+1.470.730.3560 info@rhodium-systems.io

Data Processing

Last updated: 17 March 2025

Rhodium Systems Data Processing Addendum

The terms of this Data Processing Addendum (“DPA”) supplement the Subscription Agreement where Customer is entering into the Subscription Agreement on behalf of an Enterprise. Customer’s acceptance of the Subscription Agreement shall be treated as its execution of this DPA and, where applicable, the Standard Contractual Clauses. The parties agree that this DPA sets forth both parties’ obligation with respect to the processing and security of Personal Data, to the extent Rhodium Systems processes such Personal Data. The parties hereby enter into this DPA in order to comply with the obligations under Applicable Data Protection Laws (as defined below).

1. Definitions.

The capitalized terms will have the meanings set forth below:

  1. “Applicable Data Protection Laws” means any applicable laws, statutes or regulations as may be amended, extended, re-enacted from time to time, or any successor laws which relate to Personal Data including: (a) the GDPR and any European Economic Area (the “EEA”) Member State laws implementing the GDPR; (b) the California Consumer Privacy Act of 2018 (the “CCPA”), including as modified by the California Privacy Rights Act of 2020 (the “CPRA”), and the California Attorney General Regulations thereof; (c) the United Kingdom (the “UK”) Data Protection Act 2018, as amended, and the GDPR, as incorporated into UK law (the “UK GDPR”); and (d) the Swiss Federal Act on Data Protection of 19 June 1992 and the revised version of 25 September 2020 and its corresponding ordinances (the “Swiss FADP”).
  2. “Data Breach” means a confirmed unauthorized access by a third party or confirmed accidental or unlawful destruction, loss or alteration of Personal Data.
  3. “Customer Product Usage Information” means aggregated or pseudonymized metrics derived from Customer’s use of the Software and which shall not include Customer Content.
  4. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  5. “Personal Data” means all information defined in the definition of “personal data” under GDPR, which is used in the Service.
  6. “Process”, “Processing”, “Processor”, and “Controller” shall have the meaning as defined under GDPR.
  7. “Restricted Transfer(s)” means a transfer of Personal Data from the EEA, the UK or Switzerland to a country that has not received an adequacy decision from the European Commission or the UK or Swiss authorities.
  8. “Service(s)” means the software and services licensed under the Subscription Agreement.
  9. “Standard Contractual Clauses” means (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum issued by the United Kingdom’s Information Commissioner’s Office to the EU Commission's Standard Contractual Clauses available at https://ico.org.uk/media/for-organisations/documents/4019539/international-datatransfer-addendum.pdf (the “UK SCCs”); and (iii) where the Swiss FADP applies, those clauses in section 15.d of this DPA (the “Switzerland Clauses”).
  10. “Sub-processor(s)” means any third-party Processor engaged by Rhodium Systems to Process Personal Data in order to provide the Services to Customer under the Subscription Agreement.
  11. “Subscription Agreement” shall mean Rhodium Systems’ standard terms of use and delivery with respect to its software and professional services or such separate agreement as agreed to between the parties in writing similarly governing the use and delivery of Rhodium Systems’ software and professional services.

2. Status of the Parties.

This DPA applies when Rhodium Systems Processes Personal Data in the provision of the Service. In this context, Customer may be the Controller, or in certain instances the Processor acting on behalf of the Controller, of Personal Data. In the event Customer is a Processor, this DPA will continue to refer to Customer as the Controller because it is unlikely that Rhodium Systems will know the identity of the Customer’s Controllers and because Rhodium Systems has no direct relationship with the Customer’s Controllers. Rhodium Systems is the Processor of Personal Data, except for those Processing activities detailed in section 18.a. of the DPA.

3. Details of the Processing and Transfer Description.

The subject-matter of the Processing of Personal Data to be carried out by Rhodium Systems under the Subscription Agreement, along with the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and the categories of data subjects Processed under these terms are further specified in Exhibit A. To the extent the Standard Contractual Clauses apply, the information in Exhibit A shall set forth the basis for such transfers under the Standard Contractual Clauses.

