Data Processing Addendum
This Data Processing Addendum (this “Addendum”) is hereby incorporated into and made part of the Platform Services Agreement (“Agreement”) entered into between Vocareum, Inc. on behalf of itself and its Affiliates and subsidiaries (collectively “Supplier”) and you, (referred to herein as “Customer”). If any provisions of this Addendum conflicts with any provision of the Agreement, then the applicable provisions of this Addendum control. Capitalized terms used in this Addendum without definition have the meanings assigned to them in the Agreement.
1. Certain Definitions.
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
“EEA” means the European Economic Area (including the United Kingdom).
“EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iii) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union).
“Model Clauses” means the standard contractual clauses for transfer of personal data from an EU data controller to a Non-EU data processors as approved by the European Commission.
“Non-EU Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; and the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”).
“Personal Data” means any personal data that Supplier processes on behalf of Customer via the Platform Services, as more particularly described in this DPA and the Agreement.
“Security Incident” means the unauthorized access, collection, acquisition, use, disclosure or loss of Customer’s Personal Data in the possession and/or control of Supplier.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
“Sub-processor” means any processor engaged by Supplier or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of Supplier but shall exclude employees, contractors, or consultants.
The terms “Controller”, “Data Subjects”, “Processor”, “Processing”, and “Personal Data”, have the meanings given to them in Applicable Data Protection Laws. If and to the extent that Applicable Data Protection Laws do not define such terms, then the definitions given in Applicable Data Protection Law will apply.
2.2 Customer remains responsible in its capacity as Controller for determining the purposes and general means, and the appropriate Services, of Supplier’s processing of Customer’s Data under the Agreement subject to Supplier’s responsibility for determining and implementing the technical and organizational means of the processing envisaged by the Agreement and complying with its obligations with respect to Personal Data prescribed by Applicable Data Protection Laws. Customer will not provide (or cause to be provided) any Sensitive Data to Supplier for processing under the Agreement, and Supplier will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.3 Supplier and each Supplier Affiliate may continue to use those Sub-processors already engaged by Supplier or any Supplier Affiliate as at the date of this Addendum. Supplier shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Supplier to breach any of its obligations under this DPA.
2.4 Supplier shall give Customer prior written notice of the appointment of any new Sub-processor. If, within five (5) days of receipt of that notice, Customer notifies Supplier in writing of any objections (on reasonable grounds) to the proposed appointment, Supplier shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor.
The current listing of Supplier’s Sub-processors:
Amazon Web Services Seattle, WA
Sendgrid Denver, CO
3. Information Security;
3.1 Supplier will maintain reasonable technical, operational and security procedures in accordance with industry standard security risk management practices designed to protect from Security Incidents and to preserve the security, integrity and confidentiality of Personal Data.
4. Compliance with Applicable Data Protection Law;
4.1 Each Party will comply with its obligations under Applicable Data Protection Law(s) with respect to any Personal Data it processes under the Agreement. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to Supplier; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Supplier to process Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer will ensure that Supplier’s processing of the Personal Data in accordance with Customer’s instructions will not cause Supplier to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Supplier shall promptly notify Customer in writing, unless prohibited from doing so under EU Data Protection Laws, if it becomes aware or believes that any data processing instruction from Customer violates the GDPR or any UK implementation of the GDPR.
4.2 If Supplier is processing Personal Data in performing services under the Agreement and Personal Data of EU residents is reasonably likely to be processed outside the EEA, Supplier shall, upon request, execute the Model Clauses with respect to such Personal Data.
4.3 Supplier may disclose Personal Data to the extent required to meet a legal obligation, including national security or law enforcement obligations and applicable law, rule, order, or regulation.
5.1 Supplier will reasonably cooperate with Customer to enable Customer to respond to third party requests, complaints or other communications from Data Subjects and governmental, regulatory, or judicial bodies relating to the processing of Personal Data under the Agreement, including requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws. If any such request, complaint or communication is made directly to Supplier, Supplier will promptly pass this onto Customer and, unless otherwise required by applicable law, will not respond to such communication without Customer’s express authorization.
