This Data Protection Addendum (hereinafter referred to as the "Addendum" or the "DPA") forms part of the CUSTIFY TERMS AND CONDITIONS regarding the use of the Services (hereinafter referred to as the "Agreement" or the “Principal Agreement”) between: (i) Custify (hereinafter referred to as "Custify" or the "Processor") and (ii) the Customer (the "Customer" or the "Controller").
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
- 1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- 1.1.1 "Controller Personal Data" means any Personal Data processed by the Processor on behalf of the Controller pursuant to or in connection with the Agreement;
- 1.1.2 "Processor" means Custify;
- 1.1.3 "Controller" means the Customer;
- 1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the applicable data protection or privacy laws of any other country;
- 1.1.5 "EU Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR;
- 1.1.6 "GDPR" means EU General Data Protection Regulation 2016/679;
- 1.1.7 "Subprocessor" means any person (sub)contracted by Custify to Process Personal Data on behalf of the Controller in connection with the Principal Agreement and the DPA; and
- 1.2 The terms, "Processor", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" and any other terms defined in the GDPR, shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- 1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. The subject-matter of the processing of the Controller Personal Data
- 2.1 This DPA applies when Controller Personal Data is processed by the Processor on the Controller's behalf in accordance with the Agreement. The purpose of this DPA is to define the conditions under which the Processor will carry out, on the Controller's behalf, the processing of the Controller Personal Data.
- 2.2 The Processor will process on the Controller's behalf all the Controller Personal Data provided by the Controller in accordance with the Agreement, namely the provided personal data of the users that are natural persons (hereinafter also referred to as the "data subjects").
- 2.3 As part of their contractual relations, the parties shall undertake to also comply with the EU Data Protection Laws, as and if the case may be.
3. Duration of the processing of the Controller Personal Data
- 3.1 The Processor will process on the Controller's behalf the Controller Personal Data until the termination of the Principal Agreement and only as long as the Controller has not deleted (certain) Controller Personal Data.
- 3.2 In case that any processing is necessary after the termination of the Agreement, the provision of the DPA shall apply to any such supplementary processing.
- 3.3 Unless otherwise expressly included in a paid subscription plan, all events that represent Controller Personal Data will be automatically deleted 180 days after Custify receives them.
- 3.4 Unless otherwise expressly provided in the Agreement or the DPA or agreed by the Parties, the present DPA is valid until the termination of the Agreement, when it ceases automatically.
- 3.5 Except otherwise mentioned in the Principal Agreement and/or in the DPA and/or otherwise expressly agreed by the Parties, the Controller Personal Data will be stored by the Processor (into a database) into the Processor (or Processor’ third party service provider’s) servers till the termination of the Principal Agreement and of the DPA.
- 3.6 The Controller has the right to delete (through the API) any Controller Personal Data available through the Services at any time, as long as the Agreement is not suspended or terminated for any reason, and, unless otherwise expressly mentioned in the DPA, once deleted, such Controller Personal Data will be permanently deleted from Processor (or Processor’ third party service provider’s) servers and there will not be available anymore through the Services.
- 3.7 The Processor, on the Controller's behalf, will delete at the termination of the Agreement, the database with the Controller Personal Data that the Processor keeps on the Controller's behalf, without fulfilling any previous formality.
4. Description of the processing
4.1. The nature of the Controller Personal Data processing
The Controller Personal Data may be collected, extracted, compiled, synthesized, analysed, organized, structured, stored, consulted, used and disclosed, including by transmission, and/or otherwise processed as permitted in accordance with the Agreement and/or as permitted by the Services and/or as otherwise necessary for the purpose(s) mentioned below.
4.2. The purpose(s) of the processing of the Controller Personal Data
- 4.2.1 The Controller Personal Data will be mainly processed by the Processor for the purpose of being organized and structured, according with the needs of the Customer, based on the (permitted) requests of the Customer, in accordance with the Services, the subscription plan(s) and the attributes selected/chosen by the Customer, the events and attributes transmitted by the Customer, the customizations agreed by Custify but, for the sake of clarity, all the previous ones only as (usually) permitted by the Services. For the sake of clarity, the processed Controller Personal Data as previously mentioned are designated to be used for the internal business purposes of the Customer only and solely for his own benefit and the Customer understands and agrees with such use.