4. Processing Instructions.

Where Rhodium Systems acts as a Processor, Rhodium Systems shall only Process Personal Data on behalf of Customer and only in accordance with documented instructions received from Customer. The parties agree this DPA, the Subscription Agreement, and any features and settings used in the Software shall constitute Customer’s documented instructions. Rhodium Systems will notify Customer promptly if it considers that an instruction from Customer is in breach of any Applicable Data Protection Laws, and Rhodium Systems shall be entitled to suspend execution of the instructions. In the event Rhodium Systems is required to Process Personal Data under European Union or Member State law to which it is subject, Rhodium Systems shall without undue delay notify Customer of this legal requirement before carrying out such Processing, unless Rhodium Systems is prohibited from doing so on important grounds of public interest.

5. Confidentiality by Rhodium Systems Personnel.

Rhodium Systems will limit access to Personal Data to personnel who are required to access Personal Data in order to perform the obligations under the Subscription Agreement. Rhodium Systems shall impose appropriate contractual obligations upon its personnel to maintain the confidentiality of the Personal Data.

6. Security Measures.

Rhodium Systems will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

7. Data Breach.

In the event that Rhodium Systems becomes aware of a Data Breach, Rhodium Systems will:

  1. notify Customer without undue delay after Rhodium Systems becomes aware of the Data Breach;
  2. as part of the notification, provide Customer with information regarding the Data Breach, to the extent such information is available to Rhodium Systems, to enable Customer to comply with its notification requirements under the Applicable Data Protection Laws; and
  3. promptly commence an investigation into the Data Breach and take appropriate remedial steps to prevent and minimize any possible harm. For the avoidance of doubt, Data Breaches will not include unsuccessful attempts to, or activities that do not compromise the security of Personal Data. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users.

8. Data Subject Rights.

Where Rhodium Systems is a Processor and it receives a data subject request in relation to Customer, Rhodium Systems will either notify the Customer directly or reject the user’s request and inform the user to contact Customer. Customer is responsible for ensuring such requests are handled in accordance with Applicable Data Protection Laws. Rhodium Systems will assist Customer with its obligations in connection with data subject requests. To the extent Rhodium Systems is a Controller and it receives a data subject request, Rhodium Systems will comply with the requirements of Applicable Data Protection Laws.

9. Data Protection Impact Assessments (DPIA) and Prior Consultation.

Upon Customer’s request, Rhodium Systems shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Service. Rhodium Systems shall provide reasonable assistance to Customer in the cooperation or prior consultation with supervisory authorities in the performance of its tasks relating to this section 9, to the extent required under Applicable Data Protection Laws.

10. Requests from Authorities.

a. General Obligations.

Rhodium Systems shall, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities, promptly inform Customer of:

  1. any legally binding request for disclosure of Personal Data by a law enforcement authority; and
  2. any relevant notice, inquiry or investigation by a supervisory authority relating to Personal Data.

b. Obligations for Personal Data Transferred Under the Standard Contractual Clauses.

To the extent Rhodium Systems is a data importer under the Standard Contractual Clauses and receives a legally binding request for disclosure of Personal Data, Rhodium Systems agrees that:

  1. it will attempt to obtain a waiver in the event that the country of destination prohibits Rhodium Systems from notifying Customer of the legally binding request for disclosure of Personal data; and
  2. provide as much relevant information as possible to Customer, if permitted under the laws of the country, about the requests received.

In regards to the Personal Data disclosed, Rhodium Systems agrees that:

  1. it will challenge the request for disclosure if, after careful assessment, Rhodium Systems believes the request is unlawful; and
  2. provide the minimum amount of Personal Data permitted when responding to the request for disclosure.

