3 (Cross Border Transfers) of this Addendum will apply. 
    2. International data transfers to other third parties. CrissCross will not transfer, access or process Protected Data outside of the EEA including to a Sub-Processor located in such a country or territory unless: 
      1. there is a European Union finding of adequacy in respect of that country or territory pursuant to Article 45 GDPR or as otherwise provided under the Data Protection Laws; 
      2. CrissCross have ensured that any such transfer complies with the Data Protection Laws by having in place Appropriate Safeguards and we have taken steps to satisfy ourselves that: 
        1. the level of protection afforded to the Protected Data in the destination country or territory is equivalent to the level of protection that would be afforded to Protected Data in the EEA; 
        2. any data importer shall provide us with relevant sources and information relating to the destination country or territory and the laws applicable to the transfer in that destination country in order to substantiate the matters set out in 3.2.2.1; and 
        3. any data importer is contractually obliged to keep us informed of any development affecting or likely to affect the level of protection your transferred Protected Data receives in the importer's country; or 
      3. CrissCross are otherwise permitted to do so by virtue of a derogation in Article 49 of the GDPR or as otherwise provided under the Data Protection Laws. 
    3. If, for whatever reason, the transfer of Protected Data pursuant to paragraphs 3.2.1, 3.2.2 or 3.2.3 of this Part 1 - General Terms ceases to be lawful, CrissCross will immediately implement other Appropriate Safeguards and ensure that the level of protection afforded to the Protected Data in the destination country or territory is equivalent to the level of protection that would be afforded to Protected Data in the EEA. Where we cannot do that, we will cease any such transfer of Protected Data unless you expressly authorise the transfer to continue.
  4. Using Processors
    1. Where CrissCross engage a Processor or Sub-Processor to carry out any processing activities in respect of Protected Data, we will: 
      1. ensure that there is a written contract in place with each Processor or Sub-Processor which requires the Processor or Sub-Processor to only carry out such processing as may be necessary from time to time for the purposes of its engagement by us in connection with the Agreement and to comply with terms and conditions which offer materially the same level of protection for the Protected Data as those set out in this Part 1-General Term; 
      2. be responsible for the acts and omissions of any Processor or Sub-Processor in the performance of its data processing obligations under the Agreement as if they were our own acts and omissions. 
    2. CrissCross will ensure that all persons authorised by us (or by any Processor or Sub-Processor) to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case we will, where practicable and not prohibited by Applicable Law, notify you of any such requirement before such disclosure).
  5. Records
    1. CrissCross will maintain complete, accurate and up-to-date written records of all categories of processing activities carried out in accordance with the Data Protection Laws (the "Records").
  6. Reporting and General Obligations
    1. CrissCross will comply with our obligations under the Data Protection Laws to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) to the data subjects. 
    2. CrissCross will notify you promptly (and in any event within 48 (forty eight) hours) if we become aware of a Personal Data Breach by us or otherwise in connection with the Services and provide you with full details of the Personal Data Breach. We will provide reasonable co-operation and assistance to you as is necessary to facilitate the handling of a Personal Data Breach in an efficient and compliant manner and to enable us to comply with our obligations under the Data Protection Laws. We will not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach by us or otherwise in connection with the Services unless required to do so under the Data Protection Laws and/or by a Supervisory Authority, in which case, we will notify you in advance of such requirement. 
    3. CrissCross will take prompt action to investigate any Personal Data Breach involving Protected Data and to identify, prevent and mitigate the effects of and to remedy any such Personal Data Breach. 
    4. CrissCross will act reasonably to keep you informed of ongoing developments in relation to any Personal Data Breach.
  7. Your Obligations
    1. Irrespective of whether CrissCross act as a joint controller, controller, or processor: 
