top of page

Aktibeto EU, UK, and Swiss Data Processing Addendum

This Data Processing Addendum (“DPA”), forms part of the Agreement between Aktibeto LLC (“Aktibeto”) and you, a Host or Client of the Aktibeto. It was first effective on February 17, 2019, and modified on October 14, 2020, to incorporate the Standard Contractual Clauses regarding data transfers and remove references to Privacy Shield. It was updated again on December 22, 2021, and on May 5, 2022, to incorporate the Standard Contractual Clauses issued by the European Commission on June 4, 2021. It was updated April 4, 2023 to include references to the International Data Transfer Addendum required by the UK Parliament and the revised Swiss Federal Data Protection Act.

1. Definitions

All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Terms used but not defined in this DPA, such as “controller,” “data subject,” “personal data,” “processing,” and “processor” will have the same meaning as set forth in the EU Data Protection Law.

“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.

“Agreement” means Aktibeto’s Terms of Use, which govern the provision of the Services to Host, Clients, Staff, Members, as such terms may be updated by Aktibeto from time to time.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including, where applicable, EU, Swiss, and UK Data Protection Laws.

“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“EEA” means the 27 countries of the European Union, plus Iceland, Liechtenstein, and Norway.

"Host Data” means any personal data that Aktibeto processes on behalf of Host or Client or Member as a processor in the course of providing Services, as more particularly described in this DPA. Host Data means all personal data provided directly by Aktibeto to Host or to Client, and all personal data that Members of Aktibeto Networks provide when they register for and participate in Aktibeto Networks.

“International Data Transfer Addendum” means Schedule 2, attached to and forming part of this DPA pursuant to UK Parliamentary approval on 21 March 2022, and issued under Section 119A of the Data Protection Act of 2018. This International Data Transfer Addendum is an Addendum to the Standard Contractual Clauses.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Host Data.

“Services” means any product or service provided by Aktibeto Networks to Members or Clients pursuant to the Agreement.

“Standard Contractual Clauses” means Schedule 1, attached to and forming part of this DPA pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Subprocessors” means the other processors that are used by Aktibeto Networks or Hosts to process Personal Data.

“Swiss Data Protection Law” means the revised Federal Data Protection Act (FADP) effective September 1, 2023.

“UK Data Protection Law” means the UK General Data Protection Regulation (UK GDPR)

2. Relationship with the Agreement

2.1 The parties agree that the DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Services.

2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

2.4 Host further agrees that any regulatory penalties incurred by Aktibeto Networks in relation to the Host Data that arise as a result of, or in connection with, Host’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall reduce Aktibeto Networks’ liability under the Agreement.

2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. Data subjects are third party beneficiaries of the Standard Contractual Clauses at Schedule I.

2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

3. Scope and Applicability of this DPA

This DPA applies where and only to the extent that Aktibeto or Aktibeto Networks processes, on behalf of Host, Host Data that originates from the EEA or that is otherwise subject to EU, UK, or Swiss Data Protection Laws on behalf of Host in the course of providing Services pursuant to the Agreement.

4. Roles and Scope of Processing

4.1 Role of the Parties.

As between Aktibeto Networks and Host, Host is the controller of Host Data, and Aktibeto Networks shall process Host Data only as a processor acting on behalf of Host. 

4.2 Host Processing of Host Data.

Host and Client agrees that (i) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Host Data and any processing instructions it issues to Aktibeto Networks; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Aktibeto Networks to process Host Data and provide the Services pursuant to the Agreement and this DPA.

4.3 Aktibeto Processing of Host Data.

Aktibeto shall process Host Data only for the purposes described in this DPA and only in accordance with Client's and Member’s documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Client's or Host’s or Member's complete and final instructions to Aktibeto in relation to the processing of Host Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Host or Client or Member and Aktibeto.

4.4 Details of Data Processing

a. Subject matter: The subject matter of the data processing under this DPA is the Host Data.

b. Duration: As between Aktibeto and Host or Client or Member, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.

 

c. Purpose: The purpose of the data processing under this DPA is to get and provide the Services to the Host, to provide the Services to the Client or Member, to perform Aktibeto’s obligations under the Agreement (including this DPA), to analyze the use of the Aktibeto, to comply with the law, to prevent misuse of the Services, and as otherwise agreed by the parties.

