JumpDEMAND Inc. Data Protection Addendum
READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY BEFORE ACCEPTANCE. BY SIGNING INTO THE SERVICES, YOU AGREE TO FOLLOW AND BE BOUND BY THE TERMS AND CONDITIONS IN THIS ADDENDUM. YOU REPRESENT THAT YOU HAVE THE AUTHORITY AND POWER TO BIND A COMPANY OR LEGAL ENTITY IN THE CASE YOU ENTER THIS AGREEMENT ON BEHALF OF A COMPANY OR LEGAL ENTITY. IF YOU DO NOT AGREE TO EACH TERM AND CONDITION OF THIS ADDENDUM, DO NOT SIGN INTO THE SERVICES. YOU MAY NOT USE THESE SERVICES WITHOUT ACCEPTING THE TERMS AND CONDITIONS OF THIS ADDENDUM.
Upon signing into the Services for the First Time, you (the “Subscriber”) and JumpDEMAND Inc. (the “Service Provider”) are bound by this Addendum effective immediately (the “Addendum Effective Date”).
Background
(A) The Subscriber and the Service Provider are parties to an existing Agreement, pursuant to which the Service Provider provides the Services.
(B) The Service Provider is incorporated in Alberta, Canada. The European Commission decision of 20 December 2001 (2002/2/EC) determined that the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") provided adequate protection of personal data. To cover the possibility that PIPEDA, combined with any applicable provisional privacy law in Alberta, and/or any future Canadian privacy law, does not afford adequate data protection for transfers of personal data from Europe, the Service Provider offers its subscribers in Europe a separate, pre-signed Transfer Agreement.
(C) The parties wish to enter into this Addendum in order to vary, supplement and update the existing Agreement for the purpose of compliance with European DP Law and to supplement the Transfer Agreement.
Agreed terms
1. Consideration
1.1. In consideration of the mutual benefits of data protection compliance, the parties agree to the provisions of this Addendum.
2. Transfer Agreement
2.1. As set out in paragraph (B) of the Background section above, the Service Provider offers the Subscriber a pre-signed Transfer Agreement. It is the Subscriber's (and not the Service Provider's) responsibility to request, complete, sign, date and return the Transfer Agreement to the Service Provider. The Transfer Agreement will not take effect unless and until the Service Provider has confirmed receipt of the Transfer Agreement, which the Subscriber has properly completed, signed, dated and returned.
3. Interpretation
3.1. In this Addendum the defined terms set out in Appendix 1 (Interpretation) shall have the meanings given to them there (unless the context requires otherwise) and the rules of interpretation set out in Appendix 1 (Interpretation) shall apply.
3.2. Where the Subscriber is a marketing agency:
3.2.1. it shall, and shall procure that each of its End Clients shall, comply with the terms of this Addendum;
3.2.2. the parties record their understanding that each End Client is a Controller, the Subscriber is likely to be a Processor, and the Service Provider is likely to be a sub-Processor; and
3.2.3. all subsequent references to the "Subscriber" in this Addendum shall be construed as including a reference to the Subscriber's End Clients.
4. Application of this Addendum
4.1. This Addendum amends and forms part of the Agreement, whose terms apply to this Addendum. The parties agree that the click-wrap mechanism for acceptance constitutes "an instrument in writing signed by the parties" as set out in the Agreement. The Addendum supplements the Transfer Agreement. It shall take effect on the Addendum Effective Date, and shall continue for the Term.
4.2. Subject to article 9.4 (commercial terms), to the extent that there is any conflict between the requirements of this Addendum, the Transfer Agreement and the remaining provisions of the Agreement, it shall be resolved in the following order of precedence:
4.2.1. First the Transfer Agreement;
4.2.2. Secondly this Addendum; and
4.2.3. Finally, the remaining provisions of the Agreement.
5. Processor provisions
5.1. Subject to article 3.2.2, the parties acknowledge that the Subscriber is a Controller and that the Service Provider is a Processor of the Relevant Data.
5.2. Details of the Processing the Service Provider carries out on behalf of the Subscriber under the Agreement are set out in Part 1 of Appendix 2 (Details of Data Processing). The Subscriber's documented instructions are set out in Part 3 of Appendix 2 (Details of Data Processing).
