Last updated and effective as of August 6th, 2024
This Sturdy Data Processing Agreement (“DPA”) addresses the processing and transfer of Personal Data under the Master Services Agreement, order form, statement of work or other contract for the provision of Services (“Services Agreement”) by SturdyAI Inc., acting on its own behalf and as agent for each SturdyAI Inc. Affiliate (“Sturdy”) for the counterparty that entered in to the Services Agreement (“Customer”) (each a “Party” and collectively, the “Parties”). To the extent the terms of this DPA conflict with the Services Agreement with regard to the processing of Personal Data, the terms of this DPA shall prevail.
Article 1. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common Control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Applicable Law(s)” means as applicable and binding on Customer, Sturdy and/or the Services:
a. any law, statute, regulation, bylaw or subordinate legislation in force from time to time to which a Party is subject and/or in any jurisdiction that the Services are provided to or in respect of;
b. the common law and laws of equity as applicable to the Parties from time to time;
c. any binding court order, judgment or decree; or
d. any applicable direction, policy, rule or order that is binding on a Party and that is made or given by any regulatory body having jurisdiction over a Party or any of that Party’s assets, resources or business.
“Appropriate Safeguards” means legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
“Customer Data” means Personal Data received by Sturdy from or on behalf of Customer or Customer Affiliate in connection with the performance of Sturdy’s obligations under this DPA, as set forth in Annex A, and the Services Agreement.
“Data Protection Laws” means any Applicable Law governing the privacy and security of personally identifiable information, such as:
a. the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”);
b. the Data Protection Act 2018 and any laws implementing the GDPR;
c. the GDPR, as it forms part of the law of England and Wales, Scotland and Northern Ireland (i.e., the “UK GDPR”) as provided in the Data Protection Act 2018, and/or any corresponding or equivalent national laws or regulations;
d. the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 et seq.), as may be amended, supplemented, or otherwise modified from time to time, including by virtue of the California Privacy Rights Act (“CPRA”) (collectively, the “CCPA”);
e. Switzerland’s Federal Act on Data Protection (“FADP”), as amended;
f. the laws of any country or other jurisdiction (including, without limitation, the United States and its states) that may apply to the Services, including the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”), An Act Concerning Personal Data Privacy and Online Monitoring (Connecticut); and any laws replacing, amending, extending, re-enacting or consolidating any of the enumerated laws above from time to time.
“Data Subject” means the identified or identifiable person to whom the Personal Data relates.
“Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under applicable Data Protection Laws.
“Personal Data” means:
a. all individually identifiable information created, collected, accessed, received or otherwise processed pursuant to the Services performed under the Services Agreement; and
b. any other information that applicable Data Protection Laws treat as “personal data” (or equivalent term, including without limitation, “personal information,” “personally identifiable information,” and “nonpublic personal information”).
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data or any other unlawful acquisition, use or handling of Personal Data.
“Personnel” means all persons engaged or employed from time to time by either Party in connection with the Services Agreement, including employees, consultants, contractors and permitted agents.
“Services” means the products or services Sturdy provides Customer under the Services Agreement.
“Sub-processor” means another processor engaged by Sturdy for carrying out processing activities in respect of the Customer Data on behalf of Customer.
Terms used but not defined in this DPA (e.g., “processing”, “controller”, “processor”, “business”, “service provider”, “supervisory authority”) shall have the same meaning as set forth in the Services Agreement and applicable Data Protection Laws.
In this DPA references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable.
Article 2. Roles
- This DPA applies to Sturdy’s processing of Personal Data in Sturdy’s provision of the Services and defines the principles and procedures that Sturdy shall adhere to in its role as a data processor. The Parties agree that this DPA outlines Customer’s complete processing instructions for Sturdy under the Services Agreement.
- For purposes of this DPA, Customer and Sturdy agree that Customer is the controller (or “business” as that term is defined by the CCPA) of Customer Data and Sturdy is a processor of Customer Data (or “service provider” as set forth in the CCPA).
