Data Protection Addendum (DPA)

This Data Processing Addendum (the “DPA”) forms an integral part of the Agreement and is entered into between the entity identified as the “Customer” in the Agreement (“Customer”) and DiPhyx, Inc. (“DiPhyx”), and applies solely to the extent that DiPhyx processes any Customer Personal Data (defined below) in connection with the DiPhyx Platform (defined below). By agreeing to this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Law (defined below), in the name and on behalf of its Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term “Customer” shall include Customer and its Authorized Affiliates.

1. Definitions

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. “Authorized Affiliate” means a Customer Affiliate who is authorized to use the DiPhyx Platform under the Agreement and who has not signed their own separate agreement with DiPhyx.

1.2. “Agreement” means the DiPhyx Customer Agreement at user agreement document or any other written agreement that governs Customer’s use of the DiPhyx Platform.

1.3. “Audit” and “Audit Parameters” are defined in Section 9 below.

1.4. “Audit Report” is defined in Section 9.1.1 below.

1.5. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

1.6. “Customer Instructions” is defined in Section 3.1 below.

1.7. “Customer Personal Data” means Personal Data in Enterprise User Data (as defined in the Agreement) for which DiPhyx acts as a Processor.

1.8. “Data Protection Laws” means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including the applicable laws and regulations of the State of Delaware.

1.9. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

1.10. “DPA Effective Date” is the date of the last signature below.

1.12. “EEA” means European Economic Area.

1.13. “Personal Data” means information about an identified or identifiable natural person or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Data Protection Laws.

1.14. “Processing” and inflections thereof refer to any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.15. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

1.16. “DiPhyx Platform” means the cloud-based, high-performance computing environment operated by DiPhyx (a “Platform-as-a-Service” (PaaS) cloud provider). DiPhyx Platform excludes any feature of the DiPhyx Platform that is designated as “beta”, “experimental”, “preview” or similar, that is provided prior to general commercial release, and that DiPhyx at its sole discretion offers to Customer, and Customer at its sole discretion elects to use.

1.17. “Restricted Transfer” means: (i) where EU GDPR applies, a transfer of Customer Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination, (ii) where UK GDPR applies, a transfer of Customer Personal Data from the United Kingdom to any other country that is not subject to an adequacy determination or (iii) where FADP applies, a transfer of Customer Personal Data from Switzerland to any other country that is not subject to an adequacy determination.

1.18. “Security Incident” means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by DiPhyx.

1.19. “Specified Notice Period” is 72 hours.

1.20. “Standard Contractual Clauses” or “SCCs” means together (i) the “EU SCCs”, meaning the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and (ii) the “UK Addendum”, meaning the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

1.21. “Subprocessor” means any third party authorized by DiPhyx to Process any Customer Personal Data.

1.22. “Subprocessor List” means the list referenced in Section 4.

2. Scope and Duration

2.1. Roles of the Parties. This DPA applies to DiPhyx as a Processor of Customer Personal Data and to Customer as a Controller or Processor of Customer Personal Data.

2.2. Scope of DPA. This DPA applies to DiPhyx’s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws. This DPA does not apply where DiPhyx is the Controller of Personal Data.

2.3. Duration of DPA. This DPA commences on the DPA Effective Date and terminates upon expiration or termination of the Agreement (or, if later, the date on which DiPhyx has ceased all Processing of Customer Personal Data).

2.4. Order of Precedence. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any Standard Contractual Clauses, (2) this DPA and (3) the Agreement. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the disclaimers and limitations, set forth in the Agreement.

3. Processing of Personal Data

3.1. Customer Instructions.

3.1.1 DiPhyx will Process Customer Personal Data as a Processor only: (i) in accordance with Customer Instructions or (ii) to comply with DiPhyx’s obligations under applicable laws, subject to any notice requirements under Data Protection Laws.

3.1.2 “Customer Instructions” means: (i) Processing to provide the DiPhyx Platform and perform DiPhyx’s obligations in the Agreement (including this DPA) and (ii) other reasonable documented instructions of Customer consistent with the terms of the Agreement.

3.1.3 Details regarding the Processing of Customer Personal Data by DiPhyx are set forth in Annex A (Subject Matter and Details of Processing).

