Pricing

WETEST DATA PROCESSING ADDENDUM

1. Definitions
1.1 For the purposes of this Addendum, the following expressions bear the following meanings unless the context otherwise requires:
"Applicable Data Protection Laws"means (a) the General Data Protection Regulation 2016/679 (the"GDPR"); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 ("DPA"), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the DPA, the"UK GDPR"), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;
"Controller to Processor Clauses"means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time;
"Data Processing Clauses"means the standard contractual clauses between controllers and processors set out in Commission Decision 2021/915 of 4 June 2021, or any equivalent clauses issued by the relevant competent authority of the UK, in each case as amended, updated or replaced from time to time;
"Data Subject"shall have the meaning given in the relevant Applicable Data Protection Laws;
"Effective Date"shall be the date on which the Data Controller accepts the Agreement as part of obtaining the WeTest services;
"Personal Data"means all Personal Data (as defined by the relevant Applicable Data Protection Laws) that is subject to the relevant Applicable Data Protection Laws from time to time;
"Process","Processed"or"Processing"has the meaning given in the relevant Applicable Data Protection Laws ;
"Processor to Processor Clauses"means, as relevant, (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 specifically including Module 3 (Processor to Processor); (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time ;
"Regulator"means the data protection supervisory authority which has jurisdiction over a Data Controller's Processing of Personal Data; and
"Third Country"means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.
2. Background
2.1 The customer of WeTest which acts as data controller (as determined under the Applicable Data Protection Laws) (the"Data Controller") wishes to appoint Top Range Mobile Limited (the"Data Processor") (collectively"the Parties"), to Process Personal Data, as further described in Schedule 1 (Processing Details), for the purpose of performing the WeTest Terms of Service, or such terms and conditions as agreed between the relevant customer and Top Range Mobile Limited (the"Agreement").
2.2 This Addendum is being put in place to ensure that Data Processor processes each Data Controller's Personal Data on the Data Controller's instructions and in compliance with the Applicable Data Protection Laws (as defined below).
3. Conditions of Processing
3.1 This Addendum governs the terms under which Data Processor is required to Process Personal Data on behalf of the Data Controller.
3.2 This Addendum shall commence on the Effective Date. Termination of this Addendum shall be governed by the Agreement.
4. Data Processor's Obligations
4.1 To the extent the Data Processor Processes Personal Data on behalf of the Data Controller, it shall:
4.1.1 Process the Personal Data only on behalf of the Data Controller and in accordance with, and for the purposes set out in the documented instructions received from the Data Controller, including with regard to transfers of Personal Data to Third Countries or an international organization, unless required to Process such Personal Data by Union or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
4.1.2 ensure that its personnel authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.1.3 implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing, including as set out in Schedule 2 and, as appropriate, (i) the pseudonymization of Personal Data; (ii) ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures;
4.1.4 taking into account the nature of the Processing, reasonably assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in the Applicable Data Protection Laws;
4.1.5 without undue delay notify the Data Controller (including further information about the breach provided in phases promptly as more details become available) in writing upon becoming aware of any improper, unauthorized, or unlawful access to, use of, or disclosure of, or any other event which affects the availability, integrity or confidentiality of Personal Data which is Processed by Data Processor under or in connection with this Addendum. The Data Processor shall be obliged to provide the Data Controller with all information necessary for the compliance with the Data Controller's obligations pursuant to Applicable Data Protection Laws;
4.1.6 provide reasonable assistance to the Data Controller in ensuring compliance with the obligations to (i) allow a Data Subject to exercise their rights under the Applicable Data Protection Law in respect of Personal Data Processed by Data Processor on behalf of any Data Controller (such as rights to rectification, erasure, blocking, access their personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making); (ii) implement appropriate technical and organizational security measures; (iii) notify (if required) Personal Data breaches to Regulators and/or individuals; (iv) deal or comply with any assessment, enquiry, notice or investigation by a Regulator; and (iv) conduct mandatory data protection impact assessments and, if required, prior consultation with Regulators;
4.1.7 at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies of the Personal Data unless Union or Member State law requires storage of the Personal Data; and
4.1.8 from time to time and on request from the Data Controller, make available to the Data Controller such information as is reasonably necessary to demonstrate compliance with the obligations laid down in this Clause 4 and Applicable Data Protection Laws, and reasonably allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
4.2 The Data Processor shall promptly inform the Data Controller if, in the Data Processor's opinion, an instruction of the Data Controller infringes the Applicable Data Protection Laws.