Article 3. U.S.-Specific Processing Requirements
The Parties agree that Data Protection Laws also include any United States federal and state laws applicable to the processing of Personal Data. Sturdy acknowledges that it shall act as a “service provider” or “contractor” where such term is defined under applicable Data Protection Laws and comply with all such obligations under applicable U.S. Data Protection Laws. Sturdy shall not: (i) sell or share (as defined under U.S. Data Protection Laws) Customer Data; (ii) collect, retain, use, or disclose Customer Data for any purpose other than providing the services specified in the agreement(s) between Customer and Sturdy; (iii) collect, retain, use, or disclose Customer Data outside of the direct business relationship between Customer and Sturdy; or (iv) combine Customer Data with Personal Data that Sturdy obtains from other sources or that Sturdy collects itself. Sturdy acknowledges that the Personal Data Customer discloses is provided for a “business purpose” (as defined under Data Protection Laws), including those business purposes outlined in this DPA. Sturdy understands that Customer may exercise any right of a controller or “business” under Data Protection Laws including, but not limited to, any right that (a) permits Customer to take reasonable and appropriate steps to ensure that Sturdy uses Customer Data consistent with Customer’s business purpose (b) stops or remediates Sturdy’s unauthorized use or misuse of Customer Data, upon notice to Sturdy. Without unreasonable delay, Sturdy shall notify Customer if it can no longer meet its obligations under the U.S. Data Protection Laws. Sturdy certifies that it understands the prohibitions outlined in this Article 3 and will comply with them.
Article 4. Scope of Personal Data Processing
- Customer determines the scope of Customer Data to which Customer provides Sturdy access to perform the Services. Accordingly, the collection, processing and/or use of Personal Data may relate to the categories of data presented in Annex A to this DPA.
Article 5. Data Processing Instructions
- Sturdy shall:
a. process the Customer Data only (i) on written instructions from Customer, as further specified in this DPA, or (ii) where required to do so under applicable Data Protection Laws to which Sturdy is subject. Customer hereby acknowledges that by virtue of using the Services, it gives Sturdy instructions to process and use Customer Data in order to provide the Services in accordance with the Services Agreement and as further described in Annex A;
b. ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory or contractual obligation of confidentiality;
c. take all applicable measures required of Sturdy as a data processor pursuant to applicable Data Protection Laws, as further specified in Article 10 below;
d. respect the conditions referred to in Article 7 for engaging another processor of Customer Data to provide the Services;
e. provide Customer reasonable assistance in the fulfilment of Customer’s obligations to respond to Data Subject requests, as applicable and required by Data Protection Laws;
f. assist Customer in ensuring compliance with the obligations pursuant to applicable Data Protection Laws, taking into account the nature of processing and the information available to Customer;
g. return or provide an opportunity for Customer to retrieve or otherwise securely delete all Customer Data after the end of the provision of Services. At Customer’s written request, Sturdy shall delete any Personal Data except for (i) secure back-ups deleted in the ordinary course of business according to an established data retention policy, and (ii) retention as required by Applicable Law;
h. make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Applicable Law;
i. ensure that only Personal Data which is strictly necessary for the legitimate conduct of the processing is collected and processed. Further, Sturdy shall provide information on the processing of Customer Data required by Data Protection Laws. Where required, Sturdy shall communicate the essential content of this DPA to the Data Subjects;
j. inform Customer if, in Sturdy’s opinion, any written instruction from Customer infringes Data Protection Laws, provided that Sturdy shall have no obligation to independently inspect or verify Customer’s use or processing of Personal Data; and
k. inform Customer of and provide reasonable assistance in meeting Customer’s obligations in regard to any Personal Data Breach of Customer Data, in accordance with Article 11 below.
- Where Sturdy engages another Sub-processor for carrying out specific processing activities on Customer’s behalf as part of the Services, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract or other legal act under Applicable Law. Sturdy shall engage any such Sub-processor in accordance with the terms of Article 7 below.
