JumpDEMAND, Inc. GDPR Addendum
READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY BEFORE ACCEPTANCE. BY SELECTING “I ACCEPT”, YOU AGREE TO FOLLOW AND BE BOUND BY THE TERMS AND CONDITIONS IN THIS ADDENDUM. YOU REPRESENT THAT YOU HAVE THE AUTHORITY AND POWER TO BIND A COMPANY OR LEGAL ENTITY IN THE CASE YOU ENTER THIS AGREEMENT ON BEHALF OF A COMPANY OR LEGAL ENTITY. IF YOU DO NOT AGREE TO EACH TERM AND CONDITION OF THIS ADDENDUM, SELECT “I DECLINE”. YOU MAY NOT USE THESE SERVICES WITHOUT ACCEPTING THE TERMS AND CONDITIONS OF THIS ADDENDUM.
Upon selecting “I Accept” you (the “Subscriber”) and JumpDEMAND Inc. (the “Service Provider”) are bound by this Addendum on the later of (a) the time/date the Subscriber selects “I Accept” and (b) 25 May 2018 (the “Addendum Effective Date”).
|(A)||The Subscriber and the Service Provider are parties to an existing Agreement, pursuant to which the Service Provider provides the Services.|
|(B)||The Service Provider is incorporated in Alberta, Canada. The Service Provider is not subject to the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) but is subject to the Personal Information Protection Act (Alberta) (“Alberta PIPA”), in respect of the collection, use and disclosure of personal information that occurs in Alberta. Alberta PIPA is provincial legislation that is deemed to be substantially similar to PIPEDA, and an exemption order was granted by the Federal Government, exempting organizations from PIPEDA application in respect of the collection, use and disclosure of personal information that occurs within the Province of Alberta. The possibility of such an exemption is referred to in recital 6 of the European Commission’s adequacy decision in respect of Canada dated 20 December 2001: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32002D0002. Moreover, PIPEDA applies where personal information collected in Alberta is disclosed across provincial borders. However, to cover the possibility that this combination of Alberta PIPA/PIPEDA does not afford adequate data protection for transfers of personal data from Europe, the Service Provider offers its subscribers in the European Economic Area a separate pre-signed Model Clause Agreement.|
|(C)||Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 came into force on 24 May 2016 and becomes directly applicable on 25 May 2018.|
|(D)||The parties wish to enter into this Addendum in order to vary, supplement and update the existing Agreement for the purpose of GDPR compliance and to supplement the Model Clause Agreement.|
- 1. Consideration
- 1.1 In consideration of the mutual benefits of data protection compliance, the parties agree to the provisions of this Addendum.
- 2. Definitions
- 2.1 In this Addendum the defined terms set out in Appendix 1 (Definitions) shall have the meanings given to them there (unless the context requires otherwise).
- 2.2 Where the Subscriber is a marketing agency, it shall, and shall procure that each of its end clients shall, comply with the terms of this Addendum. All subsequent references to the “Subscriber” in this Addendum shall be construed as including a reference to the Subscriber’s end clients.
- 3. Application of this Addendum
- 3.1 This Addendum amends and forms part of the Agreement, whose terms apply to this Addendum. The parties agree that the click-wrap mechanism for acceptance constitutes “an instrument in writing signed by the parties” as set out in the Agreement. The Addendum supplements the Model Clause Agreement. It shall take effect on the Addendum Effective Date, and shall continue for the Term.
- 3.2 Subject to article 4 (commercial terms), to the extent that there is any conflict between the requirements of this Addendum, the Model Clause Agreement and the Agreement, it shall be resolved in the following order of precedence:
- 3.2.1 First the Addendum (because it reflects the GDPR requirements, for example new or upgraded individual rights, data protection impact assessments and breach notification, which post-date the 2010 standard contractual clauses on which the Model Clause Agreement is based);
- 3.2.2 Secondly the Model Clause Agreement; and
- 3.2.3 Finally, the Agreement.
- 4. Processor provisions
- 4.1. The parties acknowledge that the Subscriber is a Controller and that the Service Provider is a Processor of the Relevant Data.