5. Changes in Applicable Data Protection Laws
5.1 The parties agree in good faith to modifications to this Addendum if changes are required for Data Processor to continue to process the Personal Data as contemplated by this Addendum in compliance with the Applicable Data Protection Laws or to address the legal interpretation of the Applicable Data Protection Laws, including (i) to comply with the GDPR or any national legislation implementing it, or the UK General Data Protection Regulation or the DPA, and any guidance on the interpretation of any of their respective provisions; (ii) the Controller to Processor Clauses or the Processor to Processor Clauses or any other mechanisms or findings of adequacy are invalidated or amended, or (iii) if changes to the membership status of a country in the European Union or the European Economic Area require such modification.
6. International Transfers
6.1 To the extent the Data Processor Processes Personal Data in a Third Country, and it is acting as data importer, the Data Processor shall comply with the data importer's obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this Addendum; the Data Controller will comply with the data exporter's obligations in such Controller to Processor Clauses; and:
6.1.1 for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, the parties and processing details set out in Schedule 1 (Processing Details) shall apply, and the Start Date is the Effective Date;
6.1.2 if applicable, for the purposes of Part 1 of such Controller to Processor Clauses, the relevant Addendum EU SCCs (as such term is defined in the applicable Controller to Processor Clauses) are the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2) as incorporated into this Addendum by virtue of this Clause 6.1.2;
6.1.3 for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organizational security measures set out in Clause 4.1.3 and Schedule 2 (Technical and Organization Security Measures) shall apply; and
6.1.4 if applicable, for the purposes of: (i) Clause 9 of such Controller to Processor Clauses, Option 2 ("General written authorization") is deemed to be selected and the notice period specified in Clause 7.1 shall apply; (ii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the relevant Regulator of the Data Controller; (iv) Clause 17, Option 1 is deemed to be selected and the governing law shall be Dutch law; (v) Clause 18, the competent courts shall be the Dutch courts; (vi) Part 1 of such Controller to Processor Clauses, the Data Processor as Importer may terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor Clauses.
6.2 The Data Controller acknowledges and agrees that Data Processor may appoint an affiliate or third party subcontractor to Process the Data Controller's Personal Data in a Third Country, in which case the Data Processor shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of the Data Controller.
7. Sub-Processing
7.1 The Data Controller hereby grants the Data Processor general written authorization to engage the sub-processors set out [at the end of this Addendum] subject to the requirements of this Clause 7, and on the condition that the Data Processor shall inform the Data Controller with seven (7) business days' prior written notice of any intended changes concerning the addition or replacement of the sub-processors, during which the Data Controller object against the change. In the event of no response from the Data Controller, the Data Processor may proceed with the addition or replacement. If the Data Controller rejects the replacement sub-processor, the Data Processor may terminate the Agreement with immediate effect on written notice to the Data Controller.
7.2 In the event that the Data Processor engages a sub-processor for carrying out specific Processing activities on behalf of the Data Controller, (i) the Data Processor shall ensure that it has a written agreement in place with such sub-processor which contains obligations on the sub-processor which are no less onerous on the relevant sub-processor than the obligations on the Data Processor under this Addendum, and (ii) where that sub-processor fails to fulfil its obligations, the Data Processor shall remain fully liable under the Applicable Data Protection Laws to the Data Controller for the performance of that sub-processor's obligations.
8. Data Controller's Obligations
8.1 Data Controller warrants that: (i) the legislation applicable to it does not prevent Data Processor from fulfilling the instructions received from the Data Controller and performing Data Processor's obligations under this Addendum; and (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Data Processor and enable the Processing of the Personal Data by the Data Processor as set out in this Addendum and as envisaged by the Agreement.