11. Return or Deletion of Personal Data.

This section shall apply where Rhodium Systems acts as a Processor. Customer may, at any time during the term of the Agreement or upon termination of the Agreement, delete any groups containing Personal Data through the in-product administrative settings. Further, Rhodium Systems will, upon request, securely destroy or, at Customer’s sole discretion, return all Personal Data (including all copies) and confirm to Customer that it has taken such measures, in each case to the extent permitted by applicable law. Rhodium Systems agrees to preserve the confidentiality of any Personal Data retained by it in accordance with applicable law and agrees that any active Processing of such Personal Data after termination of the Subscription will be limited to the extent necessary in order to comply with applicable law. Rhodium Systems shall ensure that the obligations set forth in this section are also required of Sub-processors.

12. Controller Obligations.

Customer, acting as the Controller or on behalf of the Controller, agrees that:

  1. It shall comply with all Applicable Data Protection laws, and as between Customer and Rhodium Systems, it shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data;
  2. It has provided all legally required notices to and obtained all legally required consents from the data subjects whose Personal Data is Processed under the Subscription Agreement;
  3. All instructions from Customer to Rhodium Systems with respect to Processing of Personal Data shall comply with Applicable Data Protection Laws;
  4. It shall promptly inform Rhodium Systems of any non-compliance by Customer, its employees or contractors with this DPA or the provisions of the Applicable Data Protection Law relating to the protection of Personal Data Processed under the Subscription Agreement; and
  5. It is solely responsible for making an independent determination as to whether the technical and organizational measures for the Service meet Customer’s requirements, including any of its security obligations under applicable data protection requirements. Customer acknowledges and agrees that the security practices and policies implemented and maintained by Rhodium Systems provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

13. Audit.

  1. Rhodium Systems Audits. Rhodium Systems performs internal audits to verify the adequacy of its security measures, excluding the physical and environmental security of the third-party physical data centers from which Rhodium Systems provides the Services, as those controls are inherited by the third-party Sub-processor.
  2. Rhodium Systems Customer Audits. Rhodium Systems will assist Customers with remote self-serve audits of its security program by responding to requests for documentation evidencing Rhodium Systems’ policies, procedures and security measures. Rhodium Systems reserves the right to refuse to provide Customer (or its representatives) information which would pose a security risk to Rhodium Systems or its customers.
  3. Feedback. Upon completion of the remote self-serve audit, Customer may submit audit results in writing to Rhodium Systems. Rhodium Systems may in its sole discretion make commercially reasonable efforts to implement Customer’s suggested improvements.
  4. Audit Rights Under Standard Contractual Clauses. To the extent Rhodium Systems is a Processor and Customer’s audit requirements under the Standard Contractual Clauses or Article 28 of the GDPR cannot reasonably be satisfied through the Reports and self-service audits set forth above, Customer may request an additional audit. Before the commencement of an audit, Customer and Rhodium Systems will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit. To the extent needed to perform the audit, Rhodium Systems will make the Processing systems and supporting documentation relevant to the Processing of Personal Data by Rhodium Systems and its Sub-processors available, including inspections (provided that no access to third party confidential information will be permitted). Such an audit will be conducted by Customer or by an independent, accredited third-party auditor during regular business hours, with reasonable advance notice to Rhodium Systems, and subject to reasonable confidentiality procedures. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Rhodium Systems expends for any such audit. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Rhodium Systems. Nothing in this section of the DPA varies or modifies the Standard Contractual Clauses or affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.

14. Sub-processors.

To the extent that Rhodium Systems acts as a Processor:

  1. Customer agrees that Rhodium Systems shall be entitled to use industry standard Sub-processors for the Service. Customer may request a list of Sub-processors from Rhodium Systems. If Customer objects to the use of a Sub-processor, the parties will work together in good faith to resolve the objection, including making a commercially reasonable change to Customer’s configuration or use of the Services to avoid the Processing of Personal Data by the new Sub-processor. Customer can only object to the use of a Sub-processor on the basis that such usage would cause Customer to violate data protection commitments or other applicable legal requirements.
    1. To the extent applicable for Customer whose Services include Rhodium Systems’ software with a specified regional hosting location, as may be mutually agreed and described in an Order Form or Subscription Agreement as applicable, that hosting location will be as so designated.
    2. To the extent Customer has purchase Professional Services separate from the Subscription, as that term is defined under the Rhodium Systems Professional Services Agreement, and the parties have agreed Rhodium Systems will facilitate all or a part of such Professional Services via a subcontractor, Customer agrees that Rhodium Systems’ use of such subcontractor(s) shall be an approved Sub-processor.
  2. Where a Sub-processor is appointed as described in section 14.a. above: (i) Rhodium Systems will restrict the Sub-processor’s access to Personal Data to what is necessary to maintain the Service or to provide the Service to Customer in accordance with the documentation, and Rhodium Systems will prohibit the Sub-processor from accessing Personal Data for any other purpose; (ii) Rhodium Systems will enter into a written agreement with the Sub-processor and (iii) Rhodium Systems will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors that cause Rhodium Systems to breach any of Rhodium Systems’ obligations under this DPA.

15. International Data Transfers.

  1. If a transfer of Personal Data from Customer to Rhodium Systems is a Restricted Transfer, the transfer shall take place on the basis of the EU SCCs and/or the UK SCCs and/or the Switzerland Clauses. In the event Rhodium Systems obtains certification under the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. Data Privacy Framework, Rhodium Systems may also make Restricted Transfers to the United States on the basis of these certifications. The parties agree that the obligations under the Standard Contractual Clauses or the EU-U.S. DPF shall only apply to a Restricted Transfer.
  2. To the extent the EU SCCs apply, the parties agree that:
    1. where Module One of the EU SCCs applies to the Personal Data transferred for those Processing activities detailed in section 18.a of the DPA, Customer is acting as a Controller and “Data Exporter” and Rhodium Systems is acting as independent Controller and “Data Importer”;
    2. where Module Two of the EU SCCs applies to the Personal Data transferred, Customer is acting as a Controller and “Data Exporter” and Rhodium Systems is acting as a Processor and “Data Importer”;
    3. where Module Three of the EU SCCs applies to the Personal Data transferred, Customer is acting as a Processor and “Data Exporter” and Rhodium Systems is acting as a Processor and “Data Importer”;
    4. Clause 7. The optional docking clause does not apply;
    5. Clause 9(a). The parties select “Option 2 General Written Authorization” under Module Two and Module Three for the engagement of the Subprocessors identified in section 14 of this DPA and the time period for prior written notice of changes shall be thirty (30) days;
    6. Clause 11. The optional language will not apply;
    7. Clause 17. Option 2 will apply and the EU SCCs will be governed by the law of the Netherlands;
    8. Clause 18(b). Disputes shall be resolved before the courts of the Netherlands;
  3. To the extent the UK SCCs apply, the parties agree that:
    1. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent article or section of the UK GDPR; and references to "EU", "Union" and "Member State law" are all replaced with "UK";
    2. Clause 13(a) of the EU SCCs are not used;
    3. references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;
    4. Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales";
    5. Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts"; and
    6. the relevant Annexes of the UK SCCs shall be deemed complete with the information set out in Exhibit A to this DPA.
  4. To the extent the Switzerland Clauses apply, the parties agree that:
    1. the EU SCCs as implemented above will apply provided that “GDPR” shall be interpreted as references to the Swiss FADP;
    2. references to the “EU”, “Union”, and “Member State law” shall be interpreted as references to Switzerland and Swiss law;
    3. the term “member state” shall not exclude data subjects in Switzerland from being able to sue for their rights in their place of habitual residence; and
    4. references to any competent supervisory authority or court shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and courts in Switzerland.
  5. If there is a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of the conflict or inconsistency.