3.1.4 DiPhyx will notify Customer if it receives an instruction that DiPhyx reasonably determines infringes Data Protection Laws (but DiPhyx has no obligation to actively monitor Customer’s compliance with Data Protection Laws).

3.2. Confidentiality.

3.2.1 DiPhyx will protect Customer Personal Data in accordance with its confidentiality obligations as set forth in the Agreement.

3.2.2 DiPhyx will ensure personnel who Process Customer Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.

3.3. Compliance with Laws.

3.3.1 DiPhyx will comply with its obligations under this DPA and with Data Protection Laws applicable to DiPhyx’s provision of the DiPhyx Platform to its customers generally.

3.3.2 Customer will comply with Data Protection Laws, including those applicable to its issuing of Customer Instructions to DiPhyx. Customer will ensure that it has established all necessary lawful bases under Data Protection Laws to enable DiPhyx to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects.

3.4. Changes to Laws. The parties will work together in good faith to negotiate an amendment to this DPA as either party reasonably considers necessary to address the requirements of Data Protection Laws from time to time.

4. Subprocessors

4.1. Use of Subprocessors.

4.1.1 Customer generally authorizes DiPhyx to engage Subprocessors to Process Customer Personal Data, including those on the Subprocessor List. Customer further agrees that DiPhyx may engage its Affiliates as Subprocessors.

4.1.2 DiPhyx will: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this DPA and (ii) subject to the terms of this DPA and the Agreement, remain liable for compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause DiPhyx to breach any of its obligations under this DPA.

4.2. Subprocessor List. DiPhyx will maintain an up-to-date list of its Subprocessors, including their functions and locations.

4.3. Notice of New Subprocessors. DiPhyx may update the Subprocessor List from time to time. DiPhyx shall make available a mechanism for Customer to subscribe to notices of new Subprocessors (provided that Customer acknowledges that it may elect to use or not use certain Cloud Service Provider infrastructure in the DiPhyx Platform and therefore will not be notified of new Cloud Service Providers via the Subprocessor List). At least 5 days before any new Subprocessor Processes any Customer Personal Data, DiPhyx will notify those parties who have subscribed to the notifications of the new Subprocessor.

4.4. Objection to New Subprocessors.

4.4.1 If, within 5 days after notice of a new Subprocessor, Customer notifies DiPhyx in writing that Customer objects to DiPhyx’s appointment of such new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith.

4.4.2 If the parties are unable to reach a mutually agreeable resolution to Customer’s objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Order for the affected DiPhyx Platform in accordance with the Agreement.

5. Security

5.1. Security Measures. DiPhyx will implement and maintain reasonable and appropriate technical and organizational measures, procedures and practices, as appropriate to the nature of the Customer Personal Data, that are designed to protect the security, confidentiality, integrity and availability of Customer Personal Data and protect against Security Incidents, in accordance with DiPhyx’s Security Measures referenced in the Agreement and as further described at https://diphyx.com/legal/data-security-policy/.

5.2. Incident Notice and Response.

5.2.1 DiPhyx will implement and follow procedures to detect and respond to Security Incidents.

5.2.2 DiPhyx will: (i) notify Customer without undue delay and, in any event, not later than the Specified Notice Period, after becoming aware of a Security Incident affecting Customer and (ii) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within DiPhyx’s reasonable control.

5.2.3 Upon Customer’s request and taking into account the nature of the applicable Processing, DiPhyx will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws. Notwithstanding the foregoing, Customer acknowledges that it will be unlikely that DiPhyx can provide information as to the particular nature of the Customer Personal Data, or where applicable, the identities, number or categories of affected Data Subjects.

5.2.4 Customer acknowledges that DiPhyx’s notification of a Security Incident is not an acknowledgement by DiPhyx of its fault or liability.

5.2.5 Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

5.3. Customer Responsibilities.

5.3.1 Customer is responsible for reviewing the information made available by DiPhyx relating to data security and making an independent determination as to whether the DiPhyx Platform meets Customer’s requirements and legal obligations under Data Protection Laws.

5.3.2 Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents.

6. Data Protection Impact Assessment

DiPhyx shall provide reasonably requested information regarding the DiPhyx Platform to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.