      1. you are solely responsible for making an independent determination as to whether the technical and organisational measures implemented by you are adequate and meet the requirements of the Data Protection Laws and any other obligations you have under Applicable Laws; 
      2. you will comply, at all times, with your obligations as a controller or joint controller (as applicable) and will provide your services to clients in compliance with the Data Protection Laws; 
      3. you will maintain any valid registrations and pay any fees as required by your Supervisory Authority to cover your processing activities including those contemplated under the Agreement; 
      4. you will maintain adequate data processing, privacy and IT security policies in relation to your processing of personal data and any cyber security incident that meet the requirements of Data Protection Laws. You will comply with and procure that your personnel comply at all times with such policies. You will ensure that your personnel are subject to written confidentiality obligations which cover their processing of personal data. Where specific control requirements are deemed by us to be not applicable to the Services, we may agree to waive or amend some of the requirements by notifying you of such waiver or amendment in writing; 
      5. you will provide all necessary, fair and transparent information and notices to, and obtain all necessary consents from, any data subjects whose Protected Data are processed pursuant to this Addendum (including any personnel, any third parties and customers), so that CrissCross are lawfully able to use or otherwise process this Protected Data for the Permitted Purpose pursuant to this Addendum without needing any further consent, approval or authorisation and upon our request from time to time, you will consult with us, and comply with our reasonable requests in relation to the same. You will ensure that such information and notices detail the purposes of processing of Protected Data as required for the Permitted Purpose, the legal basis for such processing, the recipients of the Protected Data and such other information as required to be given by a controller to data subjects under the Data Protection Laws; 
      6. if requested by CrissCross, you will promptly provide reasonable evidence to us that you have provided all necessary information and notices to and obtained all necessary consents from data subjects and otherwise complied with your obligations under the Data Protection Laws; 
      7. CrissCross will be entitled to assume that any disclosure or transfer of personal data to us by you (directly or indirectly) is done so in a manner which is compliant with the Data Protection Laws; 
      8. you will ensure that any personal data you disclose or otherwise transfer to us is accurate; 
      9. you will not disclose or transfer to us, any excessive or irrelevant personal data that is not required by us in connection with the performance of the Services or otherwise for the Permitted Purpose and you will ensure that you delete from any documents that you disclose or transfer to us any such excessive or irrelevant personal data; 
      10. you will notify CrissCross promptly (and in any event within 48 (forty eight) hours) if you become aware of a Personal Data Breach by us or otherwise in connection with the Services and provide us with full details of the Personal Data Breach. You will provide reasonable co-operation and assistance to us as is necessary to facilitate the handling of a Personal Data Breach in an expeditious and compliant manner and to enable us to comply with our obligations under the Data Protection Laws. You will not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach by us or otherwise in connection with the Services unless required to do so under the Data Protection Laws and/or by a Supervisory Authority, in which case, you will notify us in advance of such requirement; 
      11. you will notify CrissCross promptly (where legally permissible and within no more than 2 (two) business days) if you receive or become aware of a Data Complaint and you will provide reasonable co-operation and assistance to us as is necessary to deal with such Data Complaint; 
      12. you will provide CrissCross with reasonable cooperation and assistance as may be required from time to time to enable us to comply with our obligations under the Data Protection Laws including those obligations relating to security, Data Subject Requests, data protection impact assessments and consultations with a Supervisory Authority; and 
      13. you will comply with any additional obligations imposed on you in the other parts of this Addendum.

