JumpDEMAND, Inc. GDPR Addendum

READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY BEFORE ACCEPTANCE. BY SELECTING “I ACCEPT”, YOU AGREE TO FOLLOW AND BE BOUND BY THE TERMS AND CONDITIONS IN THIS ADDENDUM. YOU REPRESENT THAT YOU HAVE THE AUTHORITY AND POWER TO BIND A COMPANY OR LEGAL ENTITY IN THE CASE YOU ENTER THIS AGREEMENT ON BEHALF OF A COMPANY OR LEGAL ENTITY. IF YOU DO NOT AGREE TO EACH TERM AND CONDITION OF THIS ADDENDUM, SELECT “I DECLINE”. YOU MAY NOT USE THESE SERVICES WITHOUT ACCEPTING THE TERMS AND CONDITIONS OF THIS ADDENDUM.

Upon selecting “I Accept” you (the “Subscriber”) and JumpDEMAND Inc. (the “Service Provider”) are bound by this Addendum on the later of (a) the time/date the Subscriber selects “I Accept” and (b) 25 May 2018 (the “Addendum Effective Date”).

Background

(A) The Subscriber and the Service Provider are parties to an existing Agreement, pursuant to which the Service Provider provides the Services.
(B) The Service Provider is incorporated in Alberta, Canada. The Service Provider is not subject to the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) but is subject to the Personal Information Protection Act (Alberta) (“Alberta PIPA”), in respect of the collection, use and disclosure of personal information that occurs in Alberta. Alberta PIPA is provincial legislation that is deemed to be substantially similar to PIPEDA, and an exemption order was granted by the Federal Government, exempting organizations from PIPEDA application in respect of the collection, use and disclosure of personal information that occurs within the Province of Alberta. The possibility of such an exemption is referred to in recital 6 of the European Commission’s adequacy decision in respect of Canada dated 20 December 2001: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32002D0002. Moreover, PIPEDA applies where personal information collected in Alberta is disclosed across provincial borders. However, to cover the possibility that this combination of Alberta PIPA/PIPEDA does not afford adequate data protection for transfers of personal data from Europe, the Service Provider offers its subscribers in the European Economic Area a separate pre-signed Model Clause Agreement.
(C) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 came into force on 24 May 2016 and becomes directly applicable on 25 May 2018.
(D) The parties wish to enter into this Addendum in order to vary, supplement and update the existing Agreement for the purpose of GDPR compliance and to supplement the Model Clause Agreement.