- 4.2. Details of the Processing the Service Provider carries out on behalf of the Subscriber under the Agreement are set out in part 1 of Appendix 2 (Details of Data Processing). The Subscriber’s documented instructions are set out in part 2 of Appendix 2 (Details of Data Processing).
- 4.3. The Service Provider shall:
- 4.3.1. Process the Relevant Data only in accordance with documented instructions from the Subscriber (including with regard to transfers of Relevant Data to a Restricted Country), unless required to do so by European Law to which the Service Provider is subject; in such a case, the Service Provider shall inform the Subscriber of that legal requirement before Processing, unless that European Law prohibits such information on important grounds of public interest;
- 4.3.2. ensure that persons authorised to process the Relevant Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- 4.3.3. take all measures required pursuant to Article 32 GDPR;
- 4.3.4. comply with the conditions referred to in paragraphs 2 and 4 of Article 28 GDPR for engaging another Processor (a “Sub-processor”);
- 4.3.5. taking into account the nature of the Processing, assist the Subscriber by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR;
- 4.3.6. assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to the Service Provider;
- 4.3.7. at the choice of the Subscriber, delete or return all the Relevant Data to the Subscriber after the end of the provision of the Services or other services relating to Processing, and delete existing copies unless European Law requires storage of the Relevant Data, in accordance with article 7.4.3; and
- 4.3.8. make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber in accordance with article 7.4.2, and shall immediately inform the Subscriber if, in its opinion, an instruction infringes the GDPR, other European DP Law or other data protection provisions in European Law.
- 5. Controller provisions
- 5.1 The Subscriber is a Controller of the Relevant Data. The Subscriber shall comply with its obligations under European DP Law, in addition to its obligations to comply with applicable laws under the Agreement.
- 5.3 The Subscriber (and not the Service Provider) is responsible for selecting secure passwords to access the Services and for maintaining the confidentiality and security of those passwords and its user names. The Service Provider has access to the passwords, which are encrypted, and has a mechanism for resetting passwords.
- 5.4 The Subscriber acknowledges and agrees that it, and not the Service Provider, is responsible for making backups of the Relevant Data. The Service Provider backs up all data for system recovery purposes only. The Service Provider does not back up data for the Subscriber. If the Subscriber inadvertently deletes its Relevant Data or other data, it is gone. The Service Provider does provide a service for data recovery, but it is expensive. If the Subscriber needs to purchase a data recovery service from the Service Provider, the Subscriber may ask the Service Provider for details of the extent to which the Service Provider can assist, and the cost.
- 6. Change in Data Protection Requirements
- 6.1. The Service Provider may, at any time on not less than 30 days’ notice, revise this Addendum by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme, or to reflect any change in applicable Data Protection Requirements. The revised terms shall be deemed to apply in place of this Addendum at the end of the 30-day notice period, unless the Subscriber, acting reasonably, objects with good reason, in which case this Addendum shall, if the Service Provider agrees, continue to apply in the absence of the parties’ agreement to a variation to the revised terms. If the Service Provider does not agree to the continuation of this Addendum, the Subscriber may terminate the Agreement as permitted by Article 13 – Termination of the Agreement, and co-terminate this Addendum and the Model Clause Agreement, or the Service Provider may terminate all those agreements, after giving a further 30 days’ notice to the Subscriber to terminate.
- 7. Commercial terms
- 7.1. The Service Provider will automate its assistance provided pursuant to this Addendum as far as reasonably practicable, in order to provide self-help features for the Subscriber. The Service Provider reserves the right to charge the Subscriber for any human assistance provided pursuant to this Addendum at its standard rates, or to charge the Subscriber as permitted by applicable law.
- 7.2. Except where used to assist the Subscriber to use automated (self-help) features of the Services, technical support services provided under the Agreement do not include assistance provided pursuant to this Addendum.
