Data Processing Addendum
This Data Processing Addendum including its Annexes (“Data Processing Addendum” or “Addendum”) is entered into by and between ContactMonkey, an Ontario corporation, having its principal place of business at 200 Adelaide Street West, Toronto, ON (“Company” or “ContactMonkey”) and you (“Customer”).
This Data Processing Addendum forms part of the ContactMonkey software-as-a-service agreement or other written or electronic agreement between ContactMonkey and Customer for the purchase of hosted online services (including any associated offline, mobile or software components) from ContactMonkey (identified as either “Services”, “ContactMonkey Solution”, “ContactMonkey Services” or otherwise in the applicable agreement, and hereinafter defined as the “Services”) (the “Agreement”), to reflect the Parties’ agreement with regard to the Processing of Personal Information.
To complete this Data Processing Addendum, the Customer must:
- Complete the information in the signature box;
- Send the signed Data Processing Addendum to ContactMonkey by email to privacy@contactmonkey.com, indicating, if applicable, the Customer’s account number (as set out on an applicable Order Form or invoice).
Upon receipt of the validly completed Data Processing Addendum by ContactMonkey at the email address above, this Data Processing Addendum will become legally binding. This Data Processing Addendum shall only become binding between ContactMonkey and Customer when the formalities set out above have been fully completed, at which point it will become an addendum to, and form part of, the Agreement.
In the event of any conflict between the Agreement and this Data Processing Addendum, the terms and conditions of this Data Processing Addendum shall control. Except to the extent expressly superseded or modified in this Data Processing Addendum, the terms and conditions of the Agreement will apply to this Data Processing Addendum and remain in full force and effect.
Definitions.
“Processing” or “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, storage, anonymization, deletion, and/or management of Personal Information.
“Personal Information” means any information that constitutes “Personal Data” or “Personal Information” under Regulation (EU) 2016/679 (“EU GDPR”) and Directive 2002/58/EC, or “personal information” under the Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 (“PIPEDA”) or the California Consumer Privacy Act and related regulations and guidance (“CCPA”), transferred by Customer or its permitted agents to Company in performance of or pursuant to the Agreement or this Addendum, and any information relating to an identified or identifiable individual derived or otherwise created by Company in connection therewith.
“Privacy Laws” means all applicable laws and regulations governing the processing or protection of Personal Information as amended, modified or replaced from time to time, including for example and without limitation Regulation (EU) 2016/679 (“GDPR”) and Directive 2002/58/EC, the Personal Information Protection and Electronic Documents Act, SC 2000, and the California Consumer Privacy Act and related regulations and guidance (“CCPA”), as well as any implementing legislation or further particularising rules, regulatory decisions or orders, or regulations.
Data Processing and Security Responsibilities.
- Customer and Company shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum, as set out in the description of Services in Annex A to this Addendum.
Customer agrees that it has:
- made and shall maintain all necessary registrations and notifications as required in order to permit Company to perform its obligations and exercise its rights under this Addendum;
- obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Company to perform its obligations and exercise its rights under this Addendum, and shall inform Company immediately if any such consents are withdrawn;
- ensured and shall continue to ensure that all Personal Information Processed by Company is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Company to perform its obligations and exercise its rights under this Addendum;
- ensured and shall continue to ensure that there are valid legal bases to enable Company to Process Customer’s Personal Information;
- Processed and will continue to Process the Personal Information in accordance with all applicable Privacy Laws.
In the course of Processing Personal Information on behalf of Customer in connection with the Services as set out in Annex A to this Addendum, Company shall:
- only Process Personal Information as reasonably necessary for the purposes of rendering the Services and as otherwise instructed by Customer in writing from time to time, and not Process any Personal Information in any other manner without the express prior written authorization of Customer unless required to do so by applicable law. Company shall not retain, use, disclose, or otherwise Process Personal Information outside of the direct business relationship between Company and Customer;
- immediately inform the Customer if, in Company’s opinion, any instruction received from the Customer infringes any Privacy Laws;
- not disclose (and not allow any of its employees, or permitted agents or representatives to disclose) any Personal Information to any third party without the prior written authorization of Customer unless required to do so under applicable law;
- not sell the Personal Information;
- where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law, such as on important grounds of public interest);
- promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under applicable law regarding Personal Information, and provide prompt reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests, such as by an obligation to provide access to Personal Information, or to correct, rectify, erase or restrict the processing of Personal Information; (ii) complaint or correspondence received by Company relating to the Processing of Personal Information, and (iii) order, demand, warrant or any other document purporting to compel the production of any Personal Information, and provide reasonable assistance at Customer’s cost to facilitate Customer’s compliance with Customer’s obligations under Privacy Laws;
- implement reasonable and appropriate physical, technical, administrative and organizational security procedures and practices appropriate to the sensitivity of the Personal Information, to protect the Personal Information against loss, theft, destruction, damage, alteration and unauthorized or unlawful access, use, disclosure or other risks incurred by Processing in pursuit of the Services, as further described in Annex B, as would allow Company to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services and to provide reasonable assistance at Customer’s cost to ensure compliance with Customer’s obligations to implement such security measures;
- limit access to Personal Information only to those employees and authorized agents of Company who need to have access to the Personal Information and solely for the purposes of Company rendering the Services;
- ensure or cause each of the employees and permitted contractors of Company to agree in writing to keep and to protect the confidentiality and security of the Personal Information in accordance with the terms of this Addendum, and otherwise properly advise and train each of its employees and permitted subcontractor of the requirements of Company under this Addendum and applicable Privacy Law;
- ensure that each employee or permitted contractor of Company involved in rendering the Services hereunder is appropriately screened to confirm the suitability of the performance of their duties in connection with the Services, including the access to and Processing of Personal Information;
- except as otherwise agreed to in writing by Customer, only maintain and otherwise process the Personal Information in Canada and the United States; and
- provide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Privacy Laws to carry out a data protection impact assessment or to consult with the relevant supervisory authority in respect of any such data protection impact assessment.