16. California Consumer Privacy Act and California Privacy Rights Act.

The following applies where Rhodium Systems is Processing Personal Data that is within the scope of CCPA or CPRA:

  1. The parties agree that Rhodium Systems is a service provider as defined under CCPA, and that any Personal Data transferred to Rhodium Systems is done for a valid business purpose and for Rhodium Systems to perform the Services;
  2. Subject to exceptions under CCPA, Rhodium Systems agrees that it will not sell Personal Data Processed under the Subscription Agreement, as the term “selling” is defined in the CCPA;
  3. Rhodium Systems will not share, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing or by electronic or other means, the Personal Data, transferred under the Subscription Agreement or to perform the Services, to a third party for cross-contextual behavioral advertising in which no money is exchanged;
  4. Customer may monitor Rhodium Systems's compliance with this DPA through those measures set forth in section 13, provided Customer will be subject to all requirements and limitations as specified in section 13.d.;
  5. Rhodium Systems will not use or disclose Personal Data outside its direct business relationship with Customer; and
  6. Rhodium Systems will not combine the Personal Data transferred under the Subscription Agreement or to perform the Services with information that it receives from or on behalf of a third-party or that it collects independently from California residents, except that Rhodium Systems may combine Personal Data to perform a valid business purpose as permitted under the CCPA and/or CPRA.

17. Limitation of Liability.

To the maximum extent allowed under Applicable Data Protection Laws, the parties intend and agree that each party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Subscription Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA.

18. Miscellaneous.

a. Rhodium Systems’ Role as a Controller. Customer acknowledges and agrees that as part of providing the Services, Rhodium Systems will Process certain Personal Data as a Controller for the following legitimate business purposes:

  1. to manage the relationship with Customer, such as the creation of customer relationship accounts and billing and licensing management;
  2. to conduct internal business operations, such as accounting, audit, tax, and other financial reporting purposes;
  3. to ensure the security of the Services, such as identity verification services and to prevent fraud and mitigate risk;
  4. to comply with our legal or regulatory obligations; and
  5. to improve and develop our products and Services through the collection and Processing of Customer Product Usage Information. To the extent any data Processed under this section is Personal Data, Rhodium Systems agrees that it will Process such Personal Data in compliance with Applicable Data Protection Laws and only for the purposes that are compatible with those described in this section18.a. Customer Content will not be Processed for any of the purposes listed under this section, unless required under applicable law. Rhodium Systems shall be an independent Controller for the Processing listed in this section and will be solely responsible and liable for any such Processing.

b. This DPA, including the Standard Contractual Clauses, constitute the entire agreement and understanding of the parties, and supersedes any prior agreement or understanding between the parties, in each case in respect of the Processing of Personal Data for the purposes specified herein. In case of discrepancies between this DPA and Subscription Agreement, this DPA shall prevail.

EXHIBIT A

Details of the Processing and Transfer Description

A. Section 2 of this DPA or Modules Two/Three of the EU SCCs

  1. Data Exporter: Customer

    Contact Details: As listed by Customer in the website purchase portal or as identified on any combination of an Order Form or Subscription Agreement. Signature and Date: Customer is deemed to have signed this DPA and the Restricted Transfer documentation incorporated herein, as of the effective date of acceptance via purchase by Customer through rhodium-systems.io, or the date an Order Form or Subscription Agreement is fully executed. Role: Controller or Processor

    Data Importer: Rhodium Systems, Inc.

    Contact Details: : 6470 East Johns Crossing, Suite 160, Johns Creek, Georgia 30097 USA   dproc@rhodium-systems.io
    Signature and Date: Rhodium Systems is deemed to have signed this DPA and the Restricted Transfer documentation incorporated herein, as of the effective date of acceptance via purchase by Customer through rhodium-systems.io, or the date an Order Form or Subscription Agreement is fully executed.
    Role: Processor or Sub-processor

  2. Categories of data subjects whose Personal Data is transferred

    • Customer’s prospects, clients, business partners, and vendors (who are natural persons)
    • Customer’s employees, agents, advisors and freelancers (who are natural persons)
    • Customer’s users authorized by Customer to use the Services
    • Any other natural persons who become identifiable through content provided via Customer’s use of the Services

  3. Categories of Personal Data transferred

    • Account Information, such as name, username, email address, and password
    • Profile Information, such as name, public avatar or photo, employer, email address, job title, address, social media
    handles, and biography
    • Contact information, such as name, address, email address, and telephone
    • Content provided through the use of the Services, such as users, roles, asset data and network configuration data.
    • Customer Support Information, such as the request you are making or the services being provided
    • Product Analytics for Customer to measure engagement by their own users, such as user-level metrics and counts related to
    interactions with the Software

  4. Sensitive or special categories of Personal Data

    Rhodium Systems does not intentionally collect sensitive or special categories of Personal Data, such as genetic data, health information, or religious information. These data elements should not be submitted to the Services without Rhodium Systems’ consent, pursuant to section 14 of the Subscription Agreement.