Article 6. Customer Obligations.
Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired the Personal Data, including providing any required notices to, and obtaining any necessary consent from, its clients, Data Subjects, employees or contractors who qualify as end-users for the Services. Should Customer learn that it has provided Personal Data that may not be shared pursuant to a consent or data privacy notice, Customer shall promptly notify Sturdy in writing, at privacy@sturdy.ai. Customer acknowledges and agrees that Sturdy shall not be liable for the Processing of any Personal Data (including Customer Data) in which Customer failed to obtain consent from the relevant Data Subject to process such Personal Data. Additionally, Customer shall comply with (a) the obligations of a data controller, “business,” or equivalent term (as these terms are defined under Applicable Laws) under all applicable Data Protection Laws; (b) all terms of the Services Agreement; and (c) all terms of this DPA.
Article 7. Sub-processing
- Subject to the terms of this Article 7, Customer consents to Sturdy engaging Sub-processors for the processing of Customer Data.
- Customer hereby acknowledges and expressly agrees that (i) Sturdy may engage the Sub-processors listed at: www.sturdy.ai/legal/sturdy-subprocessors, (ii) Sturdy is entitled to retain its Affiliates as Sub-processors, and (iii) Sturdy or any such Sturdy Affiliate may respectively engage any third parties to process Customer Data on Sturdy’s behalf in connection with the provision of Services. Sturdy (and each Sturdy Affiliate) may continue to use those Sub-processors already engaged by Sturdy or any Sturdy Affiliate as of the date of this DPA. If Customer wishes to be notified of new Sub-processors, it can subscribe to notifications by sending an email to privacy@sturdy.ai.
- Customer may object to Sturdy’s use of a new Sub-processor by notifying Sturdy promptly in writing within thirty (30) days of receipt of Sturdy’s notification of a new Sub-processor. If Customer objects within this time frame, Sturdy will make a reasonable effort to provide the Service in order to comply with Customer’s request. If Sturdy cannot comply with Customer’s request within sixty (60) days of said request, then Customer may terminate the Service. Sturdy will refund any prepaid fees remaining on Customer’s subscription, on a pro-rata basis from the date of termination.
- Sturdy will ensure that Sub-processors are bound by written agreement(s) that require Sub-processors to process Customer Data only as authorized by Sturdy and provide the same level of data protection required of Sturdy under this DPA.
- Sturdy remains responsible at all times for compliance with this DPA as applicable. Where the Sub-processor fails to fulfill its obligations under any written agreement, Sturdy shall remain fully liable to Customer for the performance of the Sub-processor’s obligations.
Article 8. Onward and International Data Transfer
In the event Customer requests Sturdy to transfer Customer Data across national borders, and without prejudice to the Data Subject’s rights, Sturdy agrees to consult with Customer to ensure the lawful export of Customer Data through an Appropriate Safeguard, including those safeguards available at: https://www.sturdy.ai/legal/sturdy-safeguards. If a listed Appropriate Safeguard is, or becomes, applicable under new Data Protection Laws, it shall be deemed to be signed by Sturdy and Customer by execution of the Services Agreement and is incorporated into this DPA by reference. Applicable Appropriate Safeguards shall be hereby effective upon the commencement of any transfer of Personal Data by either Party.
Article 9. Assistance with Data Subject Requests
- Sturdy will make available to Customer the Personal Data of Customer’s Data Subjects and the ability to fulfill requests by Data Subjects to exercise one or more of their rights under applicable Data Protection Laws in a manner consistent with the Services. Sturdy shall comply with reasonable requests to assist with Customer’s response to Data Subjects.
- If Sturdy receives a request from Customer’s Data Subject to exercise one or more of their rights under applicable Data Protection Laws, Sturdy will redirect the Data Subject to make their request directly to Customer.
