Clarifai Data Processing Addendum
EFFECTIVE DATE: December 22, 2022 to go into effect January 1, 2023
This Data Processing Agreement only applies to Customers if Customer has a Clarifai Account located in the United States, the United Kingdom, the European Economic Area and Switzerland.
1. This Data Processing Addendum (“Addendum”) supplements and forms a part of the Clarifai Terms of Services available at https://www.clarifai.com/company/terms as updated from time to time between Customer (defined below) and Clarifai, Inc. (“Clarifai”), or other agreement between Customer and Clarifai governing Customer’s use of the Services (defined below) (the “Agreement”), when Applicable Privacy Laws (defined below) apply to Customer’s use of the Services to process Customer Personal Data (defined below). This Addendum is incorporated into, and forms part of the Agreement entered into by and between Clarifai and Customer (each a “Party” and collectively the “Parties”). Any terms not defined in this Addendum shall have the meanings set forth in the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum shall supersede and control.
2. Definitions. Capitalized terms not defined in this DPA have the meanings given to them in the Clarifai Terms of Services.
“Approved Data Transfer Mechanism” means, as applicable, the EEA SCCs, the UK Data Transfer Addendum or any data transfer mechanism a supervisory authority approves under DP Law that is incorporated into this DPA.
“Authorized Services” means Services that a Governmental Authority licenses, authorizes or regulates.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199.
“DP Law” means all Law that applies to Personal Data Processing under the Clarifai Terms of Services and this DPA, including international, federal, state, provincial and local Law relating to privacy, data protection or data security.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.
“Data Security Measures” means technical and organizational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing.
“Data Subject” means an identified or identifiable natural person to which Personal Data relates.
“EEA” means the European Economic Area.
“EEA SCCs” mean Module 2 (Transfer: Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.
“Europe” means, for the purposes of this Addendum, the Member States of the European Union, Iceland, Liechtenstein, Norway (together, the “EEA”) plus Switzerland and the United Kingdom.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Instructions” means this DPA and any further written agreement or documentation under which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.
“Joint Controller” means a Data Controller that jointly determines the purposes and means of Processing Personal Data with one or more Data Controllers.
“Personal Data” means any information relating to an identified or identifiable natural person that is Processed in connection with the Services, and includes “personal data” as defined under the GDPR and “personal information” as defined under the CCPA.
“Process” means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under DP Law.
“Sensitive Data” means (a) Personal Data that is genetic data, biometric data, data concerning health, a natural person's sex life or sexual orientation; or (b) data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, to the extent this data is treated distinctly as a special category of Personal Data under DP Law.
“Sub-processor” means an entity a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Services.
“UK Data Transfer Addendum” means the international data transfer addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner’s Office.
“UK GDPR” means the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
The terms “Controller”, “Processor”, “Data Subject”, “Supervisory Authority” and “Process” shall have the meanings given to them under Applicable Privacy Laws and “Processes”, “Processing” and “Processed” shall be interpreted accordingly, and the terms “Business” and “Service Provider” shall have the meanings given to them under the CCPA.
3. Clarifai as Data Processor and Data Controller.
3.1. Data Processing Roles. To the extent Clarifai Processes Personal Data as a:
(a) Data Processor, it is acting as a Data Processor on behalf of you, the Data Controller; and
(b) Data Controller, it has the sole and exclusive authority to determine the purposes and means of Processing Personal Data it receives from or through you.
3.2. Categories of Data Subjects and Personal Data.
(a) Data Subjects. Clarifai may Process the Personal Data of your Customers, representatives and any natural persons who access or use your Clarifai Account.
(b) Personal Data. Where applicable, Clarifai may Process Payment Account Details, bank account details, billing/shipping address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports).
(c) Sensitive Data. Where applicable, Clarifai may Process text, audio, video, facial recognition data or other information that can be considered sensitive personal information.
3.3. Data Processing Purposes.
(a) The purposes of Clarifai’s Processing of Personal Data in its capacity as a Data Processor for a Service include:
(i) servicing the Clarifai platform; and
(ii) facilitating payment transactions on behalf of Clarifai users.
(b) The purposes of Clarifai’s Processing of Personal Data in its capacity as a Data Controller are:
(i) determining the Processing of Personal Data when providing Clarifai products and services;
(ii) monitoring, preventing and detecting fraudulent activity on the Clarifai platform;
(iii) complying with Law, including applicable know-your-customer obligations; and
(iv) analyzing and developing Clarifai’s services.