 

d. Nature of the processing: Aktibeto provides and gets a platform from Hosts to create and manage communities dedicated to an individual, identity, or interest. Aktibeto or Hosts invite people (“Members” or "Clients") to connect with each other, to message, and to exchange information and content. Hosts tailor their Network or Aktibeto tailor their Aktibeto Network or Service by the Members or Clients they invite, the conversations they organize, what they call their Aktibeto Network or Service, and additional branding they may choose to use.

 

e. Categories of data subjects: Any individual accessing and/or using the Services only through the Host’s account (“ Hosts' Users”), any individual accessing and/or using the Services only through the Aktibeto’s account("Clients, Staff, Members") ; and any individual who joins one of Aktibeto’s Networks (collectively, Members).

 

f. Types of Data:

i. Aktibeto's Clients, Staff, Members and Hosts' Users: Identification and contact data (name, email address, title, contact details, username); employment details (employer, job title, geographic location, area of responsibility); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information);

ii. Members: Identification and contact data (name, gender, occupation, email address, title), personal interests or preferences (including marketing preferences and, if End User chooses to integrate Network account with social media profile, social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data (depending on End User’s settings) and browser data); financial information if End User must pay to join Network (credit card details, account details, payment information); and all other information provided by End User to Aktibeto.

4.5 Disclosures for Legitimate Business Purposes.

Notwithstanding anything to the contrary in the Agreement (including this DPA), Host, Client and Members acknowledges that Aktibeto shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.

4.6 Tracking Technologies.

Aktibeto acknowledges that in connection with the performance of the Services, Aktibeto and its service providers employ the use of cookies, unique identifiers, and similar tracking technologies (“Tracking Technologies”). Aktibeto shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable it and its service providers to deploy Tracking Technologies lawfully on, and collect data from, the devices of Clients, Staff, Members and Hosts' Users in accordance with and as described in the Aktibeto Cookie Policy.

5. Subprocessing

5.1 Authorized Subprocessors.

Host, Client and Member agrees that Aktibeto may engage Subprocessors to process Host Data on their behalf.

5.2 Subprocessor Obligations.

Aktibeto shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Host Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Aktibeto to breach any of its obligations under this DPA.

5.3 Some of the Subprocessors as of the Effective Date is Wix, Google, Slack, Meetup, Eventbrite, Zoom etc. Aktibeto shall provide an up-to-date list of the Subprocessors it has appointed upon written request from Host, Client and Member. The Subprocessor list shall be updated on a regular basis.

5.4 Aktibeto shall give Member prior written notice of the appointment of any new Subprocessor. Member may object in writing to Aktibeto’s appointment of additional Subprocessors, provided that such objection is based on reasonable grounds relating to data protection. If, within five (5) business days of receipt of that notice, Member notifies Aktibeto in writing of any objections (on reasonable grounds) to the proposed appointment, Aktibeto shall take reasonable steps to address the objections raised by Member. If Member and Aktibeto are not able to resolve the appointment of a new Subprocessor within a reasonable period, Member shall have the right to terminate the Agreement (without refund or prejudice to any fees incurred by Aktibeto prior to suspension or termination).

6. Security

6.1 Security Measures.

a. Measures of pseudonymisation and encryption of personal data: All datastores containing personal data are fully encrypted at rest and passwords are symmetrically encrypted within the tables. Personal information fields for analytic data are pseudonymized by our data ingestion pipeline before reaching the data warehouse.

b. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Durability is ensured with point in time recovery restorable within sixty hours for all relational data stores.

c. Measures for user identification and authorisation: System authentication and authorization is accomplished via Wix. 

d. Measures for ensuring physical security of locations at which personal data are processed: We rely on our data center provider (Wix and Google) to ensure physical security.

e. Measures for ensuring events logging: All infrastructure access, authorization, and authentication are auditable through Wix. 

f. Measures for ensuring data quality and measures for allowing data portability and ensuring erasure: Our Data Management Policy specifically covers data classification, handling and retention.

g. Measures for ensuring limited data retention: Data retention is limited and deleted after the retention period.

h. Measures for ensuring accountability: Aktibeto shall not voluntarily assist the U.S. government in its conduct of Executive Order 12333 https://dodsioo.defense.gov/Library/EO-12333/ activities, and has not received any directives under Section 702 of the U.S. Foreign Surveillance Act (https://www.law.cornell.edu/uscode/text/50/1881a.