- 4.2.2 The Controller Personal Data will also be processed in order to send (electronic) communications (the “communications”) to the users, according with the needs of the Customer (through different ways of communications like: on web screens, in app-messages, native app screen, via email, SMS and phone calls – any of them only if technically possible), based on the (permitted) requests of the Customer, in accordance with the Services, the subscription plan(s) and the attributes selected/chosen by the Customer, the events transmitted by the Customer, the customizations agreed by Custify but, for the sake of clarity, all the previous ones only as (usually) permitted by the Services.
- 4.2.3 The Controller Personal Data will also be processed for any other purpose(s) chosen by the Customer through the settings of the Customer account, but only as (usually) permitted by the Services and/or (as) otherwise expressly previously agreed by the Processor.
4.3 The types of the Controller Personal Data to be processed
The Controller Personal Data that will be processed by the Processor are the personal data of the users that are natural persons provided by the Controller (e.g. country, name, surname, address, phone no., email address, revenue, etc.).
4.4 The categories of Data Subject(s) to whom the Controller Personal Data relate
The categories of the data subject(s) to whom the Controller Personal Data relates and whose Personal Data will be processed are the categories of the data subject(s) whose Personal Data the Controller decides to be processed through the Services, including without limitation Customer's (potential) clients, partners, employees, agents, etc.
4.5 Documented instructions from the Controller
The Processor will process the Controller Personal Data according with the ones mentioned in the present DPA, as well as on other documented instructions from the Controller. For the sake of clarity, for the purpose of the present DPA, the “documented instructions from the Controller” means the present DPA, any instruction that can be performed through the settings of the Customer account and any other reasonable instructions, within the scope of the present DPA, previously agreed by the Processor; without affecting the generality of the foregoing, for the sake of clarity, in such last case, the Parties have to agree in advance on any additional fees the Controller will pay to the Processor for carrying out such instructions. The Controller may terminate this DPA and the Agreement if the Processor declines to follow any of the instruction(s) of the Controller, this being the only remedy applicable in such case, and for the sake of clarity, without any liability whatsoever to the Customer and without paying any damages or other compensations by the Parties for such termination. To the maximum extent permitted by the legal regulations in force, the Processor shall not be liable in any way, in case an instruction infringes the GDPR or other Union or Member State data protection provisions.
4.6 Instruction that infringes the GDPR or other Union or Member State data protection provisions
- 4.6.1 The Processor shall take reasonable steps and shall make only the reasonable diligences, to immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
- 4.6.2 To the maximum extent permitted by the legal regulations in force the Processor shall not be liable in any way, in case an instruction infringes the GDPR or other Union or Member State data protection provisions and it didn’t immediately inform the Controller that, in its opinion, such instruction infringes the GDPR or other Union or Member State data protection provisions and the Customer acknowledges and agrees that Custify has no liability whatsoever in such cases.
- 4.6.3 For the sake of clarity, the obligation of verifying whether an instruction infringes the GDPR or other Union or Member State data protection provisions is entirely the obligation of the Controller.
- 4.6.4 Without affecting the generality of the foregoing and for the sake of clarity, the Controller is solely responsible for assessing whether or not the Services (and any part thereof) are appropriate for use with respect to the Controller obligations under any applicable laws or regulations.
5. Security of Processing
- 5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate and necessary, the measures referred to in Article 32(1) of the GDPR.
- 5.2 In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.
- 6.1 The Controller expressly acknowledges and agrees that the Processor may continue to use, in the processing of the Controller Personal Data, the Subprocessors already engaged until the acceptance of the present DPA by the Customer, in connection with the processing of the Controller Personal Data received through the Services. Without affecting the generality of the foregoing and for the sake of clarity, the Controller agrees that the Processor will process the Controller Personal Data also through the following Subprocessors, which are currently engaged to process the Controller Personal Data, as follows:
- The Controller Personal Data will be sent in order to be stored by the data storage providers and the provider of the application logic (at the moment of the present version being Amazon Web Services Emea Société à Responsabilité Limitée, MongoDB, Inc. and Elasticsearch, Inc.). If the Controller decides to send emails through the Processor, the email address(es) used will be sent to a verification service in order to avoid bounces (at the moment of the present version being Kickbox, Inc.). If the Controller decides to enter into an email / support / chat conversation with the Processor, the data provided in that chat session will be processed for communication purposes (at the moment of the present version being Slack Technologies Limited, Drift.com, Inc. and Google Ireland Limited).