4. Clarifai Obligations when Acting as a Data Processor.
4.1. Obligations. To the extent that Clarifai is acting as a Data Processor for you, Clarifai will:
(a) Process Personal Data on behalf of and according to your Instructions. Clarifai will not sell, retain, use or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and to comply with Law, unless otherwise permitted by the Clarifai Terms of Services (including this DPA) or DP Law. Clarifai will inform Customer if, in its opinion, Instructions violate or infringe DP Law;
(b) ensure that all persons Clarifai authorizes to Process Personal Data in the context of the Services are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of Personal Data;
(c) to the extent required by DP Law, inform Customer of requests Clarifai receives from Data Subjects (including “verifiable consumer requests” as defined under the CCPA) exercising their applicable rights under DP Law to (i) access (e.g., right to know under the CCPA) their Personal Data; (ii) have their Personal Data corrected or erased; (iii) restrict or object to Clarifai’s Processing; or (iv) data portability. Other than to request further information, identify the Data Subject, and, if applicable, direct the Data Subject to Customer as Data Controller, Clarifai will not respond to these requests unless Customer instructs Clarifai in writing to do so;
(d) to the extent required by DP Law, inform Customer of each law enforcement request Clarifai receives from a Governmental Authority requiring Clarifai to disclose Personal Data or participate in an investigation involving Personal Data;
(e) to the extent required by DP Law, provide Customer with reasonable assistance through appropriate technical and organizational measures, at your expense, to assist Customer in complying with your obligations under DP Law, which assistance may include conducting data protection impact assessments and consulting with a supervisory authority, considering the nature of the Processing and the information available to Clarifai;
(f) implement and maintain a written information security program with the Data Security Measures stated in Exhibit 1 of this DPA. In addition, Clarifai will implement a data security incident management program that addresses how Clarifai will manage a data security incident involving the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Personal Data (“Incident”). If Clarifai is required by DP Law to notify Customer of an Incident, then Clarifai will notify Customer without unreasonable delay, but in no event later than any time period required by DP Law. In addition, for Incidents affecting Personal Data subject to GDPR or UK GDPR, Clarifai will notify Customer no later than 48 hours after Clarifai becomes aware of the Incident. Clarifai will partner with Customer to respond to the Incident. The response may include identifying key partners, investigating the Incident, providing regular updates, and discussing notice obligations. Except as required by DP Law, Clarifai will not notify your affected Data Subjects about an Incident without first consulting you.
(g) engage Sub-processors as necessary to perform the Services based on the general written authorization Customer gives to Clarifai under Section 4.2 of this DPA;
(h) to the extent required by DP Law and upon your written request, contribute to audits or inspections by making audit reports available to you, which reports are Clarifai’s confidential information. Upon your written request, and no more frequently than once annually, Clarifai will promptly provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding Clarifai and its Affiliates’ Processing of Personal Data. All documentation provided, including any response to a security questionnaire, is Clarifai’s confidential information; and
(i) at your choice, and subject to Clarifai’s rights and obligations under the Clarifai Terms of Services (including this DPA), delete or return all Personal Data to Customer after the Term, and delete existing copies held by Stripe, unless Clarifai is required or authorized by DP Law to store Personal Data for a longer period.
(a) Customer hereby provides Clarifai an upfront general authorization to engage Sub-processors and may ask for a list of Clarifai's current Sub-processors upon written request. Customer acknowledges that certain Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor may prevent Clarifai from offering the Services to Customer. If Customer reasonably objects to an engagement in accordance with this Section 4.2, the Parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If the Parties cannot reach such a resolution, Customer may terminate the affected part of the Services within a reasonable period of time. Termination shall not relieve Customer of any fees owed to Clarifai under the Agreement. If Customer does not object to the engagement in accordance with this Section 4.2, Customer shall be deemed to have granted authorization to the Sub-processor for the purposes of this Addendum. In all cases, Clarifai will enter into a written agreement with each Sub-processor imposing on the Sub-processor data protection obligations equivalent to those imposed on Clarifai under this Addendum with respect to the protection of Customer Personal Data. Clarifai will remain liable to Customer for the performance of each Sub-processor’s obligations. Pursuant to the Standard Contractual Clauses entered into between the Parties under this Addendum (i) the above authorizations constitute Customer's authorization to Sub-processors for the purposes of the Standard Contractual Clauses, and (ii) Clarifai may be prevented from providing Customer with copies of its agreements with Sub-processors due to confidential information but Clarifai will endeavor to provide all information reasonably requested by Customer with respect to Sub-processor agreements.
