GDPR Data Processing Agreement

This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service (“Agreement”) for Customers using the Services. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. The parties agree that the obligations under this DPA are specific to the European Data Protection Regulation ("GDPR") as it comes into effect May 25, 2018.

Definitions

  • “Adequate Country” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data;
  • “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
  • “EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, and the United Kingdom, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the GDPR;
  • “Personal Data” means any Customer Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.
  • “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
  • “Standard Contractual Clauses” means the clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council that were adopted by the Commission Decision of 5 February 2010 on standard contractual clauses (notified under document C(2010) 593), as such clauses may be amended from time to time.
  • “Privacy Shield” means the EU-U.S. Privacy Shield Framework and its Principles and the Swiss-U.S. Privacy Shield Framework and its Principles.
  • “GDPR”, General Data Protection Regulation, means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • “processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” shall have the meanings ascribed to them in EU Data Protection Laws.

Scope and Applicability of the DPA

This DPA applies where and only to the extent that we process Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.

In this context, Customer is the "controller" of Personal Data and we will process Personal Data only as "processor" on behalf of Customer, for the following purposes: (i) processing in accordance with this DPA and the Agreement; (ii) processing to comply with Customer’s documented instructions which are consistent with the Agreement; and (iii) processing initiated by Customer or Customer Users in their use of the Services. Notwithstanding anything to the contrary, we may use or share data otherwise collected and processed independently of Customer's use of the Services.

Customer shall, in its use of the Services, process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer’s instructions and actions for the processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer agrees that it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws to transfer, or provide access to the Personal Data in the context of processing and use of the Services pursuant to the Agreement and this DPA.

The type of Personal Data processed pursuant to this DPA may include, but is not limited to, first and last names, titles, position, employer, contact information (email, phone, fax, physical address, etc.), identification data, professional life data, personal life data, device data, connection data or localization data (including IP addresses).

Security

We shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data. Upon becoming aware of a Security Incident, we shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

Sub-processing

Customer grants us a general authorization to appoint third party data center operators, and outsourced marketing, business, engineering and customer support providers as sub-processors to support the provision and performance of the Service. We shall make available to Customer a current list of sub-processors upon request.

For any sub-processor engaged, we shall enter into a written agreement imposing data protection terms no less protective of Personal Data than those in this DPA to the extent applicable to the nature of the Services provided by such sub-processor.

International Transfers

Customer acknowledges and accepts that the provision of the Service under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA.

To the extent Personal Data is processed or transferred under this DPA outside of the EEA (except in an Adequate Country), we shall be deemed to provide adequate safeguards for such data, such as:

  • Entering into the Standard Contractual Clauses; or
  • Any other specifically approved safeguard as recognized under EU Data Protection Laws and/or a European Commission finding of adequacy.

Miscellaneous

  1. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, so far as the subject matter concerns the processing of Personal Data.
  2. Our liability under or in connection with this DPA (including under the Standard Contractual Clauses) is subject to the limitations on liability contained in the Agreement.
  3. Except to the extent specified in the Standard Contractual Clauses, if applicable, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
  4. This DPA and any action related thereto shall be governed by and construed in accordance with the Governing Law and Venue clauses of the Main Agreement.

Annex 1 - List of Sub-processors

Available upon request