  1. Data Retention
    1. CrissCross will not retain Protected Data for longer than is necessary to carry out any Permitted Purpose. 
    2. CrissCross will maintain and comply with our data retention policy, details of which we will provide to you on written request.

Part 2 - Joint Controller Terms

Where the parties process Protected Data as joint controllers under or otherwise in connection with the Agreement (“Joint Data”), the provisions set out in this Part 2 - Joint Controller Terms will apply to the processing of Joint Data by the parties, in addition to Part 1 – General Terms. 

  1. Processing Joint Data 
    1. Each party will comply with its controller obligations in the Data Protection Laws in connection with its processing of Joint Data. 
    2. Each party agrees that: 
      1. for the Joint Data, the parties act together to determine the purpose and means of processing; 
      2. it will process the Joint Data solely for the Permitted Purpose and in accordance with Schedule 1 as updated from time to time;
      3. it will ensure that the Joint Data has been collected, processed, and transferred in accordance with the Data Protection Laws as applicable to that Joint Data; 
      4. it will be responsible for providing all necessary, fair and transparent information and notices to data subjects and will ensure that such information and notices details the processing of Joint Data as required for the Permitted Purpose, the legal basis for such processing, the recipients of the Joint Data (including the other party, any third parties or a regulator) and such other information as required to be given by a controller to data subjects under the Data Protection Laws. Such information and notices will be transparent as to the arrangement between the parties in compliance with the Data Protection Laws;  
      5. it will co-operate with the other party to provide any information reasonably required to enable the other party to produce and publish its information and notices in accordance with paragraph 1.2.4 of this Part 2 – Joint Controller Terms;  
      6. it will ensure that any data subject who wants to make a Data Subject Request has an easily accessible point of contact to do so; and 
      7. it will reasonably assist the other party in ensuring compliance with the other party's obligations under the Data Protection Laws with respect to security, Personal Data Breach notifications, data protection impact assessments and consultations with Supervisory Authorities, in so far as they relate to the processing of Joint Data.  
  2. Data Subject Requests and Data Complaint Handling 
    1. If a party receives a Data Subject Request and/or a Data Complaint relating to the processing of Joint Data, it will promptly notify the other party (and in any event within 48 (forty-eight) hours of receipt of the Data Subject Request) and comply with the provisions of this paragraph 2. 
    2. As between the parties, responsibility for compliance with and responding to: 
      1. any Data Subject Request - falls on the party which first received such Data Subject Request; and 
      2. any Data Complaint regarding the processing of Joint Data - falls on the party which receives the Data Complaint, 

unless agreed otherwise by the parties.

  1. The parties will provide reasonable assistance to one another to assist with handling Data Subject Requests and Data Complaints relating to the processing of Joint Data. Each party will deal with a Data Subject Request or a Data Complaint relating to the processing of Joint Data, in a timely and professional manner and in accordance with the requirements of the Data Protection Laws (including with respect to any timescales). 
  2. Neither party will respond to a Data Subject Request or Data Complaint relating to the processing of Joint Data, without consultation with the other party, unless such failure to respond would cause it to be in breach of the Data Protection Laws and/or it is requested to respond by a Supervisory Authority. 
  1. Personal Data Breaches 
    1. If a Personal Data Breach occurs in relation to the Joint Data processed by either party: 
      1. the party that discovers the Personal Data Breach will notify the other party without undue delay (and in any event within 48 (forty-eight) hours of becoming aware of the Personal Data Breach), and will provide a detailed description of the Personal Data Breach, including the details of the type of data and the identity of the affected person(s) as soon as such information can be collected or otherwise becomes available, as well as any other information that the other party may reasonably request from time to time; 
      2. the parties will reasonably cooperate to determine the cause of the Personal Data Breach and who should notify the Supervisory Authority and/or the data subject(s) if required. In the absence of any agreement, we will be entitled to notify the Supervisory Authority and/or data subject(s); and 
      3. the party suffering the Personal Data Breach will take action immediately to carry out any recovery or other action necessary to remedy the Personal Data Breach. If you become aware of a Personal Data Breach in relation to the Joint Data, you will notify us by email at compliance@crisscross.money and james@crisscross.money

Part 3 - Controller Terms

Where we process Protected Data as an independent controller under or otherwise in connection with the Agreement (“Controller Data”), the provisions set out in this Part 3 Controller Terms will apply to the processing of Controller Data by us, in addition to Part 1 – General Terms. 

  1. Processing Controller Data We will comply with our controller obligations under the Data Protection Laws in connection with our processing of Controller Data. 
    1. We will:
      1. process the Controller Data solely for the Permitted Purpose and in accordance with Schedule 1 to this Addendum as updated from time to time; 
      2. provide all necessary, fair and transparent information and notices to data subjects and will ensure that such information and notices detail the processing of Controller as required for the Permitted Purpose, the legal basis for such processing, the recipients of the Controller Data (including third parties or a regulator) and such other information as required to be given by a controller to data subjects under the Data Protection Laws; and 
      3. ensure that any data subject who wants to make a Data Subject Request in connection with Controller Data has an easily accessible point of contact to do so. 
  2. Data Subject Requests 
    1. If you receive a Data Subject Request and/or a Data Complaint relating to the processing of Controller Data, to the extent legally permissible, you will promptly notify us  (and in any event within 48 (forty-eight) hours of receipt of the Data Subject Request and/or Data Complaint) by email at compliance@crisscross.money and james@crisscross.money, and, unless otherwise required under Applicable Law or by a Supervisory Authority, we, as controller, will be responsible for and will handle such Data Subject Request and/or Data Complaint in compliance with the Data Protection Laws.

