This Data Processing Addendum (hereinafter: “Addendum”) forms an integral part of the Terms of Service of Readymag Inc., a Delaware corporation operating under the laws of State of Delaware, having its registered office at 160 Greentree Drive, Suite 101, Dover, DE 19904 (hereinafter: “Data Processor”) accepted by user of the Site and Service (hereinafter: “Data Controller”) during the registration procedure on the website of the Data Processor (hereinafter: “Principal Agreement”).

Data Controller and Data Processor shall collectively be referred to as the: “Parties”.

If you need signed version of this Addendum, please contact us at privacy@readymag.com and we will send you link for digital signing. You should provide us with some information. Once authorized person signs the Addendum you will receive a fully executed copy via email for download.

Preamble

In connection with the personal data collected from individuals located within the European Union (“EU”) member countries, in accordance with the Article 28 (Processor) of the General Data Protection Regulation 2016/679 of the European Union, the Parties decided to record in writing their rights and obligations regarding their data processing relationship.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an amendment to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

This Addendum shall remain in effect as long as the Principal Agreement is in force and shall expire upon the termination of the Principal Agreement.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 “Applicable Laws” means European Union or Member State of the European Union laws with respect to any Data Controller Personal Data in respect of which Data Controller is subject to EU Data Protection Laws;

1.1.2 “Contracted Processor” means Data Processor or a Subprocessor;

1.1.3 “Data Controller Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Data Controller in connection with the Principal Agreement;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.6 “Services” means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Principal Agreement;

1.1.7 “Subprocessor” means any person (including any third party, but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor to Process Personal Data in connection with the Principal Agreement.

1.2 The terms, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Data Controller Personal Data

2.1 Data Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and

2.1.2 not process Data Controller Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data.

2.2 Data Controller shall instruct Data Processor to:

2.2.1 process Data Controller Personal Data and

2.2.2 in particular, transfer Data Controller Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.

4. Data Processor

Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Data Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5.3 Details on applicable security measures are provided in Annex 2.

6. Subprocessing

6.1 Data Controller authorizes Data Processor to appoint Subprocessors in accordance with this section 6 and any restrictions in the Principal Agreement.

6.2 Data Processor may continue to use those Subprocessors already engaged as at the date of the present Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in section 6.4.

6.3 Data Processor shall give Data Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 3 (three) calendar days of receipt of that notice, Data Controller notifies Data Processor in writing of any objections to the proposed appointment:

6.3.1 Data Processor shall work with Data Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and

6.3.2 where such a change cannot be made within 30 (thirty) calendar days from Data Processor’s receipt of Data Controller’s notice, notwithstanding anything in the Principal Agreement, Data Controller may by written notice to Data Processor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.

6.4 With respect to each Subprocessor, Data Processor shall:

6.4.1 before the Subprocessor first Processes Data Controller Personal Data (or, where relevant), in accordance with section 6.1., shall ascertain that the Subprocessor is capable of providing the level of protection for Data Controller Personal Data required by the Principal Agreement;

6.4.2 ensure that the arrangement between on the one hand (a) Data Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and

6.4.3 provide to Data Controller for review such copies of the Contracted Processors' agreements with Subprocessors as Data Controller may request from time to time.

6.5 Data Processor shall ensure that each Subprocessor performs the obligations set out in this Addendum, as they apply to Processing of Data Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.

6.6 List of Subprocessors

Google LLC
Services: Web analytics (Google Analytics), website optimization (Google Optimize), online advertising (Google Ads), tag management (Google Tag Manager), data visualization (Google Data Studio)
Registered Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043
Country: United States of America

Rocket Science Group LLC d/b/a Mailchimp
Services: Email marketing and distribution (email campaigns, newsletters)
Registered Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308
Country: United States of America

Meta Platforms, Inc.
Services: Social media platforms (Facebook, Instagram), targeted advertising (ad placements, user engagement tracking)
Registered Address: 1 Hacker Way, Menlo Park, CA 94025
Country: United States of America

Zendesk, Inc.
Services: Customer support software (helpdesk solutions, customer relationship management - CRM)
Registered Address: 989 Market Street, San Francisco, CA 94103
Country: United States of America

Stripe, Inc.
Services: Payment processing (online payments, billing, fraud prevention)
Registered Address: 354 Oyster Point Blvd, South San Francisco, CA 94080
Country: United States of America

YouTube, LLC
Services: Video hosting and streaming (content distribution)
Registered Address: 901 Cherry Avenue, San Bruno, CA 94066
Country: United States of America