- 6.2 The Controller grants to the Processor through the present DPA the general written authorization for the Processor to engage [(sub)contract] any Subprocessor(s) for processing the Controller Personal Data [Subprocessor(s) that the Processor will engage in connection with the processing of any (other) personal data received through the Services] without fulfilling any previous formality in relation with the Controller. At least 30 days before the Processor will engage any new Subprocessor(s) to process any Controller Personal Data, the Processor will update the list of the Subprocessors from the present DPA [being the obligation of the Customer to verify the list of the new Subprocessor(s)] or the Processor will otherwise inform the Customer. If the Customer does not agree with any of the new Subprocessor(s), it has the right to terminate the Agreement and the present DPA, the termination following to be effective at the end of the respective Subscription Period. For the sake of clarity, the Subprocessor(s) shall be subcontracted in order to process the Controller Personal Data.
7. Transfers of the Controller Personal Data to third countries and/or to the international organizations
The Controller grants to the Processor through the present DPA the general written authorization for the Processor to transfer the Controller Personal Data to third countries and/or international organizations that ensure an adequate level of protection (transfers on the basis of an adequacy decision) and/or, in the absence of a decision on an adequate level of protection, to transfer the Controller Personal Data to third countries and/or international organizations only if appropriate safeguards have been provided (transfers subject to appropriate safeguards), in order to be processed by the Subprocessors and without fulfilling any previous formality in relation with the Controller.
8. Personal Data Breach
- 8.1 The Processor shall notify Controller without undue delay upon Processor or any Subprocessor becoming aware of a Controller Personal Data Breach affecting Controller Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
- 8.2 The Processor shall co-operate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Custify will keep the confidentiality of the Controller Personal Data and of other Customer Data and will restrict the access to such information to its personnel, agents, representatives, (sub)contractors and/or consultants, if any, who need to have access to such information. Notwithstanding the foregoing, these provisions will not apply to the information that (a) is publicly available or in the public domain at the time disclosed; (b) is or becomes publicly available or enters the public domain through no fault of Custify; (c) is rightfully communicated to Custify by persons not bound by confidentiality obligations with respect thereto; (d) is already in Custify’s possession free of any confidentiality obligations with respect thereto at the time of disclosure; (e) is independently developed by Custify; or (f) is approved for disclosure by the disclosing party without restriction; and (g) is necessary to be disclosed in order to comply with the order of a court or other competent authority, or as otherwise necessary to comply with the applicable law.
10. Other obligations of the Processor
- a) processes the personal data only in accordance with the present DPA and on the documented instructions from the Controller (as defined in the present DPA);
- b) ensures that persons authorized to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- c) takes all measures regarding Security of Processing as mentioned in the DPA;
- d) respects the conditions referred to in the present DPA for engaging another Subprocessor(s);
- e) taking into account the nature of the processing, assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights;
- f) assists the Controller in ensuring compliance with the obligations regarding Security of Processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment and prior consultation, taking into account the nature of processing and the information available to the Processor;
- g) The Processor, on the Controller's behalf, will delete at the termination of the Agreement, the database with the Controller Personal Data that the Processor keeps on the Controller's behalf, unless Union or Member State law requires storage of such personal data; for the sake of clarity the Controller has the right to download, according with the Agreement and with the present DPA, as long as the Agreement is not suspended for any reason, till the termination of the Agreement, any of Controller Personal Data via the API.
- h) at the request of the Controller, makes available to the Controller all reasonable information necessary to demonstrate compliance with the obligations laid down in this article and allows for and contributes to necessary and reasonable audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Any such requests and any intention to perform audits shall be addressed to the Processor at least 90 days in advance. The Processor has the right to use external auditors to perform the audits regarding the above mentioned obligations, and any such audit will result in the generation of an audit report (the "audit report"). If the Processor makes such audit report available to the Controller, the Controller cannot address other request(s) and/or ask for other audits and/or inspections, as long as such audit report treats the issues mentioned above. The audit report shall be treated as strictly confidential by the Controller. If the Processor declines to follow any instruction requested by the Controller regarding any audit(s), the Controller is entitled to terminate this DPA and the Agreement with immediate effect.
