Appendix F - Privacy and Data Processing Addendum

Version 1.1 | September 2019 - FOR CONTRACTS BEFORE MAR 1, 2022.

1. Introduction

This Appendix F - Privacy and Data Processing Addendum (“DPA”) reflects our agreement about the processing of Customer Data including Personal Data, in accordance with the requirements of Data Protection Laws and Regulations.

Capitalized terms used in this Appendix F (and not otherwise defined) shall have the meaning given to that term in Appendix A - General Terms and Conditions.

2. Data Processing Terms

Customer and Company hereby agree that the following terms govern Customer’s transmission of any Personal Data to Company in connection with the Services.

3. Definitions

  1. “Data Controller” means the entity that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, Customer is the Data Controller.

  2. “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Company, including its affiliates, is the Data Processor.

  3. “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, and Switzerland, applicable to the Processing of Personal Data under the Agreement.

  4. “Data Subject” means the individual to whom Personal Data relates.

  5. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  6. “Personal Data” means data about a living individual transmitted to Company as part of the Customer Data from which that person is identified or identifiable, as defined in the GDPR, or any replacement legislation.

  7. “Processing” has the meaning given to it in the GDPR.

  8. “Sub-processor” means any Data Processor engaged by Company.

  9. “Technical and Organizational Measures” means the list of controls, processes, and procedures, as updated from time to time, regarding Company’s privacy and data security practices.

  10. “Userful Cloud” means Company’s online software platform, including the “Userful Control Center” when employed for remote access and customer support.

4. Processing of Personal Data

  1. Customer’s Responsibilities. Customer will, in its use of the Services, comply with the requirements of Data Protection Laws and Regulations. In addition, Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including providing any required notices to and obtaining any necessary consents from, Data Subjects.

  2. Company’s Processing of Personal Data. Company will process and use Customer Data on your behalf and only in accordance with your instructions (including via email), where such instructions are consistent with the terms of this Agreement, and to the extent required by law. Customer hereby acknowledges that by virtue of using the Services it gives Company instructions to process and use Customer Data in order to provide the Products in accordance with the Agreement. Personal Data is Confidential Information pursuant to the Agreement. Taking into account the nature of the processing and the information available to Company, Company will provide such reasonable information and assistance as Customer reasonably requires in assisting with Customer’s obligations under GDPR with respect to data protection impact assessments (as such term is defined under GDPR).

  3. Product Configuration. Customer has and will continue to have the “Userful Cloud” enabled for its networks. Customer acknowledges that, at no additional cost, it can instruct the Company to significantly limit the Customer Data and Personal Data that are transmitted to Company.

  4. Details of the Processing. Company Processes Customer Data to provide the Services to Customer in accordance with the Agreement. The nature and scope of the processing, the types of Personal Data, and the categories of Data Subjects processed under this DPA are specified in a separate data sheet to be agreed to by Customer and Company.

5. Rights of Data Subjects

  1. Deletion of Personal Data: Company gives Customer the ability to delete Personal Data of an individual Data Subject, as may be required by Data Protection Laws and Regulations, in such a way as to render the data inaccessible and unidentifiable to Customer or any third party. Following such deletion by Customer, Company will fully remove such data from its systems as soon as reasonably practicable and within a maximum period of 14 months.

  2. Data Subject Requests: Company will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, restriction, portability, or deletion of such Data Subject’s Personal Data. Except as required by law, Company will not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer and to direct the Data Subject to the Customer as appropriate. Taking into consideration the nature of the Processing, Company will assist Customer through reasonable and appropriate technical and organizational measures in responding to any Data Subject request to the extent Company is legally permitted to do so and the response to such Data Subject request is legally required. To the extent legally permitted and outside the ordinary course and cost of business, Customer is responsible for the costs associated with any such assistance provided by Company.

6. Company Personnel

  1. Confidentiality: Company will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Company will ensure that such confidentiality obligations survive the termination of the personnel engagement.