Audit Rights.
Company shall provide and Customer agrees to accept Company’s most current third-party certifications as may be relevant and available in respect of the Services. Company shall provide Customer (or its representatives) with access to information necessary to demonstrate Company’s compliance with this Addendum and to the records, facilities and premises of Company during business hours and upon at least 30 days’ advance notice in writing, at most once per year, for the purposes of verifying Company’s compliance with this Addendum.
Subcontracting.
Customer acknowledges and agrees that Company shall use sub-processors (including Company affiliates) to provide the Services set out in Annex A. Company shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Company under this Addendum. Company shall only retain sub-processors that Company can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Information. Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex C, Company shall notify Customer of such sub-processors, whereupon Customer shall have 10 days to object to such appointment by providing detailed reasons for such objection to Company.
Data Transfers.
Company will transfer Personal Information in accordance with applicable Privacy Laws. As Company is a Canadian company subject to PIPEDA, transfers from the European Economic Area and the UK to Company are permitted pursuant to European Commission Decision 2002/2/EC (as amended or replaced from time to time).
Security Breach Notification.
- Company shall notify Customer within 48 hours upon Company becoming aware of any accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of or other Processing of Personal Information (“Privacy Breach”).
- Company shall reasonably cooperate with Customer in notifying individuals affected by a Privacy Breach and other parties, including relevant supervisory authorities, in accordance with applicable law.
Termination.
Upon the termination of the Agreement or at such other times as instructed by Customer in writing, Company shall either return or, upon the written instruction of Customer, securely dispose of the Personal Information and all existing copies. In the event applicable law does not permit Company to comply with the delivery or destruction of the Personal Information, Company warrants that it shall ensure the confidentiality of the Personal Information in accordance with applicable law.
IN WITNESS WHEREOF, the parties’ authorized signatories have duly executed this Addendum:
ContactMonkey
Signature: ___________________________
Print Name: __________________________
Title: _______________________________
Date: _______________________________

Customer Name: ___________________
Signature: _________________________
Print Name: _______________________
Title: ___________________________
Date: ___________________________
ANNEX A
DATA PROCESSING DESCRIPTION
Subject-matter and duration of the Processing.
The Services are intended to allow the Customer to design its HTML employee newsletters, send those newsletters to its employees from its email client (Outlook or Gmail), and track the engagement of those emails.
The duration of the Processing is the duration of the Agreement.
Nature and purposes of the Processing.
Personal Data will be Processed by Company for purposes of providing the Services set out in the Agreement and any applicable statement of work.
Data Categories.
The following types of Personal Information will be Processed:
- Name, email address, phone number and other contact information and other Personal Data needed to perform the Services.
- IP address, location, email open and click rates.
The following categories of Data Subjects are involved:
- Employees of Customer
ANNEX B
SECURITY MEASURES
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The following measures are subject to change based on operational requirements and the evolution of technology and security threats. These measures apply generally to all transfers contemplated by this Agreement.
The information security organization has established relevant technical standards documented as follows:
- Measures of encryption of personal data
  - HTTPS encryption for data in transit (using TLS 1.2 or greater) on every login interface, using industry standard algorithms and certificates.
  - Encryption of data at rest using the industry standard AES-256 algorithm.
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  - Multi-Factor Authentication (MFA)
  - Differentiated rights system based on security groups and access control lists.
  - Secure transmission of credentials using TLS 1.2 (or greater)
  - Passwords require a defined minimum complexity. Initial passwords must be changed after the first login.
  - Automatic account locking
  - Guidelines for handling of passwords
  - Access controls to infrastructure that is hosted by the cloud service provider
  - Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to-know” principle, and management of individual access rights.