Hetzner Online GmbH
Services: Web hosting and cloud services (data centers)
Registered Address: Industriestr. 25, 91710 Gunzenhausen
Country: Germany

Amplitude Inc.
Services: User behavior analytics (product usage tracking, cohort analysis)
Registered Address: 201 3rd Street, Suite 200, San Francisco, CA 94103
Country: United States of America

Pinterest, Inc.
Services: Social media platforms (visual discovery engine, targeted advertising)
Registered Address: 651 Brannan Street, San Francisco, CA 94107
Country: United States of America

Honeycomb (Hound Technology, Inc.)
Services: Data processing and analytics (observability, performance monitoring)
Registered Address: 548 Market Street #25362, San Francisco, CA 94104-54013
Country: United States of America

TYPEFORM SL
Services: Online forms and surveys (data collection)
Registered Address: Carrer de Bac de Roda, 163, 08018 Barcelona
Country: Spain

Telegram Messenger Inc.
Services: Messaging platforms (secure communication, chat services)
Registered Address: Area Sh Zayed Road, Business Central Towers, Tower A, Office 2301, Dubai
Country: United Arab Emirates

Otter.ai, Inc.
Services: Speech recognition and transcription (meeting notes, voice-to-text)
Registered Address: 800 W El Camino Real, Suite 170, Mountain View, CA 94040
Country: United States of America

LinkedIn Corporation
Services: Professional networking (job postings, social media, targeted advertising)
Registered Address: 1000 West Maude Avenue, Sunnyvale, CA 94085
Country: United States of America

FirstPromoter
Services: Affiliate tracking and referral program management (marketing analytics)
Registered Address: 30 Talmacelului St., Talmaciu, Talmaciu city, Sibiu County, 555700
Country: Romania

TikTok (Beijing ByteDance Technology Co., Ltd.)
Services: Social media platforms (video sharing, targeted advertising)
Registered Address: Room 1001, Building E, No. 6, Middle 8th Ring Road, Haidian District, Beijing, 100020
Country: China

Cookiebot
Services: Cookie consent management (GDPR/ePrivacy compliance, user tracking control)
Registered Address: Cybot A/S, Havnegade 39, 1058 Copenhagen
Country: Denmark

OWOX
Services: Marketing analytics (data integration, business intelligence)
Registered Address: OWOX, 2 St. Moritz, CH-7500, St. Moritz
Country: Switzerland

ProfitWell by Paddle
Services: Subscription analytics (revenue recognition, pricing optimization)
Registered Address: 75 State Street, Suite 100, Boston, MA 02109
Country: United States of America

ZenLeads Inc.
Services: Data processing (analytics and tracking) and Marketing services (provision of personalized marketing)
Registered Address: 440 N Barranca Ave #4750, Covina, CA 91723-1722
Country: United States of America

We may update this list from time to time. Any changes will be published on this page, and you will be notified of any significant changes via email or other means if required by law.

Please note that we are not responsible for the content or policies of third-party websites. We recommend that you review the privacy policies and terms of use of any third-party service providers listed above. The information provided here is for your convenience, and we regularly update this information to the best of our abilities. However, we cannot guarantee the accuracy or completeness of the information provided.

Should you have any questions about our subprocessors, please contact us.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures prior accepted by the Data Controller, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2 Data Processor shall:

7.2.1 promptly notify Data Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and

7.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.

8. Personal Data Breach

8.1 Data Processor shall notify Data Controller without undue delay upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Such notification shall as a minimum:

8.2.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

8.2.2 communicate the name and contact details of Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;

8.2.3 describe the likely consequences of the Personal Data Breach; and

8.2.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.

8.3 Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

Data Processor shall provide assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Data Controller Personal Data by and taking into account the nature of the Processing and information available to, the Contracted Processors. The Data Controller shall ensure that during such data protection impact assessment the usual session at the Data Processor will not cause any unnecessary inconvenience to the Data Processor.

10. Deletion or return of Data Controller Personal Data

10.1 Subject to sections 10.2 and 10.3 Data Processor shall promptly and in any event within 3 (three) calendar days of the date of cessation of any Services involving the Processing of Data Controller Personal Data (the “Cessation Date”), or by anytime upon written request of the Data Controller, delete and procure the deletion of all copies of those Data Controller Personal Data.

