Data Processing Addendum
Last Updated: April 20, 2023
(For Processors or Sub-Processors to Kustomer)
THIS DATA PROCESSING ADDENDUM (THE “DPA”) FORMS A PART OF, AND IS INCORPORATED INTO, THE CONSULTING AGREEMENT OR PROFESSIONAL SERVICES AGREEMENT OR OTHER WRITTEN OR ELECTRONIC AGREEMENT FOR THE PROVISION OF PROFESSIONAL OR OTHER SERVICES (THE “AGREEMENT”) BETWEEN KUSTOMER, LLC (“KUSTOMER”) AND THE ENTITY (“SERVICE PROVIDER”) THAT ENTERED INTO THE AGREEMENT WITH KUSTOMER.
- Definitions
1.1 “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement. With respect to Personal Data relating to EEA, UK, and/or Switzerland Data Subjects, “Applicable Data Protection Laws” shall include, but not be limited to, EU & UK Data Protection Laws. With respect to Personal Data relating to California, Colorado, Connecticut, Utah, and/or Virginia Data Subjects, “Applicable Data Protection Laws” shall include, but not be limited to, US Privacy Laws.
1.2 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. With respect to Personal Data relating to California, Colorado, Connecticut, Utah, and Virginia Data Subjects, Controller shall include, but is not limited to, the term “Business” or “Controller,” as applicable, under the relevant US Privacy Laws.
1.3 “Data Subject” means (i) an identified or identifiable natural person to whom Personal Data relates, and who is in the EEA, UK or Switzerland or whose rights are protected by EU & UK Data Protection Laws; or (ii) a “Consumer” or if applicable “Household” as the term is defined under the applicable US Privacy Law.
1.4 “EEA” means the European Economic Area.
1.5 “EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the United Kingdom’s Data Protection Act 2018 (“UK DPA”); the UK General Data Protection Regulation as defined by the UK DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the UK DPA, the “UK GDPR”); (iii) the Privacy and Electronic Communications Regulations 2003; and (iv) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the Processing of Personal Data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time (including, for purposes of clarification and without limitation, the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time) (“Swiss DPA”)).
1.6 “EU Transfer Clauses” means the Standard Contractual Clauses approved by EC Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) and Module 3 (Processor to Processor) as applicable to the activities of the parties under the Agreement, as may be amended, updated or replaced from time to time by the European Union, for the transfer of personal data from the European Economic Area (“EEA”) to a Third Country.
1.7 “Kustomer Personal Data” means Personal Data received by Service Provider pursuant to this Agreement and pertaining to Kustomer’s current, former, or potential business, customers, employees, vendors, or other individuals.
1.8 “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Laws.
1.9 “Process”, “Processes”, “Processing”, “Processed” shall have the meanings assigned to them in the Applicable Data Protection Laws.
1.10 “Processor” means the entity which Processes Personal Data on behalf of the Controller. With respect to Personal Data covered under US Privacy Laws, from California, Colorado, Connecticut, Utah, and/or Virginia Data Subjects, Processor shall include the term “Processor” or “Service provider”, as applicable, according to the meaning given to that term by the relevant US Privacy Law.
1.11 “Security Incident” means an event about which Service Provider knows, discovers, is notified of, or reasonably suspects that Kustomer Personal Data has been accessed, disclosed, acquired or used by unauthorized persons, in violation of Applicable Data Protection Laws.
1.12 “Services” means the services provided to Kustomer by Service Provider pursuant to the Agreement.
1.13 “Standard Contractual Clauses” or “SCCs” means EU Transfer Clauses and the UK International Data Transfer Addendum, provided that their Appendices and Annexes are set forth in Schedule 1 to this DPA.
1.14 “Sub-Processor” means Service Provider’s contractors, agents, vendors, and third-party service providers, that Process Kustomer Personal Data.
1.15 “Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR or Swiss data protection law, any country outside of the scope of the data protection laws of the UK or Switzerland (as applicable), excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK or Switzerland (as applicable) from time to time.
1.16 “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, as may be amended from time to time, for the transfer of personal data from the UK to a Third Country and the processing of Personal Data.