6. Security Incidents
6.1 Subject to any restrictions or obligations of applicable law or confidentiality, Supplier will inform Customer promptly, but in any event within 48 hours after Supplier reasonably believes it has discovered a Security Incident by providing notice via e-mail to the Customer’s main point of contact with Supplier or, if none, the authorized person listed on any Order Form or Statement Of Work, as executed by the parties. Supplier will promptly take reasonable steps to contain and investigate any Security Incident. Supplier will provide Customer with information available to Supplier through commercially reasonable security review regarding any Security Incident.
6.2 Except to the extent required by applicable law, Supplier agrees not to notify any regulatory authority on behalf of Customer of any Security Incident unless Customer specifically requests that Supplier do so and, in such event, Customer reserves the right to review and approve the form and content of any notification before it is provided to such regulatory authority.
6.3 In the event of a Security Incident, Supplier will:
(a) provide timely information and commercially reasonable cooperation so that Customer may fulfill its obligations under Applicable Data Protection Laws; and
(b) take commercially reasonable measures and actions, as appropriate, to remedy or mitigate the effects of the Security Incident and will keep Customer up-to-date about all developments in connection with the Security Incident.
Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Service.
7. Audit Rights
7.1 The parties hereby agree that Customer will have the right to audit Supplier’s information security program and processing of Personal Data once each calendar year during the Term. Any initial audit will consist of an audit questionnaire to be answered by Supplier. In the event that Customer reasonably believes Supplier’s answers to the audit questionnaire warrant further examination of Supplier’s information security program and/or processing of Personal Data, upon Customer’s request, one follow-up audit per calendar year during the Term may be conducted at a representative Supplier facility involved in delivery of the Services upon reasonable notice to Supplier, at reasonable times during business hours and at Supplier’s then-current rates.
8. International Transfers
8.1 Data center locations. Subject to Section 6.2, Customer acknowledges that Supplier may transfer and process Personal Data to and in the United States and anywhere else in the world where Supplier, its Affiliates or its Sub-processors maintain data processing operations. Supplier shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
8.2 Australian data. To the extent that Supplier is a recipient of Personal Data protected by the Australian Privacy Law, the parties acknowledge and agree that Supplier may transfer such Personal Data outside of Australia as permitted by the terms agreed upon by the parties and subject to Supplier complying with this DPA and the Australian Privacy Law.
8.3 European Data transfers. To the extent that Supplier is a recipient of Personal Data protected by EU Data Protection Laws (“EU Data”) in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), Supplier agrees to abide by and process EU Data in compliance with the Model Clauses in the form set out in Annex C. For the purposes of the descriptions in the Model Clauses, Supplier agrees that it is the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located outside Europe).
9. Data Subject Rights
9.1 Supplier agrees to provide reasonable additional assistance to Customer to the extent possible to enable Customer to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. In the event that any such request is made to Supplier directly, Supplier shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact Customer) or legally required, without Customer’s prior authorization. If Supplier is required to respond to such a request, Supplier shall promptly notify Customer and provide Customer with a copy of the request unless Supplier is legally prohibited from doing so. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent Supplier from responding to any data subject or data protection authority requests in relation to personal data for which Supplier is a controller.
9.2 Data protection impact assessment. To the extent required under applicable Data Protection Laws, Supplier shall provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws.
10.1 Except for the changes made by this Addendum, the Agreement remain unchanged and in full force and effect.
10.2 The obligations placed upon the parties under this Addendum will survive so long as Supplier processes Personal Data collected via Customer’s use of the Services.
10.3 This Addendum may be amended or modified by Supplier from time to time in its reasonable discretion.
10.4 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
End of Terms
Annex B: Security Measures (Available Upon Request)