10.2 Subject to section 10.3, Data Controller may in its absolute discretion by written notice to Data Processor within 3 (three) calendar days of the Cessation Date, or by anytime upon written request of the Data Controller require Data Processor to (a) return a complete copy of all Data Controller Personal Data to Data Controller by secure file transfer in such format as is reasonably notified by Data Controller to Data Processor; and (b) delete and procure the deletion of all other copies of Data Controller Personal Data Processed by any Contracted Processor. Data Processor shall comply with any such written request within 3 (three) calendar days of the Cessation Date.

10.3 Each Contracted Processor may retain Data Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Data Controller Personal Data and shall ensure that such Data Controller Personal Data is only Processed as necessary for the purposes specified in the Applicable Laws requiring its storage and for no other purpose.

11. Audit rights

11.1 Subject to section 10.2, Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.

11.2 Data Controller undertaking an audit shall give Data Processor reasonable notice of any audit or inspection to be conducted under section 11.1 and shall make reasonable endeavors to avoid causing or, if it cannot avoid, to minimize any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

12. Indemnification and penalty

12.1 Data Processor shall indemnify Data Controller for any and all loss, damage, payments, deficiencies, fines, judgements, liabilities, costs and expenses resulting from Data Processor’s or a Subprocessor’s incompliance with or infringement of the provisions of this Addendum or the requirements of the GDPR.

12.2 Data Processor shall within 30 (thirty) calendar days of the written notice of the Data Controller indemnify Data Controller for the losses described in section 12.1.

13.1 By instructing Data Processor to process personal data from the European Economic Area (“EU Transfer”), Switzerland (“Swiss Transfer”), or the United Kingdom (“UK Transfer”) the Data Controller acknowledge that this constitutes an international transfer of personal data to United States and other countries where Processing may take place, which are not subjects of adequacy decisions of the European Commission or similar decisions (together the “International Transfers”).

13.2 To ensure compliance with Applicable Laws for International Transfers, model 2 of the Standard Contractual Clauses shall be automatically incorporated into and form part of this Addendum, in accordance with the following provisions:

13.2.1 EU Transfers. For these transfers this Addendum includes and excludes:

13.2.1.1 Clause 9: option 2 is included, time period being the same 5 Business days.

13.2.1.2 Clause 11: optional clause is not included.

13.2.1.3 Clause 17: option 1 is included, and the Standard Contractual Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Cyprus.

13.2.1.4 Clause 18, (b): disputes shall be resolved before the Cyprus courts.

13.2.1.5 Annex I: this annex shall be deemed completed with the information set out in Annex 1 of this Addendum. Supervisory Authority identified as the Supervisory Authority of Cyprus.

13.2.1.6 Annex II: this annex shall be deemed completed with the information set out in Annex 2 of this Addendum.

13.2.2 Swiss Transfers. For these transfers, all data processing is agreed to be subject to the EU regulations standards in the same way they apply for EU Transfers. Nonetheless, for these transfers, this Addendum amends the Standard Contractual Clauses according to the following:

13.2.2.1 Clause 13: Switzerland’s Federal Data Protection and Information Commissioner shall be considered as the competent Supervisory Authority.

13.2.2.2 Clause 18, (c): the term "member state" should be interpreted to allow data subjects who are Swiss residents the ability to enforce their rights in the competent courts of their habitual residence.

13.2.3 UK Transfers. For these transfers, all data processing is agreed to be subject to the EU regulations standards in the same way they apply for EU Transfers. Nonetheless, for these transfers, this Addendum amends the Standard Contractual Clauses according to version B1.0 of the Information Commissioner Officer’s International Data Transfer Addendum to the Standard Contractual Clauses (the “IDTA”) and to the following:

13.2.3.1 Part 1, Table 1: this table of the IDTA shall be deemed completed with the information set out in Annex 1 of this Addendum.

13.2.3.2 Part 1, Table 2: this table of the IDTA shall be deemed completed with the information set out in this clause 13, the Addendum and the Principal Agreement.

13.2.3.3 Part 1, Table 3: this table of the IDTA shall be deemed completed with the information set out in Annexes 1 and 2 of this Addendum .

13.2.3.4 Part 2, incorporation of rules: without prejudice to clause 13.3. below, for UK Transfers, Part 2 of IDTA (the “Mandatory Clauses”) shall be automatically incorporated into and form part of this Addendum; “Mandatory Clauses” refers to the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

13.3 For International Transfers, in the event of any inconsistency or conflict among the provisions of the Standard Contractual Clauses, this Addendum, and the Principal Agreement, the provisions of the Standard Contractual Clauses shall prevail.