1.17 “US Privacy Laws” means (i) as of January 1, 2020, the California Consumer Privacy Act (“CCPA”), (ii) as of January 1, 2023, the CCPA as amended by the California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“VCDPA”), (iii) as of July 1, 2023, the Connecticut Data Privacy Act (“CTDPA”), the Colorado Privacy Act (“CPA”), and (iv) as of December 31, 2023, the Utah Consumer Privacy Act (“UCPA”). “Business”, “Business Purpose”, “Commercial Purposes”, “Sell”, “Share”, and “Service Provider” have the meanings given in the applicable US Privacy Laws.
- Data Handling and Access
2.1 Controller Instructions and General Compliance. Service Provider will Process Kustomer Personal Data only in accordance with the written instructions of Kustomer, or the written instructions of the applicable data controller to which Kustomer is acting as a Processor in regards to the Kustomer Personal Data. Kustomer hereby authorizes and instructs Service Provider, and Service Provider will, and will require Sub-Processors, to Process Kustomer Personal Data in compliance with the terms of the Agreement, this DPA, other documented instructions provided by Kustomer (e.g. via email), and all Applicable Data Protection Laws. Service Provider will promptly notify Kustomer about any circumstance where it is unable to comply with the Applicable Data Protection Laws or any actual or potential changes to the Applicable Data Protection Laws, which affect Service Provider’s ability to comply with Kustomer instructions or Service Provider’s obligations under this DPA or the Agreement.
2.2 Service Provider Personnel. Service Provider shall: (i) ensure that its personnel will not Process Kustomer Personal Data except in accordance with the provisions of this DPA, and (ii) require that personnel are contractually obligated to maintain the security and confidentiality of any Kustomer Personal Data in Service Provider’s possession, even after their engagement ends. Service Provider shall take reasonable steps to ensure the reliability of the Service Provider personnel processing Kustomer Personal Data and that the personnel Processing Kustomer Personal Data receive appropriate training on compliance with this DPA and the Applicable Data Protection Laws applicable to the Processing.
2.3 Authorization to Use Sub-Processors. Service Provider will not permit Sub-Processors to Process Kustomer Personal Data without the authorization of Kustomer. Service Provider will provide Kustomer, upon Kustomer’s request, the name, address and role of each approved Sub-Processor used to Process Kustomer Personal Data and any other records of Processing of Kustomer Personal Data that Sub-Processors are required to maintain and provide under Applicable Data Protection Laws.
2.4 Service Provider and Sub-Processor Compliance. Service Provider agrees to (i) enter into a written agreement with Sub-Processors regarding such Sub-Processors’ Processing of Kustomer Personal Data that imposes on such Sub-Processors data protection and security requirements for Kustomer Personal Data that are compliant with Applicable Data Protection Laws, that are consistent with the requirements under this DPA and that, at a minimum, require a level of data protection and security equal to or superior to the level of data protection and security under this DPA; (ii) reasonably enforce compliance with such written agreement; and (iii) remain responsible to Kustomer for the actions or omissions of Service Provider’s Sub-Processors (and their sub-processors if applicable) with respect to the Processing of Kustomer Personal Data.
2.5 Objection Right for New Sub-Processors. Service Provider will inform Kustomer of any new Sub-Processor at least sixty (60) days before authorizing such new Sub-Processor to Process Kustomer Personal Data. Kustomer may object to Service Provider’s use of a new Sub-Processor by notifying Service Provider in writing within 30 days after receipt of such information. In the event Kustomer objects to a new Sub-Processor, as permitted in the preceding sentence, Service Provider may address the concerns with respect to the Sub-Processor, make available to Kustomer a change in the Services, or recommend a commercially reasonable change to Kustomer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to Sub-Processor without unreasonably burdening Kustomer. If Service Provider does not do so within a reasonable period of time, which shall not exceed thirty (30) days, Kustomer may terminate the applicable Agreement by providing written notice to Service Provider. Service Provider will refund Kustomer any prepaid fees covering the remainder of the term following the effective date of such termination.
2.6 Details of the Processing. The subject matter of Processing of Personal Data by Service Provider is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in the schedules to this DPA.