Part 4 - Processor Terms

Where we process Protected Data as a processor for you under or otherwise in connection with the Agreement, the provisions set out in this Part 4 – Processor Terms will apply to the processing of Protected Data by us, in addition to Part 1 – General Terms. 

  1. Instructions and Details of Processing 
    1. Insofar as  we process Protected Data on behalf of you, we shall: 
      1. unless required to do otherwise by Applicable Laws, (and shall take steps to ensure each person acting under our authority shall) process the Protected Data only on and in accordance with the Agreement, Schedule 1 to this Addendum and any other documented instructions from you (“Processing Instructions”); and 
      2. if Applicable Laws require us to process Protected Data other than in accordance with the Processing Instructions, notify you of any such requirement before processing the Protected Data (unless Applicable Laws prohibit such information on important grounds of public interest). 
  2. Personnel and Other Processors 
    1. We will not engage a Sub-Processor to carry out any processing activities in respect of the Protected Data without notifying you, and subject to compliance by us with paragraphs 2.2 and 2.3 of this Part 4, and paragraph 3 of Part 1 above. You are deemed to have provided your approval where you have not objected to the new proposed SubProcessor within thirty (30) calendar days from the date you received the notice from us.  
    2. We will: 
      1. provide details to you of any Sub-Processor;
      2. notify you thirty (30) days in advance of any change in a Sub-Processor (through the addition or replacement of a Sub-Processor) and shall provide such information as necessary to enable you to decide whether to consent to the change. You shall be entitled to object to any change in the Sub-Processor and at your discretion (not to be unreasonably exercised) may elect to terminate the Agreement or that part of the Agreement that involves processing of the Protected Data by the Sub-Processor in the event that the we fail to take the steps suggested by you to address the objection and otherwise do not cease to use the relevant Sub-Processor; 
      3. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing obligations which offer materially the same level of protection for the Protected Data as those set out in this Addendum, including an obligation on the Sub-Processor to provide sufficient guarantees to implement equivalent technical and organisational measures in accordance with paragraph 3 of this Part 4 and to delete or return the Protected Data in accordance with paragraph 7 of this Part 4. The contract with the Sub-Processor shall state that compliance with the obligations may be enforced by  you  including if we cease to exist or become insolvent. On request by you, we shall provide a copy of the contract with the Sub-Processor. We may redact the text of the contract to the extent necessary to protect confidential information including any personal data; and 
      4. notify you of any failure by a Sub-Processor to fulfill its contractual obligations referred to in paragraph 2.2.3 of this Part 4. 
    3. We will ensure that all persons authorised by us (or by any Sub-Processor) to process Protected Data are subject to an obligation to keep the Protected Data confidential. We shall grant access to the Protected Data to members of the personnel on an "as needed basis" for the Permitted Purposes only. 
    4. We will remain fully liable to you for any and all acts and omissions of any Sub- Processor, and any persons authorised by us (or by any Sub-Processor) to process Protected Data as if they were our own. 
  3. Technical and Organisational Measures 
    1. We will implement and maintain appropriate technical and organisational measures in accordance with paragraph 2 of Part 1 above, to: 
      1. ensure that the processing of Protected Data will meet the minimum requirements of the Data Protection Laws and ensure the protection of the rights of data subjects; and
      2. provide reasonable assistance to you in responding to Data Subject Requests relating to Protected Data. 
  4. Information and Audit 
    1. Subject to paragraph 4.2 of this Part 4, we will, in accordance with Data Protection Laws, as is reasonably necessary to demonstrate our compliance with our obligations under Part 1 – General Terms, this Part 4 - Processor Terms and the Data Protection Laws (unless providing this information would be in breach of Applicable Laws, in which case we will inform you to the extent we are permitted by Applicable Laws to do so):
      1. as soon as reasonably practicable make available to you the Records, unless providing such information infringes the Data Protection Laws or any Applicable Law (in which case, we will inform you to the extent we are permitted by law to do so); and 
      2. allow for and contribute to audits, including inspections, by you (or an auditor mandated by you and agreed by us in writing). 
    2. You will: 
      1. provide to us reasonable prior written notice (not less than 10 business days) of any information request, audit and/or inspection that you require;  