 

6.2 Updates to Security Measures.

Client and Member is responsible for reviewing the information made available by Aktibeto relating to data security and making an independent determination as to whether the Services meet Client's or Member's requirements and legal obligations under Data Protection Laws. Client and Member acknowledges that the Security Measures are subject to technical progress and development and that Aktibeto may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

6.3 Host Responsibilities.

Notwithstanding the above, Client and Member agrees that except as provided by this DPA, Client and Member is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of User Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any User Data uploaded to the Services. 

6.4 Confidentiality of processing.

Aktibeto shall ensure that any person who is authorized by Aktibeto to process Host Data (including its staff, agents, Service Providers and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

6.5 Security Incident Response.

Upon becoming aware of a Security Incident, Aktibeto shall notify Host or Client or Member without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Host or Client or Member. Aktibeto shall fully cooperate and assist with Host’s or Client's or Member's investigation, containment and mitigation efforts.

6.6 Disaster Recovery

For all systems used in connection with the Services, Aktibeto shall establish and maintain arrangements for emergency backup services and resources that assure uninterrupted delivery of the Services to the extent reasonably practicable. If a disaster occurs at and/or affects the facilities and interrupts the Services, whether or not covered by a written disaster recovery plan in existence as of the effective date, Aktibeto shall take all commercially reasonable measures to minimize the damage caused by any impairment of the Services resulting from the disaster and avoid recurrence.

7. Verification

Upon reasonable request, Aktibeto will verify its compliance with this DPA, provided that Host or Client shall not exercise this right more than once per year.

 

8. International Transfers

8.1 Data center locations.

Aktibeto may transfer and process Host Data anywhere in the world where Aktibeto, its Affiliates or its Subprocessors maintain data processing operations. Aktibeto shall at all times provide an adequate level of protection for the Host Data collected, transferred, processed, or retained in accordance with the requirements of Data Protection Laws.

8.2 Standard Contractual Clauses and International Data Transfer Addendum.

Aktibeto will not process Host Data related to personal data of data subjects located in the EEA or Switzerland in a location outside of the EEA, except pursuant to the Standard Contractual Clauses or any replacement thereof. Aktibeto will not process Host Data related to data subjects located in the UK in a location outside of the UK, except pursuant to the International Data Transfer Addendum.

8.3 Changes in the Law.

To the extent that Host or Aktibeto are relying on a specific statutory mechanism to normalize international data transfers (namely, Standard Contractual Clauses) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Aktibeto and Host agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.

9. Return or Deletion of Data

Upon termination or expiration of the Agreement, Aktibeto shall (at Client’s or Member's election) delete or return to Client or Member all Host Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Aktibeto is required by applicable law to retain copies of some or all of the Host Data, or to Host Data it has archived on back-up systems, which Host Data Aktibeto shall securely isolate and protect from any further processing, except to the extent required by applicable law.

10. Cooperation

10.1 The Services provide Clients and Members with controls that Clients and Members may use to retrieve, correct, delete or restrict Host Data, which Client or Member may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Client or Member is unable to independently access the relevant Host Data within the Services, Aktibeto shall (at Client’s or Member's expense) provide reasonable cooperation to assist Client or Member to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under the Agreement. In the event that any such request is made directly to Aktibeto, Aktibeto shall not respond to such communication directly without Client’s or Member's prior authorization, unless legally compelled to do so. If Aktibeto is required to respond to such a request, Aktibeto shall promptly notify Host and Client or Member and provide it with a copy of the request unless legally prohibited from doing so.

 

10.2 If a law enforcement agency sends Aktibeto a demand for Host Data (for example, through a subpoena or court order), Aktibeto shall attempt to redirect the law enforcement agency to request that data directly from Host or Client or Member. As part of this effort, Aktibeto may provide Host’s or Client's or Member's basic contact information to the law enforcement agency. If compelled to disclose Host Data to a law enforcement agency, then Aktibeto shall give Host or Client or Member reasonable notice of the demand to allow Host or Client or Member to seek a protective order or other appropriate remedy unless Aktibeto is legally prohibited from doing so.

 

10.3 To the extent Aktibeto is required under EU Data Protection Law, Aktibeto shall (at Host’s or Client's or Member's expense) provide reasonably requested information regarding the Services to enable the Host or Client or Member to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

11. Changes in Data Protection Laws

Aktibeto may modify or supplement this Addendum, with reasonable notice to the Host or Client or Member: (i) If required to do so by a supervisory authority or other government or regulatory entity; (ii) If necessary to comply with applicable law; (iii) To implement new or updated Standard Contractual Clauses approved by the European Commission; or (iv) To adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 GDPR.

bottom of page