Article 10. Technical and Organizational Controls and Security
Sturdy shall maintain the technical and organizational controls and security measures for the protection of Customer Data as set forth in this DPA and those located at: https://www.sturdy.ai/legal/sturdys-technical-and-organizational-measures. Sturdy may update its security practices and other security documentation without notice provided that the measures implemented during any term of Service shall in no event provide less protection than those included as of the effective date of such term.
Article 11. Personal Data Breach
- Notice Requirement. Sturdy shall notify Customer without unreasonable delay after becoming aware of a Personal Data Breach relating to Customer Data.
- Notice to Supervisory Authorities. Sturdy shall also ensure it complies with Applicable Laws concerning Personal Data Breaches and with its obligations to notify any supervisory authority as required by Applicable Law.
- Public Statement. Customer shall not issue any public statements regarding Sturdy or engage in any correspondence with a supervisory authority on behalf of Sturdy unless Sturdy has first agreed, in writing, to the issuance of the public statement or correspondence. Customer shall notify Sturdy in advance of any written statements it makes to Supervisory Authorities regarding Sturdy, unless otherwise prohibited by Applicable Law.
Article 12. DPIA; Records of Processing Activities
- If a data protection impact assessment is required pursuant to Data Protection Laws (including Article 35 of the GDPR), Sturdy shall cooperate and provide reasonable assistance to Customer in the performance of such assessment(s), to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Sturdy.
- Sturdy shall maintain all applicable records of data processing activities required by Article 30(2) of the GDPR and other applicable Data Protection Laws.
Article 13. Audit right
- Customer may carry out audits of Sturdy’s processing of Customer Data as required by Data Protection Laws, subject to Customer:
a. giving Sturdy at least thirty (30) days prior written notice of such audit being required by Customer;
b. ensuring that all information obtained or generated by Customer or its auditor(s) in connection with such audits is kept strictly confidential, save for disclosure to a supervisory authority or as otherwise required by Applicable Law;
c. ensuring that such audit is undertaken during normal business hours, with minimal disruption to Sturdy’s business, Sub-processors’ business, or the business of other clients of Sturdy; and
d. providing, at no charge to Sturdy, a full copy of all findings of the audit.
- Third-Party Auditors. Customer may use a third-party auditor with Sturdy’s written agreement, which shall not be unreasonably withheld. Prior to any third-party audit, such auditor shall be required to execute an appropriate confidentiality agreement with Sturdy.
- Notice of Failure to Comply. After conducting an audit under this Article 13 or after receiving an audit report from Sturdy, Customer must notify Sturdy, in writing, of the specific manner, if any, in which Sturdy does not comply with any of the security, confidentiality, or data protection obligations in this DPA or Data Protection Laws, if applicable. Any such information will be deemed confidential information of Sturdy. Upon such notice, Sturdy will use commercially reasonable efforts to make any necessary changes to ensure compliance with such obligations.
Article 14. Counterparts, Modification, Supplementation, and Term
- Counterparts. Should any provisions of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.
- Modification. The Parties may modify or supplement this DPA, with notice to the other Party, (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Applicable Law, (iii) to implement Appropriate Safeguards such as Standard Contractual Clauses, (iv) to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40 and 42 of the GDPR or similar provisions in applicable Data Protection Laws, or (v) to comply with any request or requirement imposed by an applicable third-party data controller.
- Supplementation. Without prejudice to this DPA, either Party may from time to time provide additional information and detail about how it will execute this DPA in its product-specific technical, privacy, or policy documentation.
- Term. This DPA shall expire upon the later of (a) the termination of the Services Agreement, (b) cessation of any processing of Customer Data by Sturdy on behalf of Customer, or (c) delivery of written notice of termination of the Services Agreement from one Party to the other.
- Liability and Indemnity. This DPA is subject to the limitations of liability and indemnity set forth in the Services Agreement.
Article 15. Governing Law.
- This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, Delaware and controlling United States federal law or, if required under Data Protection Laws, the governing law required by such Data Protection Laws.
- This DPA is subject to the governing law and exclusive jurisdiction set forth in the Services Agreement.