  - Training and confidentiality agreements for internal staff and external staff
  - Network separation
  - Segregation of responsibilities and duties
  - Secure network interconnections ensured by firewalls etc.
  - Logging of transmissions of data from IT systems that store or process personal data; logging of authentication and monitored logical system access
  - Logging of data access including, but not limited to, access, modification, entry and deletion of data
  - Documentation of data entry rights and logging of security-related entries
  - Web Application Firewall (WAF)
  - Customer data is backed up to multiple durable data stores and replicated across multiple availability zones
  - Protection and encryption of stored backup media
- Measures for ensuring the ability to restore the availability and access to personal Data in a timely manner in the event of a physical or technical incident
  - Continuity Planning and Disaster Recovery Plan
  - Disaster recovery processes to restore data and processes
  - Capacity management measures to monitor resource consumption of systems as well as planning of future resource requirements.
  - Procedures for handling and reporting incidents (incident management) including the detection of and reaction to possible security incidents.
  - Production data is backed up hourly in incremental form and daily as a full backup. All backups are kept redundant and in encrypted form (AES-256).
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
  - Testing of emergency equipment
  - Documentation of interfaces and personal data fields
  - Internal and external audits
  - Security checks (e.g. penetration tests) conducted by external parties
  - Bug bounties
  - SOC 2 audits
  - Regular benchmarking and testing against industry standards, e.g. Cloud Security Alliance, Controls for Internet Security, NIST guidelines, etc.
- Measures for user identification and authorization
  - Secure network interconnections ensured by VPN, MFA, firewalls etc.
  - Logging of transmissions of data from IT systems that store or process personal data
  - Logging of authentication and monitored system access
  - Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept in accordance with the “need-to-know” principle.
  - IDS/IPS (Intrusion Detection/Prevention System)
- Measures for the protection of Data during transmission
  - HTTPS encryption for data in transit (using TLS 1.2 or greater)
- Measures for the protection of Data during storage
  - System inputs recorded via log files
  - Access Control Lists (ACL)
  - Multi-factor Authentication (MFA)
- Measures for ensuring physical security of locations at which personal Data are processed
  - Subdivision of the facility into individual zones with different access authorizations
  - Physical access protection (e.g. steel doors, windowless rooms or secured windows).
  - Electronic access control system to protect security areas.
  - Monitoring of the facility by security services and access logging to the facility.
  - Video surveillance of all security-relevant areas, such as entrances, emergency exits and server rooms.
  - Central assignment and revocation of access authorizations.
  - Identification of all visitors by verification of their identity card and registration (a log of visitors is kept).
  - Mandatory identification within the security areas for all employees and visitors.
  - Visitors must always be accompanied by employees.
- Measures for ensuring system configuration, including default configuration
  - Access Control Policy and Procedures
  - Baseline configuration identification
  - Configuration Planning and Management
  - Configuration Change Management
  - Configuration Verification and Audits
  - Mobile device management
- Measures for internal IT and IT security governance and management
  - Dedicated and identified person to oversee the company’s information security and compliance program
  - Information and network security staff holding security certifications
  - Information Security Management System around development and maintenance of policy and technical standards
  - Audit programs that use Information Security frameworks for measurement (ISO 27001, NIST, Cloud Security Alliance, SOC 2)
- Measures for certification/assurance of Processes and products
  - Information security or quality management certifications such as ISO 27001, SOC 2, or PCI
- Measures for ensuring Data minimization
  - Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to function, through differentiated access profiles.
  - Strict time limits for data retention and operational mechanisms that guarantee compliance (e.g. automatic deletion of data after a predefined time period).
  - Technological barriers to the unauthorized linking of independent sources of data.
  - Deletion of metadata generated during certain processes that is not necessary for the pursued goal.
- Measures for ensuring Data quality
  - Process for the exercise of data protection rights (right to amend and update information)
  - Clear documentation of requirements for all data conditions and scenarios
  - Rigorous data profiling and control of incoming data
  - Data pipeline design to avoid duplicate data
  - Quality Assurance team
  - Enforcement of data integrity
- Measures for ensuring limited data retention
  - In order to ensure the effectiveness and reliability of the retention schedule, the deletion of such data is automated and tests are conducted to ensure the effectiveness of the retention policies.
- Measures for ensuring accountability
  - Assign responsibility to ensure end-user privacy throughout the product lifecycle and through applicable business processes.
  - Document all decisions that are adopted within the organization from a “privacy and security by design thinking” perspective.
- Measures for allowing Data portability and ensuring erasure
  - Documented processes in relation to the exercise by users of their privacy rights (e.g. right of erasure or right to data portability)
ANNEX C
SUBCONTRACTORS
| Subcontractor | Activity | Country |
| --- | --- | --- |
| Amazon Web Services | Computer storage, network services, and hosting services, including the provision of cloud computing infrastructure. | Canada/United States |
| Zendesk | Zendesk provides a platform to manage customer support requests. | |