7. Data Subject Requests

7.1. Assisting Customer. Upon Customer’s request and taking into account the nature of the applicable Processing, DiPhyx will assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer’s obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Cloud Service).

7.2. Data Subject Requests. If DiPhyx receives a request from a Data Subject in relation to the Data Subject’s Customer Personal Data, DiPhyx will notify Customer and advise the Data Subject to submit the request to Customer (but not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws), and Customer will be responsible for responding to any such request.

8. Data Return or Deletion

8.1. During Agreement Term. During the Agreement’s term, Customer may, through the features of the DiPhyx Platform, access, return to itself or delete Customer Personal Data.

8.2. Post Termination.

8.2.1 Following termination or expiration of the Agreement, DiPhyx will, in accordance with its obligations under the Agreement, delete all Customer Personal Data from the DiPhyx Platform in accordance with DiPhyx’s policies and procedures.

8.2.2 Deletion will be in accordance with industry-standard secure deletion practices.

8.2.3 Notwithstanding the foregoing, DiPhyx may retain Customer Personal Data: (i) as required by Data Protection Laws or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, DiPhyx will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Personal Data and (y) not further Process retained Customer Personal Data except for such purpose(s) and duration specified in such applicable Data Protection Laws.

9. Audits

9.1. Third-Party Compliance Program.

9.1.1 DiPhyx will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Customer upon Customer’s written request no more than once annually (subject to confidentiality obligations).

9.1.2 Customer may share a copy of Audit Reports with relevant government authorities as required upon their request.

9.1.3 Customer agrees that any audit rights granted by Data Protection Laws will be satisfied by Audit Reports.

10. Cross-Border Transfers

10.1. Cross-Border Data Transfers.

10.1.1 If DiPhyx engages in a Restricted Transfer, such transfer shall be governed by the SCCs which shall be deemed incorporated into and form an integral part of this DPA. If and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data to DiPhyx, the parties shall reasonably cooperate to agree and take any actions that may be reasonably required to implement any additional measures or alternative transfer mechanism to enable the lawful transfer of such Personal Data.

Additionally, in the event DiPhyx adopts an alternative transfer mechanism (including any successor version of the Privacy Shield), such alternative transfer mechanism shall apply instead of the SCCs described in this DPA (but only to the extent such alternative transfer mechanism complies with applicable Data Protection Laws and extends to the territories to which Customer Personal Data is transferred).

10.1.2 Transfers from the EEA. Where a Restricted Transfer is made from the EEA, the SCCs are incorporated into this DPA and apply to the transfer as set out in Annex B (Standard Contractual Clauses).

11. General

The parties agree that this DPA shall replace any existing data processing addendum, attachment, exhibit or standard contractual clauses that the parties may have previously entered into in connection with the DiPhyx Platform. This DPA may not be modified except by subsequent written agreement of the parties. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including all Annexes hereto), the SCCs or any data protection agreements in connection with the Agreement (if any), whether in contract, tort or under any other theory of liability, shall remain subject to the limitation of liability and disclaimer sections of the Agreement and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all Annexes hereto. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws. The obligations placed upon each party under this DPA and the Standard Contractual Clauses shall survive so long as DiPhyx processes Customer Personal Data on behalf of Customer.

Last Updated 3.4.24

ANNEX A

DESCRIPTION OF THE PROCESSING/TRANSFER

Annex 1(A) LIST OF PARTIES

  • Name of the data exporter: The entity identified as the “Customer” in the Agreement and this DPA.
  • Contact person’s name, position and contact details: The address and contact details associated with Customer’s DiPhyx account, or as otherwise specified in this DPA or the Agreement.
  • Activities relevant to the data transferred: The activities specified in Annex 1(B) below.
  • Signature and date: See front end of the DPA.
  • Role (Controller/Processor): Controller (for Module 2) or Processor (for Module 3).
  • Name of the data importer: DiPhyx, Inc.
  • Activities relevant to the data transferred: The activities specified in Annex 1(B) below.
  • Signature and date: See front end of the DPA.
  • Role (Controller/Processor): Processor.

Annex 1(B) DESCRIPTION OF THE PROCESSING

Categories of data subjects whose personal data is transferred: Data subjects include individuals about whom data is provided to DiPhyx via the DiPhyx Platform (by or at the direction of Customer).