8.2 Data Controller agrees that it will jointly and severally together with any other Data Controller, indemnify and hold harmless Data Processor on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising directly or indirectly from a breach of this Clause 8.
9. Consequences of Termination
9.1 Upon termination of this Addendum in accordance with Clause 3.2, the Data Processor shall, at the choice of the Data Controller:
9.1.1 return to the Data Controller all of the Personal Data and any copies thereof which it is Processing or has Processed upon behalf of that Data Controller; or
9.1.2 destroy all Personal Data it has Processed on behalf of the Data Controller after the end of the provision of services relating to the Processing, and destroy all copies of the Personal Data unless any Applicable Data Protection Law requires storage of such Personal Data; and
9.1.3 in each case cease Processing Personal Data on behalf of the Data Controller.
10. Law and Jurisdiction
This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the jurisdiction stipulated for this purpose in the Agreement. Any disputes in connection with the binding provisions of this Addendum shall be resolved in accordance with the applicable dispute resolution provision in the Agreement.
PROCESSING DETAILS
A. LIST OF PARTIES
Data controller(s)/ exporter(s): The customer of WeTest which is deemed to be a data controller under the Applicable Data Protection Laws and has accepted the Agreement as part of obtaining the WeTest services. Details are as provided by the relevant customer.
Activities relevant to the data transferred under these Clauses: provision of Personal Data collected from Data Subjects for Processing to facilitate the services provided under the Agreement.
Role (controller/processor): Controller
Data processor/ importer(s):
Name: Top Range Mobile Limited
Address: 29/F., Three Pacific Place, No. 1 Queen's Road East, Wanchai, Hong Kong
Contact person's name, position and contact details: DPO_WeTest@wetest.net
Activities relevant to the data transferred under these Clauses: provision of the services as further set out in the Agreement.
Role (controller/processor): Processor
B. PROCESSING DETAILS/ DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is processed/ transferred
The Data Controller's employees and end users/customers.
Categories of personal data processed/ transferred
Registration information, payment management information, social media log in information, customer service information, WeChat Work information, testing information, quota management information, game installation package information, performance and analytics information
Sensitive data processed/ transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Not applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous, in accordance with the requirements of providing the services under the Agreement.
Nature of the processing
Account creation and registration, confirmation of identity for the use of services, administration of product and customer support services, operation and facilitation of the service (including maintaining transaction history), optimization of the service (including specifying users country and the corresponding language version), ensuring and maintaining the security of the service, and improving the operation of the service (including solving crashes and optimizing compatibility).
Purpose(s) of the data processing/ data transfer and further processing
To enable the provision of services in accordance with the Agreement.
Duration of the processing/ the period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement.
For processing by/ transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.
SCHEDULE 2
TECHNICAL AND ORGANIZATION SECURITY MEASURES
The Data Processor shall implement a comprehensive privacy and security program for the purpose of protecting content. This program includes the following:
  • Data security. The Data Processor shall design and implement the following measures to protect customer's data against unauthorized access:
    • standards for data categorization and classification;
    • a set of authentication and access control capabilities at the physical, network, system and application levels; and
    • a mechanism for detecting big data-based abnormal behavior.
  • Network security. The Data Processor shall design and implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.
  • Physical and environmental security. The Data Processor shall implement stringent infrastructure and environment access controls have been implemented for Data Processor's infrastructure based on relevant regional security requirements. Sub-processor shall implement an access control matrix is, based on the types of personnel and their respective access privileges, to ensure effective management and control of access and operations by personnel.
  • Incident management. The Data Processor shall operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.
LIST OF APPROVED SUB-PROCESSORS
SubcontractorsServices provided
Tencent Technology (Shanghai) Company LimitedData processing
Tencent Japan GKData center services and infrastructure
Aceville Pte LimitedData center services and infrastructure
Tencent Cloud LLCData center services and infrastructure
Harvest Sharp LimitedPayment services