  2. Reliability: Company will take commercially reasonable steps to ensure the reliability of any Company personnel engaged in the Processing of Personal Data, including by conducting background checks on all new employees to the extent permitted and in compliance with applicable law and Company’s policies.

  3. Limitation of Access: Company will ensure that access to Personal Data is limited to the personnel who require such access to perform the Agreement.

7. Sub-Processors

  1. Appointment of Sub-processors: Customer acknowledges and agrees that (i) Company is entitled to retain its affiliates as Sub-processors, and (ii) Company or any such affiliate may engage any third parties from time to time to process Customer Data in connection with making the Services available to Customer. Company or its affiliates will only disclose Personal Data to Sub-processors that are parties to written agreements with Company or its affiliates, as applicable, that include obligations no less protective than the obligations of this DPA with respect to the protection of Customer Data to the extent applicable to the nature of the processing provided by such Sub-processor.

  2. Current Sub-processors / Notification of New Sub-processors: Company will make available to Customer a list of current Sub-processors for the Products upon request and as updated from time to time. Company will provide notice to Customer before authorizing any new Sub-processor(s) in connection with providing the Products. If Customer objects to Company’s use of a new Sub-processor, Customer may terminate any Hosted Software Licenses in respect of only those Products that cannot be provided by Company without the use of the objected-to new Sub-processor (the “New Sub-processor”), by providing written notice to Company within a reasonable period of time following the Dashboard Notice, such period not to exceed thirty (30) days (the “Notice Period”); provided, that Company will not be prohibited from engaging the New Sub-processor during or after the Notice Period.

  3. Liability: Company will be liable for the acts and omissions of its Sub-processors to the same extent Company would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

8. Security

  1. Technical and Organizational Measures. Company regularly monitors compliance with the technical and organizational safeguards that have been implemented and will continue to maintain appropriate safeguards during the term of the Agreement.

9. Security Breach Management

  1. Company maintains security incident management policies and procedures. If Company becomes aware of any unlawful destruction, loss, alteration or unauthorized disclosure of Customer Data (a “Security Incident”), then Company will notify Customer without undue delay and provide Customer with relevant information about the Security Incident, including the type of Customer Data involved, the volume of Customer Data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken. The obligations in this Section 9 do not apply to Security Incidents caused by Customer or Customer’s authorized users.

10. Return and Deletion of Customer Data

  1. At the termination of the Agreement, upon Customer’s written request and within a reasonable period, Company will: (i) make available to Customer all Personal Data, or (ii) delete, restrict processing, and/or de-identify Customer Data, including Personal Data, in such a way as to render such data inaccessible and unidentifiable to Customer or any third party. Unless such return, deletion, restriction of processing, or de-identification is not feasible or continued retention and processing is required or permitted by applicable law, Company will respond to such request as soon as reasonably practicable.

11. Transfers of Personal Data Outside EU

  1. Transfer Mechanisms: Subject to the terms of this DPA, Company makes available the following transfer mechanisms which will apply, in the order of precedence set out below, only to Personal Data transferred from the European Union, European Economic Area (EEA), and/or their member states, and Switzerland, either directly or via onward transfer, to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations, to the extent such transfers are subject to Data Protection Laws and Regulations:

    1. EU-U.S. and Swiss-U.S. Privacy Shield Frameworks: Company will maintain its self-certification to, and compliance with, the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as administered by the U.S. Department of Commerce, or successor frameworks, with respect to the transfer of Personal Data from the European Economic Area and/or Switzerland to the United States.

    2. Standard Contractual Clauses: Customer and Company may also enter into standard contractual clauses. Any enforcement of such standard contractual clauses by a “data subject” or an association or other body on a data subject’s behalf, will be subject to the terms of this DPA, with such enforcing party standing in the shoes of Customer.

For the avoidance of doubt, this DPA shall only become legally binding between Customer and Company when the Userful Order Form has been fully completed. For the avoidance of doubt, this DPA will immediately and automatically terminate in the event that any network of Customer does not subscribe to “Userful Cloud” or support subscription that employs Userful Control Center.