- Rights of Data Subjects
Service Provider will promptly notify (but in no case less than five (5) days of Service Provider’s receipt thereof) Kustomer if Service Provider receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or its right not to be subject to any automated individual decision making (“Data Subject Request”). Service Provider will assist Kustomer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Kustomer’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws. In addition, Service Provider will use commercially reasonable efforts to assist Kustomer in responding to such Data Subject Request.
- Compliance
4.1 Service Provider Data Transfer Mechanism. The parties hereby incorporate by reference the SCCs. For the avoidance of doubt, signature to the Agreement that incorporates this DPA by reference shall be deemed to constitute signature and acceptance of the SCCs incorporated herein, including their appendices and annexes set forth on the schedules attached hereto. The parties agree that (i) purely for the purposes of the descriptions in the SCCs, Service Provider shall comply with the “data importer” obligations and Kustomer shall comply with the “data exporter” obligations in the SCCs (notwithstanding that Kustomer is located outside Europe and/or Kustomer may be acting as a processor on behalf of third party controllers); (ii) with respect to subprocessing, Service Provider may commission Sub-Processors, in accordance with Section 2 of this DPA, to process Kustomer Personal Data in a Third Country, in which case Service Provider shall execute the Processor to Processor SCCs, if applicable and available, with any relevant Sub-Processor; and (iii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict. The parties may also agree to separately execute a copy of the SCCs, in which case, such signed SCCs shall govern.
4.2 Prior Consultation. Service Provider agrees to provide reasonable assistance to Kustomer where, in Kustomer’s judgment, the type of Processing performed by Service Provider is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
4.3 Demonstrable Compliance. Service Provider agrees to keep records of its Processing in compliance with Applicable Data Protection Laws and provide such records to Kustomer upon request. If Service Provider is collecting Kustomer Personal Data on Kustomer’s behalf, such records may include, to the extent reasonably requested by Kustomer, records of the verifiable consent under Applicable Data Protection Laws.
4.4 Service Provider. Service Provider shall not retain, use, or disclose Kustomer Personal Data (i) for any purpose other than for the specific purpose of performing the services specified in the Agreement, or (ii) outside of the direct business relationship between Kustomer and Service Provider, in each case except as otherwise permitted by US Privacy Laws.
- Information Security
Service Provider agrees that it has implemented and will maintain throughout the term of the Agreement appropriate technical and organizational measures, internal controls and information security routines intended to protect Kustomer Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction, which shall at all times be: (i) of at least the minimum standard required by Applicable Data Protection Laws; and (ii) so as to ensure a level of security for the Kustomer Personal Data appropriate to the risk. Service Provider shall ensure that all Kustomer Personal Data is encrypted at all times while in the possession or under the control of Service Provider. Where directed by Kustomer, Service Provider shall also ensure that Kustomer Personal Data Processed by it is pseudonymized (as defined under Applicable Data Protection Laws). Except as expressly authorized by Kustomer in writing, Service Provider shall not access any Kustomer systems remotely or otherwise. In the event that Service Provider receives or is given access to Personal Data in connection with this Agreement that is not necessary to fulfil Service Provider’s obligations hereunder or that Service Provider knows it does not have authorization to receive or access, Service Provider shall: (a) notify Kustomer of such unauthorized data without undue delay, and (b) immediately cease all use of or access to such unauthorized data.
- Assessments, Audits and Remediations
6.1 Assessments. Records to demonstrate compliance with this DPA and Applicable Data Protection Laws will be maintained by Service Provider through the duration of the Agreement and for a period of three (3) years thereafter, and provided to Kustomer upon request. Service Provider will promptly complete any reasonable data protection questionnaire provided by Kustomer.
6.2 Audits. For the purpose of verifying Service Provider’s compliance with Applicable Data Protection Laws and the Agreement, upon reasonable notice, Service Provider agrees to permit Kustomer to conduct audits of Service Provider’s Processing either directly or, at Kustomer’s sole option, through a Kustomer-approved third party auditor. Service Provider agrees to cooperate in good faith with the audit and promptly (i) provide access to books, records (including, but not limited to, security scan records), and other information necessary for the audit, and (ii) at Kustomer’s request enable access to Service Provider’s premises to properly conduct the audit or as required under Applicable Data Protection Laws. Kustomer agrees to (x) schedule audits to minimize disruption to Service Provider’s business, (y) require any third party it employs to sign a non-disclosure agreement, and (z) make the results of the audit available to Service Provider.