      2. ensure that the Records and all information obtained or generated by you or your auditor in connection with such information requests, inspections and audits are kept strictly confidential and you will not disclose the same to a third party unless required to do so by a relevant regulator, in which case, you will (to the extent legally permissible) not less than fourteen (14) days before such disclosure give prior written notice of such requirement to us;  
      3. ensure that such audit or inspection is undertaken during our normal business hours, with minimal disruption to our business and the business of our other customers;  
      4. pay our reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits; and  
      5. comply with any additional obligations with regards to access by you or an auditor as set out in the Agreement. 
    3. Both parties shall be entitled to share any information referred to in this paragraph 4 of this Part 4, including the results of any audit, with a competent Supervisory Authority as may be necessary from time to time. 
    4. Nothing in paragraph 4 of this Part 4, gives you the right to access any data of any other customer of ours or any information that could cause us to breach our obligations under Applicable Law (including the Data Protection Laws) and/or our confidentiality obligations owed to a third party. 
  5. Assistance and Data Subject Rights 
    1. We are responsible for maintaining a record of Data Subject Requests. Upon receipt of any Data Subject Request, we shall immediately (and no later than within 48 (forty-eight) hours of receipt) refer such Data Subject Request to you and shall, at our own expense, promptly assist you with such Data Subject Request to ensure that you meet the response times under the Data Protection Laws. We will not respond to a Data Subject Request without providing prior written notice to you or as required by Applicable Laws, in which case we shall, to the extent permitted by Applicable Laws, inform you  of that legal requirement prior to us responding to such Data Subject Request. 
    2. We will provide such assistance as reasonably required by you to ensure compliance with your obligations under the Data Protection Laws with respect to: 
      1. security of processing; data protection impact assessments (as such term is defined in the Data Protection Laws); 
      2. prior consultation with a Supervisory Authority regarding high-risk processing; 
      3. notifications to the Supervisory Authority and/or communications to data subjects by you in response to any Personal Data Breach; and 
      4. any remedial action to be taken in response to a Personal Data Breach and/or a Data Complaint or request relating to your obligations under the Data Protection Laws relevant to the Agreement.
  6. Breach Notification 
    1. In respect of any Personal Data Breach, we will, without undue delay but in no event later than 48 (forty-eight) hours (or earlier where possible) after becoming aware, notify you of the Personal Data Breach and provide you with details of the Personal Data Breach including the nature of the Personal Data Breach, the categories and approximate volume of data subjects, the Protected Data records concerned, the likely consequences of the Personal Data Breach and any measures taken or to be taken by us to mitigate the effects of the Personal Data Breach. Where, and insofar as, it is not possible for us to provide all of this information at the same time, the initial notification will provide such information as available to us and we will provide the further information as soon as it becomes available without undue delay (but in no event later than 24 (twenty-four) hours after it becomes available). 
    2. We will immediately, at our own expense, investigate the Personal Data Breach and take steps to identify, prevent and mitigate the effects of and to remedy any Personal Data Breach. We will not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach without your prior written approval. 
    3. We will promptly (but in no event later than 48 (forty-eight) hours after becoming aware) inform you if we receive or become aware of a Data Complaint and shall not respond to the Data Complaint without your prior written approval. 
  7. Deletion or Return of Protected Data and Copies 
    1. We will process the Protected Data only for the duration of the Data Processing Term.
    2. On termination of the Agreement and, at your written request, we will ensure that any Protected Data (and all copies) are securely returned to you or destroyed (at your discretion and direction) to the extent reasonably practicable (unless storage is required by Applicable Laws and, if so, we will inform you of any such requirement) in the following circumstances:
      1. on termination of the Agreement; 
      2. on expiry of the Data Processing Term; 
      3. once processing of the Protected Data is no longer necessary for the Permitted Purposes.

Schedule 1 - Data Processing Details

DETAILS OF PROCESSING

DESCRIPTION

SCOPE

The processing of personal data as required for the Permitted Purpose.

NATURE AND PURPOSE

The processing of personal data as required for the Permitted Purpose.

DURATION

For the duration of the Agreement and for such time as required by Applicable Laws (the "Data Processing Term").