(b) Clarifai will enter into a written agreement with each Sub-processor that imposes on that Sub-processor obligations comparable to those imposed on Clarifai under this DPA, including implementing appropriate Data Security Measures. If a Sub-processor fails to fulfill its data protection obligations under that agreement, Clarifai will remain liable to Customer for the acts and omissions of its Sub-processor to the same extent Clarifai would be liable if performing the relevant Services directly under this DPA.
4.3 CCPA Certification. To the extent applicable to the Services, Clarifai certifies that it understands and will comply with the requirements in this DPA relating to the CCPA.
4.4 Disclaimer of Liability. Notwithstanding anything to the contrary in your or this DPA, Clarifai and its Affiliates will not be liable for any claim made by a Data Subject arising from or related to Clarifai or any of its Affiliates’ acts or omissions, to the extent that Clarifai was acting in accordance with your Instructions.
5. Your obligations when acting as a Data Controller. Customer must:
5.1 only provide Instructions to Clarifai that are lawful;
5.2 comply with and perform your obligations under DP Law, including Data Subject rights, data security and confidentiality, and ensure Customer has an appropriate legal basis for the Processing of Personal Data as described in the Clarifai Terms of Services including this DPA; and
5.3 provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) regarding, respectively, Clarifai and your Processing of Personal Data for the purposes described in your Clarifai Terms of Services including this DPA.
6. Data transfers.
6.1 General. Clarifai and its Affiliates may transfer Personal Data on a global basis as necessary to provide the Services. Clarifai and its Affiliates may transfer Personal Data to Clarifai in the United States and to Clarifai’s Affiliates and Sub-processors in other jurisdictions. Where Clarifai transfers Personal Data under this DPA to a country or recipient not recognized as having an adequate level of protection for Personal Data according to DP Law, Clarifai will comply with its obligations under DP Law.
6.2 Transfers from the EEA to Clarifai. The EEA SCCs apply to a transfer from the EEA of Personal Data Processed under this DPA between Customer and Clarifai and are incorporated into this DPA. Customer agrees that the EEA SCCs are completed and supplemented as follows:
(a) Customer is the data exporter and Clarifai is the data importer;
(b) the optional docking clause under Clause 7 of the EEA SCCs will not apply;
(c) option 2 under Clause 9 of the EEA SCCs applies and Customer generally authorizes Clarifai to engage Sub-processors according to Section 4.2 of this DPA;
(d) the optional redress language under Clause 11(a) of the EEA SCCs will not apply;
(e) the governing law under Clause 17 of the EEA SCCs will be Ireland;
(f) the choice of forum and jurisdiction under Clause 18 of the EEA SCCs will be the courts of Ireland;
(g) Annexes I, II and III of the EEA SCCs are deemed to be populated with the information set out in Exhibits 1 and 2 of this DPA; and
(h) Annex IV of Exhibit 2 of this DPA supplements the EEA SCCs with additional clauses.
6.3 In relation to Customer Personal Data that is subject to UK Data Protection Laws, the Standard Contractual Clauses shall apply in accordance with Section 5.2.1 with the following modifications: (i) the Standard Contractual Clauses shall be amended as specified by the UK Addendum, which shall be incorporated by reference, (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in Annex 1 and Annex 2 of this DPA, (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "importer", and (iv) any conflict between the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
6.4 In relation to Customer Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses shall apply in accordance with Section 6.2.1 with the following modifications (i) references to ‘Regulation (EU) 2016/679’ shall be interpreted as references to the Swiss DPA, (ii) references to specific articles of ‘Regulation (EU) 2016/679’ shall be replaced with the equivalent article or section of the Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ shall be replaced with ‘Switzerland’, (iv) Clause 13(a) and Part C of Annex 2 shall not be used and the ‘competent supervisory authority’ shall be the Swiss Federal Data Protection Information Commissioner, (v) references to the ‘competent supervisory authority’ and ‘competent courts’ shall be replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’, (vi) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland, and (vii) in Clause 18(b), disputes shall be resolved before the courts of Switzerland.
6.5 Alternative Transfer Mechanism. To the extent that Clarifai adopts an alternative data transfer mechanism to the Standard Contractual Clauses as implemented in accordance with Section 6.2 of this Addendum, such alternative transfer mechanism shall apply instead of the Standard Contractual Clauses, provided that such alternative transfer mechanism complies with Applicable Privacy Laws and extends to the territories in which Customer Personal Data is Processed, and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
7. Conflict. If there is any conflict or ambiguity between:
7.1 the provisions of this DPA and the provisions of the Clarifai Terms of Services regarding Personal Data Processing, the provisions of this DPA will prevail; and
7.2 the provisions of this DPA and any provision contained in an Approved Data Transfer Mechanism and executed by Customer and Clarifai, the provisions of the Approved Data Transfer Mechanism will prevail.