6.3 Remediation. Service Provider agrees to promptly take action, at its own expense, to correct any documented material security issue affecting Kustomer Personal Data identified by such audit and to inform Kustomer of such actions. If action is not promptly taken, Kustomer may terminate the Agreement at Kustomer’s discretion.
- Secure Disposal
Kustomer Personal Data will be securely disposed (i) during the duration of the Agreement upon Kustomer’s written request, or (ii) at the termination of the provision of the services. If instructed by Kustomer, a copy of such Kustomer Personal Data will be returned to Kustomer prior to disposal. Service Provider may retain Kustomer Personal Data to the extent that it is required to do so under Applicable Data Protection Laws.
- Changes to Requirements
The parties will work together in good faith to amend or supplement this DPA from time to time to reflect new requirements under Applicable Data Protection Laws.
- Security Incidents
9.1 Policy. Service Provider will notify Kustomer without undue delay (and in any event within 48 hours) if Service Provider becomes aware of or reasonably suspects any Security Incident, including regarding: (i) the nature of the Security Incident, including the categories and approximate numbers of Data Subjects and Personal Data records concerned and the likely consequences of the Security Incident, (ii) any investigations into such Security Incident, and (iii) any measures taken, or that Service Provider recommends, to address the Security Incident, including to mitigate its possible adverse effects. Service Provider will make reasonable efforts to identify the cause of such Security Incident and take those steps as Service Provider or Kustomer deems necessary and reasonable in order to remediate the cause of such Security Incident. Service Provider will fully cooperate with Kustomer to develop and execute a response plan to address the Security Incident.
9.2 Reports. Upon request by Kustomer, Service Provider will enable Kustomer to review the results of and reports relating to the investigation and response to a Security Incident.
- Termination Obligations
10.1 Termination. This Agreement shall automatically terminate in the event that the Agreement is terminated or expires. Notwithstanding anything to the contrary in the Agreement or this DPA, Kustomer may terminate the DPA or any portion thereof immediately upon written notice to Service Provider, and without judicial notice or resolution or prejudice to any other remedies, in the event a data protection or other regulatory authority or other tribunal or court in any country finds there has been a breach of Applicable Data Protection Laws by virtue of Kustomer’s or Service Provider’s Processing of Kustomer Personal Data in connection with the Agreement, and such breach has not been cured within sixty (60) days of the breaching party receiving notice thereof.
10.2 Effect of Termination or Expiration. Kustomer Personal Data will be securely destroyed unless Service Provider is required to retain such information by Kustomer or under Applicable Data Protection Laws. Service Provider’s obligations to protect Kustomer Personal Data will continue until all such information has been permanently and completely destroyed or deleted, including from any back-ups.
- Indemnity
Service Provider shall indemnify Kustomer for all liabilities, fines, penalties, costs, or fees arising from any third-party claim or action relating to: (i) any breach by Service Provider of its obligations under Applicable Data Protection Laws, or its obligations under this DPA, or (ii) Service Provider acting outside or contrary to the lawful Processing instructions of Kustomer, or the applicable data controller, with respect to the Processing of the Kustomer Personal Data.
- Jurisdiction Specific Terms
To the extent Service Provider Processes Personal Data of Data Subjects residing in and protected by Applicable Data Protection Laws in one of the jurisdictions listed in Schedule 2 hereto, then the terms specified in Schedule 2 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this DPA. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence. In case of conflict or ambiguity between the Jurisdiction Specific Terms and the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence.
- Contact Information
Service Provider will designate a point of contact as its Privacy and Security Coordinator. This Privacy and Security Coordinator will: (i) maintain responsibility for applying adequate protections to Kustomer Personal Data, including the development, implementation, and maintenance of its information security program, (ii) oversee application of Service Provider compliance with the requirements of this DPA, and (iii) serve as a point of contact for internal communications and communications with Kustomer pertaining to this DPA and compliance with or any breaches thereof.