  5. Nature of the Processing

    The Processing relates to Customer’s use of the Services for purposes determined and controlled by Customer its sole discretion.

  6. Purpose(s) of any data transfer and further Processing

    Purposes of the data transfer are to allow Rhodium Systems entities to provide the Services, which are hosted and processed on servers in the United States.

  7. The frequency of any data transfer

    Personal Data will be transferred for the duration of the Subscription Term under the Subscription Agreement and this DPA on a continual basis.

  8. The period for which Personal Data will be retained

    Personal data will be retained for the period determined by Customer, including until termination of the Subscription Term, subject to exceptions allowed by law and under the Subscription Agreement with Customer.

  9. Transfers to Sub-processors

    Rhodium Systems’ Sub-processors import data under the Standard Contractual Clauses or other lawful transfer mechanism for the purposes of cloud hosting, search functionality, application logging and debugging, content delivery, transactional emails, and Customer Support. Rhodium Systems uses Sub-processors in order to provide the Services to Customer. Personal data will be retained for the period determined by Customer, including until termination of the Subscription Term, subject to exceptions allowed by law and under the Subscription Agreement with Customer.

B. Section 18.a of this DPA or Module One of the EU SCCs

  1. Data Exporter: Customer
    Contact Details: As listed by Customer in the website purchase portal or as identified on any combination of an Order Form or Subscription Agreement.
    Signature and Date: Customer is deemed to have signed this DPA and the Restricted Transfer documentation incorporated herein, as of the effective date of acceptance via purchase by Customer through rhodium-systems.io, or the date an Order Form or Subscription Agreement is fully executed.
    Role: Controller

    Data Importer: Rhodium Systems, Inc.
    Contact Details: : 6470 East Johns Crossing, Suite 160, Johns Creek, Georgia 30097 USA   dproc@rhodium-systems.io
    Signature and Date: Rhodium Systems is deemed to have signed this DPA and the Restricted Transfer documentation incorporated herein, as of the effective date of acceptance via purchase by Customer through rhodium-systems.io, or the date an Order Form or Subscription Agreement is fully executed.
    Role: Controller

  2. Categories of data subjects whose Personal Data is transferred
    • Customer’s employees, agents, advisors and freelancers (who are natural persons)
    • Customer’s users authorized by Customer to use the Services

  3. Categories of Personal Data transferred
    • Account Management Information, such as license data, historical user data, and account administrator contact information
    • Billing Information, such as Customer’s billing address, billing contact, and credit card or banking information
    • Customer Product Usage Information, as defined in the DPA, such as feature usage and engagement metrics
    • Security and Fraud Prevention Information, such as log data, device data and IP address

  4. Sensitive or special categories of Personal Data
    Rhodium Systems does not collect sensitive or special categories of Personal Data for the purposes as described under this subsection B of Exhibit A.

  5. Nature of the Processing
    The Processing allows for Rhodium Systems to understand how the Services are used, to process payments for the Services, to administer the Services, to comply with legal obligations, and to protect the safety and property of Rhodium Systems and Customer.

  6. Purpose(s) of any data transfer and further Processing
    Rhodium Systems has employees who are located in the United States.

  7. The frequency of any data transfer
    Personal Data will be transferred for the duration of the Subscription Term under the Subscription Agreement and this DPA on a continual basis.

  8. The period for which Personal Data will be retained
    Personal Data will be retained for the described in the Data Retention section of the Rhodium Systems Privacy Statement.