5.3. The Service Provider shall:
5.3.1. Process the Relevant Data only in accordance with documented instructions from the Subscriber (including with regard to transfers of Relevant Data to a Restricted Country), unless required to do so by European Law to which the Service Provider is subject; in such a case, the Service Provider shall inform the Subscriber of that legal requirement before Processing, unless that European Law prohibits such information on important grounds of public interest;
5.3.2. ensure that persons authorised to process the Relevant Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.3.3. take all measures required pursuant to Article 32 GDPR;
5.3.4. comply with the conditions referred to in paragraphs 2 and 4 of Article 28 GDPR for engaging another Processor (a "Sub-processor") as further set out in Part 2 and Part 3 of Appendix 2 (Details of Data Processing);
5.3.5. taking into account the nature of the Processing, assist the Subscriber by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Subscriber's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR;
5.3.6. assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to the Service Provider;
5.3.7. at the choice of the Subscriber, delete or return all the Relevant Data to the Subscriber after the end of the provision of the Services or other services relating to Processing, and delete existing copies unless European Law requires storage of the Relevant Data, in accordance with article 9.4.3; and
5.3.8. make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber in accordance with article 9.4.2, and shall immediately inform the Subscriber if, in its opinion, an instruction infringes the GDPR, other European DP Law or other data protection provisions in European Law.
6. Controller provisions
6.1. The Subscriber is a Controller of the Relevant Data. The Subscriber shall comply with its obligations under European DP Law, in addition to its obligations to comply with applicable law under the Agreement, including in relation to all aspects of its decision to use the Services, its use of the Services and the operation of its business.
6.2. The Subscriber can find a description of the cookies and other tracking technologies used in the Services on the Cookies Page. The Subscriber must incorporate the description into the cookie policy on the Subscriber's website and obtain Data Subjects' consent to the use . Without limiting the generality of Article 11 of the Agreement, it is the Subscriber's (and not the Service Provider's) responsibility to ensure its use of these cookies and other tracking technologies and the description in its cookie policy complies with the local laws in the Subscriber's Country, and to take independent legal advice in the Subscriber's Country if required. If the Subscriber needs further information about these cookies/tracking technologies from the Service Provider in order to comply with the local laws in the Subscriber's Country, it must ask the Service Provider for the information it needs.
6.3. The Service Provider shall notify the Subscriber of any changes to the third party functionality referenced in section 6.2 by email to the email address notified by Subscriber to the Service Provider for that purpose and the Subscriber shall not be obliged to comply with the requirements of section 6.2 until the elapse of 14 days after the date of Service Provider’s notice.
6.4. The Subscriber (and not the Service Provider) is responsible for selecting secure passwords to access the Services and for maintaining the confidentiality and security of those passwords and its user names.
6.5. The Subscriber acknowledges and agrees that it, and not the Service Provider, is responsible for making backups of the Relevant Data. The Service Provider backs up all data for system recovery purposes only. The Service Provider does not back up data for the Subscriber. If the Subscriber inadvertently deletes its Relevant Data or other data, it is gone. The Service Provider does provide a service for data recovery, but it is expensive. If the Subscriber needs to purchase a data recovery service from the Service Provider, the Subscriber may ask the Service Provider for details of the extent to which the Service Provider can assist, and the cost.
7. Service Provider's use of data
7.1. The Subscriber acknowledges that the Service Provider shall, as Controller:
7.1.1. use the Subscriber's contact details for account management and, if the Subscriber does not object, for marketing purposes;
7.1.2. use the Subscriber's users' data to:
7.1.2.1. manage the Subscriber's users in the Services; and
7.1.2.2. respond to, and keep a record of, support queries from the Subscriber's users to provide Subscriber support and for product improvement.
7.2. The Subscriber agrees that the Service Provider may:
7.2.1. use the Relevant Data to manage the Services' infrastructure (for example, to ensure database limits are not being exceeded); and
7.2.2. create aggregated data, which does not identify any individual or the Subscriber, for product improvement purposes (for example: how many forms an account has created, how many landing pages etc).
7.3. In giving its authorisation to the Service Provider for the purposes set out in article 7.2, the Subscriber:
7.3.1. acknowledges that the Service Provider's purposes are compatible with its own purposes of receiving the Services since:
7.3.1.1. there is a link between the Service Provider's purposes and the Subscriber's purpose;
7.3.1.2. the Subscriber has benefited or will benefit from the Service Provider's purposes;
7.3.1.3. the Subscriber's users will benefit from the Service Provider's purposes;
7.3.1.4. the Service Provider takes appropriate safeguards to protect the Relevant Data, anonymising or pseudonymising the Relevant Data wherever possible, and using encryption for the Relevant Data in transit and at rest; and
7.3.2. agrees to inform its users and any Data Subjects featuring in the Relevant Data of the Service Provider's use of the Relevant Data, and shall provide them with a link to the Service Provider's privacy policy at https://www.activedemand.com/privacy-policy/ .
8. Change in Data Protection Requirements
8.1. The Service Provider may, at any time on not less than 30 days' notice, revise this Addendum by replacing it in whole or in part with any applicable Controller to Processor standard clauses or similar terms forming part of an applicable certification scheme, to reflect any change in applicable Data Protection Requirements or for other good reasons. The revised terms shall be deemed to apply in place of this Addendum at the end of the 30-day notice period, unless the Subscriber, acting reasonably, objects with good reason, in which case this Addendum shall, if the Service Provider agrees, continue to apply in the absence of the parties' agreement to a variation to the revised terms.