Schedule 1
Details of Processing/Transfer under the Standard Contractual Clauses
APPENDIX
ANNEX I
A. List of Parties
Data exporter(s):
- Name: Kustomer, LLC
Address: As per the Agreement
Contact person’s name, position and contact details: As per the Agreement
Activities relevant to the data transferred under these Clauses: receipt of the Services pursuant to the Agreement
Signature and date: As per the Agreement
Role (controller/processor): Controller or Processor, as applicable
Data importer(s):
- Name: Service Provider as per the Agreement
Address: As per the Agreement
Contact person’s name, position and contact details: As per the Agreement
Activities relevant to the data transferred under these Clauses: performance of the Services pursuant to the Agreement
Signature and date: As per the Agreement
Role (controller/processor): Processor
B. Processing Details / Description of Transfer
The Agreement describes the nature, purpose, and subject matter of the processing (and any subprocessing), the type of personal data and categories of data subjects. Unless otherwise agreed by the Parties in writing, the duration of the processing shall be until the earlier of the completion of the Services (if applicable) or the termination of the Agreement.
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13
The Irish Data Protection Commission
ANNEX II
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
Description of the technical and organisational security measures implemented by the data importer in accordance with the Standard Contractual Clauses:
Data importer shall implement and maintain appropriate technical and organisational measures to protect any such personal data in their possession or control from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by any processing and the nature of the data to be protected.
Schedule 2
Jurisdiction Specific Terms
- Additional Terms for Service Providers for which the Standard Contractual Clauses apply
1.1 For the purposes of Annex I or Part 1 (as relevant) of such Standard Contractual Clauses, the parties and processing details set out in Schedule 1 (Details of Processing) shall apply, as between Service Provider and Kustomer.
1.2 The Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) terms of the EU Transfer Clauses shall apply where relevant.
1.3 For the purposes of Annex II or Part 1 (as relevant) of such Standard Contractual Clauses, the technical and organisational security measures set out in Schedule 1 (Annex II) shall apply.
1.4 For the purposes of Clause 7 of the EU Transfer Clauses, the optional docking clause shall not apply and shall be deleted.
1.5 For the purposes of Clause 9 of the EU Transfer Clauses, Option 2 shall apply and the time period for prior notice of sub-processor changes will be as set forth in Section 2.3 of this DPA.
1.8 For the purposes of Clause 11 of the EU Transfer Clauses, the optional language in relation to independent dispute resolution shall not apply and shall be deleted.
1.9 For the purposes of Clause 13 and Annex I.C, the competent supervisory authority shall be the Irish Data Protection Commissioner.
1.10 For the purposes of Clause 17, Option 1 shall apply and the EU Transfer Clauses shall be governed by Irish law.
1.11 For the purposes of Clause 18, the competent courts shall be the courts of Ireland.
1.12 For the purposes of Part 1 of the UK International Data Transfer Addendum, either party may terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor Clauses.
- Additional Terms for Service Providers for which the US Privacy Laws apply
Section 2 shall apply only if and to the extent that Service Provider Processes Personal Data on behalf of Kustomer as part of the Services that is subject to US Privacy Laws (“US Personal Data”). Service Provider shall, to the extent it is required of Processors, as relevant, by US Privacy Laws:
2.1 Not retain, use, or disclose US Personal Data outside of the direct business relationship with Kustomer or for any purpose other than for the specific Business Purposes described in the Agreement, including retaining, using, or disclosing US Personal Data for a Commercial Purpose other than performing the Business Purposes described in the Agreement;
2.2 Not Sell or Share US Personal Data;
2.3 Except to perform a Business Purpose or as otherwise permitted of Processors by US Privacy Laws, not combine US Personal Data with Personal Data that Kustomer received from or on behalf of another person or collected from Service Provider’s own interactions with a consumer;
2.4 Notify Kustomer if Service Provider can no longer meet its obligations under US Privacy Laws; and
2.5 Upon Kustomer’s reasonable written request, and subject to Service Provider’s verification of a violation of US Privacy Laws, Service Provider shall grant Kustomer the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of US Personal Data.