11. Other obligations of the Controller
- A. shall document, in writing, any instruction bearing on the processing of data by the Processor.
- B. shall pay to the Processor all the relevant fees in order for the Processor to perform the obligations mentioned in art. 9 points e), f) and h); the fees must be agreed separately by the Parties before the Processor fulfils any of the previous obligations; otherwise the Processor has no obligation whatsoever to fulfil any of the obligations mentioned in art. 9 points e), f) and h).
- C. shall comply at all times with all applicable laws relating to processing and protecting the personal data, including without limitation the EU Data Protection Laws.
- D. shall comply at all times with all applicable laws concerning the respect for private life and the protection of personal data in electronic communications, including without limitation the Regulation(s) of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications.
- E. shall make all required notifications and information and will obtain all required consents and authorizations from data subjects relating to the processing of their (personal) data (through the solution and by the Processor and Subprocessors) as mentioned in the DPA;
- F. shall assess whether or not the solution is appropriate for Controller use with respect to Controller obligations under any applicable laws or regulations;
- G. shall comply with all applicable laws and regulations that apply to the countries to which the Controller transmits data through use of the solution;
- H. shall not transmit and/or otherwise process any Controller Personal Data that the Controller does not have a right to transmit and/or otherwise process, as the case may be.
- J. shall ensure that it has the right to transfer, or provide access to, the Controller Personal Data to the Processor for processing in accordance with the terms of the Agreement and this DPA, including EU Data Protection Legislation;
- K. shall obtain the consent of the users for the use (through/in connection with the Services, if and as the case may be) of processing and storage capabilities of terminal equipment and the collection of information from users' terminal equipment, including about its software and hardware, other than by the end-user, unless other grounds are applicable for such use and/or collection; and shall ensure that the collection of information emitted by terminal equipment to enable it to connect to another device and/or to network equipment is made only in accordance with the legal regulations in force.
- L. shall obtain the consent of the users for any unsolicited communications, including any direct marketing communications, that are sent to the users (through/in connection with the Services), unless other grounds are applicable in connection with such communications; the Customer shall clearly and distinctly give the opportunity to the users to object, free of charge and in an easy manner, to such unsolicited communications; the right to object shall be given each time a message (an unsolicited communication) is sent; such unsolicited communications shall contain the necessary data according with the applicable laws.
- M. shall not use the Services for the purposes of placing direct marketing calls.
- N. acknowledges and agrees that it is solely responsible and liable for any content and other material that it submits, publishes, transmits, or displays on, through, or with the Services, including through any communications.
- O. shall not use the Services to: (i) upload, post, email, or otherwise transmit any communications that contain unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another's privacy, hateful, or racially or ethnically offensive, indecent or otherwise objectionable content; (ii) harm any third parties in any way; (iii) impersonate any person or entity, or otherwise misrepresent itself; (iv) upload, post, email, or otherwise transmit any communications that it has no right to transmit under any applicable law; (v) upload, post, email or otherwise transmit any communications that infringe any patent, trademark, trade secret, copyright, or other right of any party; (vi) upload, post, email, or otherwise transmit any unsolicited or unauthorized advertising, promotional materials, "junk mail," "spam," "chain letters," "pyramid schemes," or any other forms of solicitation; (vii) upload, post, email, or otherwise transmit any communications that contain software viruses or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment; (viii) interfere with or disrupt the Services or servers or networks connected to the Services, or disobey any requirements, procedures, policies or regulations of networks connected to the Services; (ix) violate any applicable laws or regulations.
12. General Terms
- 12.1 The terms used in the present DPA will have the meaning defined in the DPA, in the GDPR and in the Agreement, unless the context otherwise requires or it is otherwise provided herein.
- 12.2 For the sake of clarity, this DPA will apply only to the extent that Custify processes Controller Personal Data on behalf of the Customer.
- 12.3 In the event of any conflict or inconsistency between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement, in relation with the processing of the Controller Personal Data, the provisions of this Addendum shall prevail.
- 12.4 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.