TYPES OF PERSONAL DATA

We will process such categories of personal data as necessary to provide the Services, including the following categories of data:  

  • IP address 
  • Passport details 
  • National identity card details  
  • Bank account details  
  • Transaction data 
  • Cryptocurrency wallet and/or transaction addresses

CATEGORIES OF PERSONAL DATA

Data subjects include, without limitation, the following individuals associated with you:  

  • Employees 
  • Directors 
  • Shareholders 
  • Beneficial owners 
  • Authorised Users 
  • Suppliers
  • Customers
  • Consultants
  • Contractors   

Schedule 2 - Security Measures

  1. The security measures include:
    1. Implementing the relevant security processes and protocols to ensure the security of Protected Data during storage and transmission. 
    2. pseudonymising and/or encrypting the Protected Data stored by a party or transmitted by a party over public or wireless networks; and 
    3. implementing and maintaining the relevant policies and procedures to ensure the confidentiality, integrity, availability and resilience of processing systems and services.

Schedule 3 - Cross Border Transfers

  1. Definitions
    1. Terms used in this Schedule 3 shall have the meanings set out below, in the Addendum or as otherwise defined in the EU Standard Contractual Clauses. Where a term is defined in both this Schedule 3 and the EU Standard Contractual Clauses, the meaning of the term in the EU Standard Contractual Clauses shall have precedence in relation to the EU Standard Contractual Clauses.
    2. "EU Standard Contractual Clauses" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
  2. Cross Border Data Transfer Mechanisms
    1. In the event the Services are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the EU Standard Contractual Clauses as set forth in paragraph 2.2 (EU Standard Contractual Clauses) of this Schedule 3; and, if (a) is applicable, then (b) other applicable data Transfer Mechanisms permitted under Data Protection Laws.
    2. The EU Standard Contractual Clauses will apply to personal data that is transferred via the Services from the EEA, Switzerland, Guernsey, or Jersey, either directly or via onward transfer, to any country or recipient outside the EEA, Switzerland, Guernsey, or Jersey that is not recognized by the relevant competent authority as providing an adequate level of protection for personal data. For data transfers that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into, and incorporated into this Addendum by this reference, and the following modules may apply depending on whether CrissCross act as a controller, joint controller or processor of personal data:
      1. module One (Controller to Controller) of the EU Standard Contractual Clauses; 
      2. module Two (Controller to Processor) of the EU Standard Contractual Clauses; 
      3. module Three (Processor to Processor) of the EU Standard Contractual Clauses; 
      4. module Four (Processor to Controller) of the EU Standard Contractual Clauses; and 
      5. for each module, where applicable the modules will be completed as follows:
        1. in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply; 
        2. in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in paragraph 2.2.2 in Part 4 - Processor Terms of this Addendum; 
        3. in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply; 
        4. in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by laws of Ireland; 
        5. in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
        6. in Annex I, Part A of the EU Standard Contractual Clauses:

Data Exporter

CrissCross

Contact details: 

compliance@crisscross.money and james@crisscross.money

Data Exporter Role: 

The Data Exporter’s role is set forth in the table setting out the different CrissCross group companies on page 1 of this Addendum.  

Signature and Date: 

By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the Commencement Date of the Agreement. 

Data Importer: 

The CrissCross customer (based in third country outside EU)  

Contact details: 

The email address(es) designated by the customer of CrissCross as provided to CrissCross from time to time. 

Data Importer Role: 

The Data Importer’s role is set forth in section 1 of Part 1  of this Addendum.

Signature and Date: 

By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Commencement Date of the Agreement. 

  1. in Annex I, Part B of the EU Standard Contractual Clauses: 
    1. the categories of data subjects are set forth in Schedule 1 (Data Processing Details) of this Addendum; 
    2. the frequency of the transfer is a continuous basis for the duration of the Agreement; 
    3. the nature of the processing is set forth in the table in Schedule 1 (Data Processing Details) of this Addendum; 
    4. the purpose of the processing is set forth in the table in Schedule 1 (Data Processing Details) of this Addendum; 
    5. the period for which the personal data will be retained is set forth in the table in Schedule 1 (Data Processing Details) of this Addendum; 
    6. in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority; 
    7. and Schedule 2 (Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses. 