- 7.3. The Subscriber shall have no right to conduct an on-premises audit of the Service Provider’s compliance with the performance of the Services or compliance with the requirements of this Addendum or the Model Clause Agreement (the “Requirements”). No more than once annually, the Subscriber shall have the right to request from the Service Provider its certification of compliance with the Requirements. Where the Service Provider cannot give that certification or the Subscriber, acting reasonably, is not satisfied with the certification, the Subscriber may terminate the Agreement as permitted by Article 13 – Termination, of the Agreement, and co-terminate this Addendum and the Model Clause Agreement. The Subscriber acknowledges that the audit rights in this article 7.3 make mutual the Service Provider’s audit rights in Article 9 of the Agreement, and are therefore fair and reasonable.
- 7.4. The Subscriber acknowledges and accepts that the Service Provider would not be prepared to do business without managing its risk and exposure through the following commercial provisions, which shall apply to, and prevail over, any contrary express or implied terms in this Addendum and/or in the Model Clause Agreement:
- 7.4.1. Articles 7.1 and 7.2 of this Addendum (costs);
- 7.4.2. Article 7.3 of this Addendum (audit);
- 7.4.3. Article 15 of the Agreement – Return of Subscriber Data; and
- 7.4.4. Article 22 of the Agreement – Indemnification and Limitation of Liability
- provided that no disclosures or other processing of Relevant Data by the Service Provider or the Subscriber will compromise Data Subjects’ fundamental rights to respect for a private life, to the protection of Personal Data and to effective judicial protection as set out in the Charter of Fundamental Rights of the European Union.
Appendix 1: Definitions
|“Agreement”||the agreement(s) between the Service Provider and the Subscriber from time to time, other than the Model Clause Agreement.|
|“Applicable DP Law”||in relation to data protection terms defined in this paragraph 1 of Appendix 1, means:
(a) applicable data protection law in the Subscriber’s Country, if the term is (i) defined in that law and (ii) applies to the Processing in question; or
(b) if (a) does not apply, the GDPR.|
|“Controller”||has the meaning given to it in Applicable DP Law.|
|“Data Protection Requirements”||as applicable, European DP Law and any other applicable laws and regulations relating to the processing of personal data or personally identifiable information anywhere in the world.|
|“Data Subject”||has the meaning given to it in Applicable DP Law.|
|“ePrivacy Regulation”||the European Regulation of the European Parliament and of the Council which supersedes Directive 2002/58/EC, and unless and until that Regulation does supersede Directive 2002/58/EC, means the implementation of Directive 2002/58/EC in the Subscriber’s Country.|
|“European DP Law”||as applicable, (a) the GDPR and any data protection legislation applicable from time to time accompanying the GDPR in the Subscriber’s Country together with (b) the ePrivacy Regulation and any privacy legislation applicable from time to time accompanying the ePrivacy Regulation in the Subscriber’s Country.|
|“European Law”||European Union or European Member State law (as referred to in the GDPR).|
|“GDPR”||Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.|
|“Model Clause Agreement”||the Model Clause Agreement offered by the Service Provider to the Subscriber and comprising Commission Decision C(2010)593 Standard Contractual Clauses (processors).|
|“Personal Data”||has the meaning given to it in Applicable DP Law.|
|“Processing”||has the meaning given to it in Applicable DP Law.|
|“Processor”||has the meaning given to it in Applicable DP Law.|
|“Relevant Data”||all Personal Data of which the Subscriber (or where the Subscriber is an agency, its client) is the Controller and which are Processed by the Service Provider for the purpose of providing the Services.|
|“Restricted Country”||any third country or international organisation as described in the GDPR.|
|“Services”||the services provided by the Service Provider to the Subscriber from time to time under or pursuant to the Agreement, and as defined in that Agreement.|
|“Subscriber’s Country”||the Subscriber’s country of incorporation and/or (if different) country or countries of operation.|
|“Term”||the duration of the Processing of Relevant Data pursuant to (a) the Agreement, (b) the Model Clause Agreement and/or (c) this Addendum, including during any transitional arrangements on entrance or exit.|
Appendix 2: Details of Data Processing
Part 1: Processor requirements
|Requirement in Article 28(3) GDPR||Details for this Addendum|
|The subject matter and duration of the Processing||Subject matter: performance based marketing and analysis carried out by the Subscriber using the Service Provider’s Services.
The Subscriber uses the Services in relation to its own website or (if it is an agency) in relation to its client’s website.