8.2. If the Service Provider does not agree to the continuation of this Addendum, the Subscriber may terminate the Agreement as permitted by Article 13 – Termination of the Agreement, and co-terminate this Addendum and the Transfer Agreement, or the Service Provider may terminate all those agreements, after giving a further 30 days' notice to the Subscriber to terminate.
9. Commercial terms
9.1. The Service Provider will automate its assistance provided pursuant to this Addendum as far as reasonably practicable, in order to provide self-help features for the Subscriber. The Service Provider reserves the right to charge the Subscriber for any human assistance provided pursuant to this Addendum at its standard rates, or to charge the Subscriber as permitted by applicable law.
9.2. Except where used to assist the Subscriber to use automated (self-help) features of the Services, technical support services provided under the Agreement do not include assistance provided pursuant to this Addendum.
9.3. The Subscriber shall have no right to conduct an audit of the Service Provider’s compliance with the performance of the Services or compliance with the requirements of this Addendum or the Transfer Agreement (the "Requirements"). However, no more than once annually, the Subscriber shall have the right to request from the Service Provider its certification of compliance with the Requirements. Where the Service Provider cannot give that certification or the Subscriber, acting reasonably, is not satisfied with the certification, the Subscriber may terminate the Agreement as permitted by Article 13 – Termination, of the Agreement, and co-terminate this Addendum and the Transfer Agreement. The Subscriber acknowledges that the audit rights in this article 9.3 are materially equivalent to the Service Provider's monitoring rights in Article 9 of the Agreement, and are therefore fair and reasonable.
9.4. The Subscriber acknowledges and accepts that the Service Provider would not be prepared to do business without managing its risk and exposure through the following commercial provisions, which shall apply to, and prevail over, any contrary express or implied terms in this Addendum and/or in the Transfer Agreement:
9.4.1. Articles 9.1 and 9.2 of this Addendum (costs);
9.4.2. Article 9.3 of this Addendum (audit);
9.4.3. Article 15 of the Agreement – Return of Subscriber Data; and
9.4.4. Article 22 of the Agreement – Indemnification and Limitation of Liability
provided that no disclosures or other processing of Relevant Data by the Service Provider or the Subscriber will limit either party's liability to Data Subjects, prejudice Data Subjects’ fundamental rights and freedoms or, in relation to any breach of the Transfer Agreement, contradict or undermine the liability schemes of the SCCs.
Appendix 1: Interpretation
1. In this Addendum the following terms shall have the following meanings.
Term | Definition
"Addendum" | this addendum and its appendices.
"Agreement" | the agreement(s) between the Service Provider and the Subscriber from time to time, other than the Transfer Agreement.
"Applicable DP Law" | in relation to data protection terms defined in this paragraph 1 of Appendix 1, means: (a) applicable data protection law in the Subscriber's Country, if the term is (i) defined in that law and (ii) applies to the Processing in question; or (b) if (a) does not apply, the GDPR.
"Cookies Page" | the Service Provider's webpage at https://www.activedemand.com/activedemand-tracking/ , which the Service Provider may update from time to time, containing details of cookies and similar technologies that are used in the Services.
"Data Protection Requirements" | as applicable, European DP Law and any other applicable laws and regulations relating to the processing of personal data or personally identifiable information anywhere in the world, together with applicable Guidance.
"End Client" | an end client of the Subscriber, where the Subscriber is a marketing agency.
"ePrivacy Law" | the European Regulation of the European Parliament and of the Council which supersedes Directive 2002/58/EC, and unless and until that Regulation does supersede Directive 2002/58/EC, means the implementation of Directive 2002/58/EC in the Subscriber's Country, but in the UK shall mean UK ePrivacy Law.
"Europe" | the European Economic Area (EEA) and the UK.
"European DP Law" | as applicable, (a) the GDPR and any data protection legislation applicable from time to time accompanying the GDPR in the Subscriber's Country together with (b) ePrivacy Law and any privacy legislation applicable from time to time accompanying ePrivacy Law in the Subscriber's Country.
"European Law" | as applicable, (a) European Union or European Member State law (as referred to in the GDPR) and/or (b) domestic law (as referred to in the UK GDPR).
"First Time" | as applicable: (a) subject to paragraph (b), the first time the Subscriber signs into the Services (which triggers the Addendum Effective Date), or any time after that when the Subscriber signs into the Services and there has been a change to the Agreement or this Addendum, which takes effect as set out in article 8; (b) where the Subscriber is in the EEA, was an existing subscriber of the Service Provider on 26 December 2022, is presented with this Addendum for the first time, and then signs into the Services, the "First Time" on that occasion is 26 December 2022.