Categories of Customer Personal Data transferred are determined and controlled by Customer in its sole discretion.

Sensitive data transferred: Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer may include ‘special categories of personal data’ or similarly sensitive personal data (as described or defined in Applicable Data Protection Laws) in Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.

Frequency of Transfer; Nature; Subject Matter; Duration of Processing: Continuous or one-off depending on Customer’s use of the DiPhyx Platform. DiPhyx provides the DiPhyx Platform as further described in the Agreement. The subject matter is Customer Personal Data (if Customer elects to upload Customer Personal Data). The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which DiPhyx processes Customer Personal Data.

DiPhyx shall process Personal Data for the following purposes: (a) as necessary for the performance of the DiPhyx Platform.

Annex 1(C) COMPETENT SUPERVISORY AUTHORITY. The data exporter’s competent supervisory authority will be determined in accordance with the EU GDPR.

ANNEX B

STANDARD CONTRACTUAL CLAUSES (Modules 2 and 3)

1. Subject to Section 10 of the DPA, where the transfer of Customer Personal Data to DiPhyx is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form part of the DPA as follows:

1.1 In relation to transfers of Personal Data protected by the EU GDPR, the SCCs shall apply as follows:

1.1.1 Module Two terms shall apply (where Customer is the controller of Personal Data) and the Module Three terms shall apply (where Customer is the processor of Personal Data);

1.1.2 in Clause 7, the optional docking clause shall apply and Authorized Affiliates may accede the SCCs under the same terms and conditions as Customer, subject to mutual agreement of the parties;

1.1.3 in Clause 9, option 2 (“general authorization”) is selected, and the process and time period for prior notice of Sub-processor changes shall be as set out in Section 4 of the DPA;

1.1.4 in Clause 11, the optional language shall not apply;

1.1.5 in Clause 17, option 1 shall apply and the SCCs shall be governed by Irish law;

1.1.6 in Clause 18(b), disputes shall be resolved before the courts of Ireland;

1.1.7 Annex I shall be deemed completed with the information set out in Annex A to the DPA; and

1.1.8 Annex II shall be deemed completed with the information set out in the Section 5 (Security Measures) of the DPA.

1.2 In relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs as implemented under Section 1.1 above shall apply with the following modifications:

1.2.1 the SCCs shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;

1.2.2 Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annex A and Annex B to the DPA and the Security Addendum respectively, and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”; and

1.2.3 any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

1.3 In relation to transfers of Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented under Section 1.1 above will apply with the following modifications:

1.3.1 references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;

1.3.2 references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” and/or “Swiss law” (as applicable);

1.3.3 references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;

1.3.4 the SCCs shall be governed by the laws of Switzerland; and

1.3.5 disputes shall be resolved before the competent Swiss courts.

2. Where the Standard Contractual Clauses apply pursuant to Section 10 of this DPA, this section sets out the parties’ interpretations of their respective obligations under specific provisions of the Clauses, as identified below. Where a party complies with the interpretations set out below, that party shall be deemed by the other party to have complied with its commitments under the Standard Contractual Clauses:

2.1 where Customer is itself a processor of Personal Data acting on behalf of a third party controller and DiPhyx would otherwise be required to interact directly with such third party controller (including notifying or obtaining authorizations from such third party controller), DiPhyx may interact solely with Customer and Customer shall be responsible for forwarding any necessary notifications to and obtaining any necessary authorizations from such third party controller;

2.2 the certification of deletion described in Clause 16(d) of the SCCs shall be provided by DiPhyx to Customer upon Customer’s written request;

2.3 for the purposes of Clause 15(1)(a) the SCCs, DiPhyx shall notify Customer and not the relevant data subject(s) in case of government access requests, and Customer shall be solely responsible for notifying the relevant data subjects as necessary; and

2.4 taking into account the nature of the processing, Customer agrees that it is unlikely that DiPhyx would become aware that Customer Personal Data processed by DiPhyx is inaccurate or outdated. To the extent DiPhyx becomes aware of such inaccurate or outdated data, DiPhyx will inform the Customer in accordance with Clause 8.4 of the SCCs.