Part 5 - Glossary And Order Of Precedence

  1. Definitions And Interpretation
    1. Terms, acronyms, phrases and abbreviations utilised in the financial services industry or other similar business context will be interpreted in accordance with their generally understood meaning in such industry or business context and lowercase terms used but not defined in this Addendum such as "personal data", "personal data breach", "processing", "processor", "controller", "joint controller" and "data subject" have the meanings set out in the Data Protection Laws. Unless the context otherwise requires, capitalised terms used in this Addendum shall have the meaning given to them below, or as otherwise defined in the Agreement:
      1. "Agreement" means the agreement between relevant CrissCross group entity in the table set out on page 1 and you, which incorporates this Addendum by reference; 
      2. "Applicable Laws" means any laws, regulations, regulatory constraints, obligations or rules in South Africa, Lithuania, or any other relevant jurisdiction, which are applicable to the relevant Agreement and this Addendum (including binding codes of conduct and binding statements of principle incorporated and contained in such rules from time to time), interpreted (where relevant) in accordance with any guidance, code of conduct or similar document published by a relevant regulatory authority; 
      3. "Appropriate Safeguards" means such legally enforceable mechanism(s) for transfers of personal data as may be permitted under the GDPR from time to time; 
      4. "Commencement Date" means the effective date of the Agreement; 
      5. "Controller Data" has the meaning given to it in Part 3 of this Addendum; 
      6. "Data Complaint" means a complaint or request relating to either party's obligations under the Data Protection Laws relevant to the Agreement including any complaint by a data subject or any notice, investigation or other action by a Supervisory Authority; 
      7. "Data Processing Term" has the meaning given to it in Schedule 1 of this Addendum;
      8. "Data Protection Laws" means all applicable data protection laws (and in each case any re-enactment or amendment) in any jurisdiction where CrissCross operates (to the extent applicable to the services we provide to you under the relevant Agreement), including the Data Protection Act 2018, the EU GDPR and any other directly applicable local or national regulation (or directive) relating to privacy; 
      9. "Data Subject Request" means a request made by a data subject to exercise any rights of data subjects under the Data Protection Laws in connection with the Protected Data; 
      10. "Joint Data" has the meaning given to it in Part 2 of this Addendum; 
      11. "Permitted Purposes" has the meaning given to it in paragraph 1.3 of Part 1 of this Addendum; 
      12. "Personal Data Breach" means a personal data breach in relation to, involving or affecting the Protected Data; 
      13. "Processing Instructions" has the meaning given to it in paragraph 1.1.1 of Part 4 of this Addendum; 
      14. "Protected Data" means any personal data processed by us in our capacity as a joint or independent controller or as a processor in connection with the performance of our obligations under the Agreement; 
      15. "Records" has the meaning given to it in paragraph 5.1 of Part 1 of this Addendum; 
      16. "Services" means those services we provide to you from time to time under and pursuant to the terms of the relevant Agreement; 
      17. "Sub-Processor" means another processor engaged by us (when acting as a processor) for carrying out processing activities in respect of the Protected Data under or in connection with the Agreement; and 
      18. "Supervisory Authority" means any local, national, or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board, or other body responsible for administering the Data Protection Laws including the relevant supervisory authorities in Lithuania and South Africa.
  2. Order Of Precedence
    1. In the event of any conflict between this Addendum, provisions of the Agreement, or the Privacy Policy, this Addendum will prevail.
    2. If there is any conflict between (i) the provisions in Part 1 - General Terms; and (ii) the provisions in any of Part 2 - Joint Controller Terms, Part 3 - Controller Terms, or Part 4 - Processor Terms, the provisions in Part 2 - Joint Controller Terms, Part 3 - Controller Terms, or Part 4 - Processor Terms (as applicable) will prevail. 
    3. CrissCross reserve the right to update this Addendum from time to time in accordance with the terms of the Agreement including in order to comply with our obligations under the Data Protection Laws, to address any changes to the Services including any new functionality or features and/or to cover any additional services that we may provide to you from time to time. The prevailing terms will be the terms of the most recent version of this Addendum made available on the CrissCross website and notice will be deemed to be given on the date of publication on the CrissCross website.