"GDPR" | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (in the UK referred to in section 3(10A) of the UK Data Protection Act 2018 as the "EU GDPR"), and in the UK shall mean the UK GDPR and if applicable the EU GDPR.
"Guidance" | any codes of practice and guidance that apply in the Subscriber's Country, including those codes and guidance issued by a data protection authority in the Subscriber's Country.
"IDTA" | the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0), in force 21 March 2022, as may be updated from time to time as set out in that document, which the Service Provider offers to UK Subscribers, as set out in Part 2 of the Transfer Agreement.
"Relevant Data" | all Personal Data of which the Subscriber (or where the Subscriber is an agency, its End Client) is the Controller and which are Processed by the Service Provider for the purpose of providing the Services.
"Requirements" | has the meaning given to it in article 9.3 of this Addendum.
"Restricted Country" | any third country or international organisation as described in the GDPR.
"Services" | the services provided by the Service Provider to the Subscriber from time to time under or pursuant to the Agreement, and as defined in that Agreement.
"Standard Contractual Clause Agreement" or "SCCs" | standard contractual clause agreement offered by the Service Provider to the Subscriber and comprising modules one (controller to controller), two (controller to processor) and three (processor to processor) of Commission Decision C(2021)3972, as set out in Part 1 of the Transfer Agreement.
"Subscriber's Country" | the Subscriber's country of incorporation and/or (if different) country or countries of operation.
"Sub-processor" | has the meaning given to it in article 5.3.4 of this Addendum.
"Term" | the duration of the Processing of Relevant Data pursuant to (a) the Agreement, (b) the Transfer Agreement and/or (c) this Addendum, including during any transitional arrangements on entrance or exit.
"Transfer Agreement" | the SCCs and, where the Subscriber's Country is the UK, the IDTA.
"UK ePrivacy Law" | any UK ePrivacy law which applies to the Services or the Processing of Relevant Data, including The Privacy and Electronic Communications (EC Directive) Regulations 2003.
"UK GDPR" | has the meaning given to it in section 3(10) of the UK Data Protection Act 2018.
2. In this Addendum:
2.1. other capitalised terms not set out in paragraph 1 above shall have the meanings given to them in the Agreement;
2.2. references to any statute, enactment, order, regulation or other similar instrument shall be construed as references to the statute, enactment, order, regulation or instrument as amended by any subsequent statute, enactment, order, regulation or instrument or as contained in any subsequent re-enactment, modification or statutory extension of any of the above;
2.3. except where the context requires otherwise the singular includes the plural and vice versa; a reference to one gender includes all genders; words denoting persons include firms and corporations and vice versa;
2.4. headings are included in this Addendum for ease of reference only and shall not affect interpretation or construction;
2.5. any negative obligation imposed on any party shall be construed as if it were also an obligation not to permit or suffer the act or thing in question and any positive obligation imposed on any party shall be construed as if it were also an obligation to procure that the act or thing in question be done;
2.6. the words "include" or "including" or "for example" shall be construed without limitation to the words following;
2.7. the terms "Addendum Effective Date", "Service Provider" and "Subscriber" have the meanings given to them at the start of this Addendum; and
2.8. the terms "Controller", "Data Subject", "Personal Data", "Processing" and "Processor" shall have the meanings given to them in Applicable DP Law.
Appendix 2: Details of Data Processing
Part 1: Processor requirements
Requirement in Article 28(3) GDPR | Details for this Addendum
The subject matter and duration of the Processing | Subject matter: performance based marketing and analysis carried out by the Subscriber using the Services. The Subscriber uses the Services in relation to its own website or (if it is an agency) in relation to its End Client's website. The Services (called ActiveDEMAND) do not track across websites. The features may include (depending on package selected by the Subscriber) email marketing, call tracking, appointment scheduling, dynamic website content, autoresponders, exit intent popups, landing pages, drip campaigns, dashboards and reports, call forensics, multivariate testing, event marketing, behavioural segmentation, lead scoring, social media and web forms, as may be updated from time to time. The Relevant Data are accessed: · by the Service Provider's support personnel in Canada for the sole purpose of support, with the Subscriber's prior consent, and · without the Subscriber's consent, by the Service Provider's Chief Technical Officer and DevOps member of staff in Canada for the sole purpose of managing the Service Provider's infrastructure. The Service Provider aggregates anonymous statistics across its subscribers' accounts but this does not use or reveal any Relevant Data or other Personal Data. Duration: from the Addendum Effective Date for the Term.
The nature and purpose of the Processing | Nature: activities initiated by the Subscriber and/or enabled by the Service Provider's software. The software collects, organizes, records, structures, modifies, presents, aggregates, calculates inferences, appends, and may delete/rewrite/update the Relevant Data. Purpose: the provision of marketing automation and reporting software as a service and related services (more particularly, the Services) by the Service Provider to the Subscriber.
The type of Personal Da |