The Services (called ActiveDEMAND) do not track across websites. The features may include (depending on package selected by the Subscriber) email marketing, call tracking, appointment scheduling, dynamic website content, autoresponders, exit intent popups, landing pages, drip campaigns, dashboards and reports, call forensics, multivariate testing, event marketing, behavioural segmentation, lead scoring, social media and web forms, as may be updated from time to time.
The Service Provider’s software is stored on Amazon Web Services, Inc.’s servers in the USA. The Service Provider’s email service is provided by SendGrid, Inc. If calls are recorded, the Service Provider’s call recording service is provided by Twilio Inc. (the Service Provider downloads the recording and deletes it from Twilio). If calls are transcribed, then the recording is sent to Voicebase, Inc. The Service Provider sends emails to Olark for anyone who logs into the Service Provider’s platform, or anyone who uses the Service Provider’s support portal. The Service Provider also sends email addresses to Olark if the other person has Olark installed on their own site (their own Olark account).
The Relevant Data are accessed:
The Service Provider aggregates anonymous statistics across its subscribers’ accounts but this does not use or reveal any Relevant Data or other Personal Data.
As at April 2018, Amazon Web Services, Inc., Habla, Inc (trading name Olark), SendGrid, Inc., Twilio Inc and Voicebase, Inc. are in the EU-US and Swiss-US Privacy Shield Frameworks.
Duration: from the Addendum Effective Date for the Term.|
|The nature and purpose of the Processing||Nature: activities initiated by the Subscriber and/or enabled by the Service Provider’s software. The software collects, organizes, records, structures, modifies, presents, aggregates, calculates inferences, appends, and may delete/rewrite/update the Relevant Data.
Purpose: the provision of marketing automation and reporting software as a service and related services (more particularly, the Services) by the Service Provider to the Subscriber.|
|The type of Personal Data||Employees: contact details, financial details, employment details, user details and email address, platform/support portal usage details.
Special categories of Personal Data: None unless volunteered by the Data Subject or obtained by the Subscriber from a third party source. The Service Provider does not track any of this data. The Subscriber can upload whatever data it wishes to the Service Provider’s platform (so could upload this type of data), but the Service Provider does not collect the data from any source.|
|The categories of Data Subjects||Employees: Data Subjects who are the Subscriber’s:
and whose Personal Data are collected by the Services or stored through the Services.
Customers: Data Subjects who are website visitors, prospects or customers/clients of the Subscriber, and whose Personal Data are collected by the Services or stored through the Services.|
|The Controller’s obligations and rights||The obligations on the Subscriber in article 5.
The rights to enforce the Service Provider’s Processor obligations, as set out in article 4 (Processor provisions).|
Part 2: Documented Instructions
The Service Provider is hereby instructed by the Subscriber:
- to Process the Relevant Data for the sole purpose of providing the Services and to the extent necessary to provide the Services, and not to Process the Relevant Data for its own purposes or third party purposes;
- to transfer the Relevant Data to a Restricted Country provided that the Service Provider complies with the requirements laid down in Chapter V GDPR; and
- for the purpose of article 28(3)(d) and article 28(2) GDPR, not to engage a Sub-processor without the Subscriber’s general written authorisation (which, insofar as they may be Sub-processors rather than controllers, is hereby granted by the Subscriber in respect of Amazon Web Services, Inc., SendGrid, Inc., Twilio Inc and Voicebase, Inc.); the Service Provider shall inform the Subscriber of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Subscriber the opportunity to object to such changes; the Subscriber does not require the Service Provider to obtain prior specific authorisation to each individual Sub-processor. The Subscriber acknowledges that Third Party Tools (as defined in the Agreement) are not part of the Services and the providers of those Third Party Tools are not Sub-processors. The Subscriber is free to choose whether or not to use those Third Party Tools. The Subscriber further acknowledges that Habla, Inc (trading name Olark) is the Service Provider’s own provider for the purposes described under “subject matter and duration of the Processing” above and not a Sub-processor.
The parties have caused this Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date by the Service Provider offering this Addendum and the Subscriber clicking “I Accept”.