EXHIBIT 1: CLARIFAI DATA SECURITY
The following technical measures are in place to protect the Customer Personal Data handled by Clarifai:
1. Encryption of personal data
1.1 Data at rest encrypted using AES-256 algorithm.
1.2 Employee laptops are encrypted using full disk AES-256 encryption.
1.3 HTTPS encryption on every web login interface, using industry standard algorithms and certificates.
1.4 Secure transmission of credentials using TLS 1.2 by default.
1.5 Access to operational environments requires use of secure protocols such as HTTPS.
1.6 Data that resides in Amazon Web Services (AWS) encrypted at rest as stated in AWS' documentation and whitepapers. In particular, AWS instances and volumes are encrypted using AES-256. Encryption keys via AWS Key Management Service (KMS) are IAM role protected and protected by AWS-provided HSM certified under FIPS 140-2.
2. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
2.1 Virtual Private Network (VPN)
2.2 Strong access controls based on the use of the 'Principle of Least Privilege'.
2.3 Differentiated rights system based on security groups and access control lists.
2.4 Employees are granted only the amount of access necessary to perform job functions.
2.5 Unique accounts and role-based access within operational and corporate environments.
2.6 Access to systems restricted by security groups and access-control lists.
2.7 Authorization requests are tracked, logged and audited on a regular basis.
2.8 Removal of access for employees upon termination or change of employment.
2.9 Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources.
2.10 Strong and complex passwords required. Initial passwords must be changed after the first login.
2.11 Passwords are never stored in clear-text and are encrypted in transit and at rest.
2.12 Account provisioning and de-provisioning processes.
2.13 Automatic account locking.
2.14 Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
2.15 Confidentiality requirements imposed on employees.
2.16 Mandatory security training for employees, which covers data privacy and governance, data protection, confidentiality, social engineering, password policies, and overall security responsibilities inside and outside of Clarifai.
2.17 Non-disclosure agreements with third parties.
2.18 Separation of networks based on trust levels.
3. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
3.1 User activity including logins, configuration changes, deletions and updates are written automatically to audit logs in operational systems. These logs are available only to authorized employees, stored off-system, and available for security investigations.
3.2 All logs can be accessed only by authorized Clarifai employees and access controls are in place to prevent unauthorized access.
3.3 Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through use of access controls and security measures.
3.4 Network segmentation and interconnections protected by firewalls.
3.5 Annual penetration testing for all components of the Clarifai SaaS, including web and mobile applications.
4. Measures for user identification and authorization
4.1 Access to operational and production environments is protected by use of unique user accounts, strong passwords, use of Multi-Factor Authentication (MFA), role-based access, and least privilege principle.
4.2 Authorization requests and provisioning are logged, tracked and audited.
4.3 Customer-generated OAuth tokens are stored in an encrypted state.
4.4 Keys required for decryption of those secrets are stored in a secure, managed repository (such as AWS KMS) that employs industry-leading hardware security modules that meet or exceed applicable regulatory and compliance obligations.
4.5 Access keys used by production Clarifai applications (e.g., AWS Access Keys) are accessible only to authorized personnel. They are rotated (changed) as required (e.g., pursuant to a security advisory or personnel departure) and at least yearly.
4.6 User activity in operational environments including access, modification or deletion of data is being logged.
4.7 Security groups and Network-based firewalls.
5. Measures for the protection of Data during transmission
5.1 Remote access to the network via VPN tunnel and end-to-end encryption
5.2 HTTPS encryption for data in transit (using TLS 1.2 or greater).
6. Measures for the protection of Data during storage
6.1 Clarifai customer instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged. Measures are in place to ensure executable uploads, code, or unauthorized actors are not permitted to access unauthorized data - including one customer accessing files of another customer.
6.2 Endpoint security software
6.3 System inputs recorded via log files
6.4 Access Control Lists (ACL)
6.5 Multi-factor Authentication (MFA)
7. Measures for ensuring physical security of locations at which personal data are Processed
7.1 Clarifai hosts the production infrastructure with multitenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance - among other certifications.
8. Measures for ensuring events logging
8.1 Remote logging
8.2 A central Security Information and Event Management (SIEM) system and other product tools monitor security or activities
9. Measures for ensuring system configuration, including default configuration
9.1 Clarifai has in place a Change Management Policy.
9.2 Clarifai monitors changes to in-scope systems to ensure that changes follow the process and to mitigate the risk of undetected changes to production. Changes are tracked in our change platform.
9.3 Access Control Policy and Procedures
9.4 Mobile device management
10. Measures for internal IT and IT security governance and management
10.1 Clarifai has established an Internal Controls Matrix in accordance with the SSAE18 SOC 2 standard. Information-related business operations continue to be carried out in line with the SOC 2 and HIPAA standard.
10.2 Clarifai has in place a written information security policy, including supporting documentation.
10.3 The authority and responsibility for managing Clarifai’s information security program has been delegated to a senior manager and they are authorized by senior management to take actions necessary to establish, implement, and manage Clarifai’s information security program.
11. Measures for certification/assurance of processes and products
11.1 Clarifai has been audited by a third party and has achieved SOC 2 compliance, attesting to our commitment to controls that safeguard the confidentiality and privacy of information stored and Processed in our service.
12. Measures for ensuring data minimization and limited data retention
12.1 Detailed privacy assessments are performed related to implementation of new products/services and processing of personal data.
12.2 Data collection is limited to the purposes of Processing (or the data that the customer chooses to provide).
12.3 Security measures are in place to provide only the minimum amount of access necessary to perform required functions.
12.4 Restrict access to personal data to the parties involved in the Processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.
12.5 After termination of all subscriptions associated with an environment, customer data submitted to the Services is permanently removed upon request or in accordance with the Agreement.
13. Measures for ensuring Data quality
13.1 Applications are designed to reduce/prevent duplication. Many application-level checks are in place to ensure data integrity.
13.2 QA team that helps to ensure these items are working as designed and implemented before reaching our production environment.
14. Measures for ensuring accountability
14.1 Customer Privacy Assessments are required when introducing any new product/service that involves Processing of personal data.
14.2 Data protection impact assessments are part of any new Processing initiative where legally required.
15. Measures for allowing data portability and ensuring erasure
15.1 Ability to export all data
EXHIBIT 2: Annex 1(B): Description of the Processing
Categories of data subjects:
Individuals whose data is contained in Customer Personal Data provided by Customer in connection with the Services. The categories of Data Subjects are determined by Customer in its sole discretion and (unless otherwise expressly specified by Customer) may include (i) authorized users and other employees, agents, advisors and freelancers of Customer, (ii) Customer's end users or customers, and/or (iii) other third-party individuals whose Personal Data is contained in Customer Personal Data.
Categories of personal data:
Personal Data contained in Customer Personal Data provided by the Customer in connection with the Services. The categories of Personal Data are determined by Customer in its sole discretion and (unless otherwise expressly specified by Customer) may include (i) images and video, (ii) text, (iii) geo-location, (iv) audio and other metadata, and/or (v) labels, tags and annotations.
Customer may choose to include sensitive data in Customer Personal Data provided by the Customer in connection with the Services. The sensitive data that Customer may submit is determined and controlled by Customer in its sole discretion and (unless otherwise expressly specified by Customer) may include, for example, (i) biometric data, (ii) racial or ethnic origin, and/or (iii) health data. The applied restrictions and safeguards for sensitive data are set out in Annex 2 to this Addendum.
Nature, subject matter and purpose(s):
Clarifai is a US-based company that provides a machine learning and artificial intelligence platform for computer vision, natural language processing and more. The subject matter of the Processing is Personal Data that is contained in the images, videos, text, audio and other data that Customer, its authorized affiliates, and/or its authorized users submit to Clarifai for Processing in connection with the Services and pursuant to the Agreement between the Parties. Clarifai shall Process Customer Personal Data for the Permitted Purposes as described in Section 4.1 of the Addendum.
Duration and retention period:
Clarifai shall Process Customer Personal Data until it is required to delete or return the Customer Personal Data upon termination of the Agreement and in accordance with the Agreement and this Addendum.
Annex 1(C): Competent Supervisory Authority
For the purposes of Clause 13 of the Standard Contractual Clauses, the competent Supervisory Authority is either (i) where Customer is established in the EEA, the Supervisory Authority responsible for ensuring Customer's compliance with the GDPR; or (ii) where Customer is not established in the EEA, the Supervisory Authority in the EEA member state where Customer's EU representative has been appointed pursuant to Article 27(1) of the GDPR or where the Data Subjects relevant to the transfer are located. In relation to Personal Data that is subject to UK Data Protection Laws and/or the Swiss DPA, the competent Supervisory Authority is the UK Information Commissioner's Office or the Swiss Federal Data Protection and Information Commissioner (as applicable).