Agreed terms

  • 1. Consideration
    • 1.1 In consideration of the mutual benefits of data protection compliance, the parties agree to the provisions of this Addendum.
  • 2. Definitions
    • 2.1 In this Addendum the defined terms set out in Appendix 1 (Definitions) shall have the meanings given to them there (unless the context requires otherwise).
    • 2.2 Where the Subscriber is a marketing agency, it shall, and shall procure that each of its end clients shall, comply with the terms of this Addendum. All subsequent references to the “Subscriber” in this Addendum shall be construed as including a reference to the Subscriber’s end clients.
  • 3. Application of this Addendum
    • 3.1 This Addendum amends and forms part of the Agreement, whose terms apply to this Addendum. The parties agree that the click-wrap mechanism for acceptance constitutes “an instrument in writing signed by the parties” as set out in the Agreement. The Addendum supplements the Model Clause Agreement. It shall take effect on the Addendum Effective Date, and shall continue for the Term.
    • 3.2 Subject to article 4 (commercial terms), to the extent that there is any conflict between the requirements of this Addendum, the Model Clause Agreement and the Agreement, it shall be resolved in the following order of precedence:
      • 3.2.1 First the Addendum (because it reflects the GDPR requirements, for example new or upgraded individual rights, data protection impact assessments and breach notification, which post-date the 2010 standard contractual clauses on which the Model Clause Agreement is based);
      • 3.2.2 Secondly the Model Clause Agreement; and
      • 3.2.3 Finally, the Agreement.
  • 4. Processor provisions
    • 4.1. The parties acknowledge that the Subscriber is a Controller and that the Service Provider is a Processor of the Relevant Data.
    • 4.2. Details of the Processing the Service Provider carries out on behalf of the Subscriber under the Agreement are set out in part 1 of Appendix 2 (Details of Data Processing). The Subscriber’s documented instructions are set out in part 2 of Appendix 2 (Details of Data Processing).
    • 4.3. The Service Provider shall:
      • 4.3.1. Process the Relevant Data only in accordance with documented instructions from the Subscriber (including with regard to transfers of Relevant Data to a Restricted Country), unless required to do so by European Law to which the Service Provider is subject; in such a case, the Service Provider shall inform the Subscriber of that legal requirement before Processing, unless that European Law prohibits such information on important grounds of public interest;
      • 4.3.2. ensure that persons authorised to process the Relevant Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      • 4.3.3. take all measures required pursuant to Article 32 GDPR;
      • 4.3.4. comply with the conditions referred to in paragraphs 2 and 4 of Article 28 GDPR for engaging another Processor (a “Sub-processor”);
      • 4.3.5. taking into account the nature of the Processing, assist the Subscriber by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR;
      • 4.3.6. assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to the Service Provider;
      • 4.3.7. at the choice of the Subscriber, delete or return all the Relevant Data to the Subscriber after the end of the provision of the Services or other services relating to Processing, and delete existing copies unless European Law requires storage of the Relevant Data, in accordance with article 7.4.3; and
      • 4.3.8. make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber in accordance with article 7.4.2, and shall immediately inform the Subscriber if, in its opinion, an instruction infringes the GDPR, other European DP Law or other data protection provisions in European Law.
  • 5. Controller provisions
    • 5.1 The Subscriber is a Controller of the Relevant Data. The Subscriber shall comply with its obligations under European DP Law, in addition to its obligations to comply with applicable laws under the Agreement.
    • 5.2 The Subscriber can find a description of the cookies and other tracking technologies used in the Services here: https://www.activedemand.com/activedemand-tracking/. The Subscriber must incorporate the description into the cookie policy on the Subscriber’s website and obtain Data Subjects’ consent to the use. Without limiting the generality of Article 11 of the Agreement, it is the Subscriber’s (and not the Service Provider’s) responsibility to ensure its use of these cookies and other tracking technologies and the description in its cookie policy complies with the local laws in the Subscriber’s Country, and to take independent legal advice in the Subscriber’s Country if required. If the Subscriber needs further information about these cookies/tracking technologies from the Service Provider in order to comply with the local laws in the Subscriber’s Country, it must ask the Service Provider for the information it needs.
    • 5.3 The Subscriber (and not the Service Provider) is responsible for selecting secure passwords to access the Services and for maintaining the confidentiality and security of those passwords and its user names. The Service Provider has access to the passwords, which are encrypted, and has a mechanism for resetting passwords.
    • 5.4 The Subscriber acknowledges and agrees that it, and not the Service Provider, is responsible for making backups of the Relevant Data. The Service Provider backs up all data for system recovery purposes only. The Service Provider does not back up data for the Subscriber. If the Subscriber inadvertently deletes its Relevant Data or other data, it is gone. The Service Provider does provide a service for data recovery, but it is expensive. If the Subscriber needs to purchase a data recovery service from the Service Provider, the Subscriber may ask the Service Provider for details of the extent to which the Service Provider can assist, and the cost.
  • 6. Change in Data Protection Requirements
    • 6.1. The Service Provider may, at any time on not less than 30 days’ notice, revise this Addendum by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme, or to reflect any change in applicable Data Protection Requirements. The revised terms shall be deemed to apply in place of this Addendum at the end of the 30-day notice period, unless the Subscriber, acting reasonably, objects with good reason, in which case this Addendum shall, if the Service Provider agrees, continue to apply in the absence of the parties’ agreement to a variation to the revised terms. If the Service Provider does not agree to the continuation of this Addendum, the Subscriber may terminate the Agreement as permitted by Article 13 – Termination of the Agreement, and co-terminate this Addendum and the Model Clause Agreement, or the Service Provider may terminate all those agreements, after giving a further 30 days’ notice to the Subscriber to terminate.
  • 7. Commercial terms
    • 7.1. The Service Provider will automate its assistance provided pursuant to this Addendum as far as reasonably practicable, in order to provide self-help features for the Subscriber. The Service Provider reserves the right to charge the Subscriber for any human assistance provided pursuant to this Addendum at its standard rates, or to charge the Subscriber as permitted by applicable law.
    • 7.2. Except where used to assist the Subscriber to use automated (self-help) features of the Services, technical support services provided under the Agreement do not include assistance provided pursuant to this Addendum.
    • 7.3. The Subscriber shall have no right to conduct an on-premises audit of the Service Provider’s compliance with the performance of the Services or compliance with the requirements of this Addendum or the Model Clause Agreement (the “Requirements”). No more than once annually, the Subscriber shall have the right to request from the Service Provider its certification of compliance with the Requirements. Where the Service Provider cannot give that certification or the Subscriber, acting reasonably, is not satisfied with the certification, the Subscriber may terminate the Agreement as permitted by Article 13 – Termination, of the Agreement, and co-terminate this Addendum and the Model Clause Agreement. The Subscriber acknowledges that the audit rights in this article 7.3 make mutual the Service Provider’s audit rights in Article 9 of the Agreement, and are therefore fair and reasonable.
    • 7.4. The Subscriber acknowledges and accepts that the Service Provider would not be prepared to do business without managing its risk and exposure through the following commercial provisions, which shall apply to, and prevail over, any contrary express or implied terms in this Addendum and/or in the Model Clause Agreement:
      • 7.4.1. Articles 7.1 and 7.2 of this Addendum (costs);
      • 7.4.2. Article 7.3 of this Addendum (audit);
      • 7.4.3. Article 15 of the Agreement – Return of Subscriber Data; and
      • 7.4.4. Article 22 of the Agreement – Indemnification and Limitation of Liability
    • provided that no disclosures or other processing of Relevant Data by the Service Provider or the Subscriber will compromise Data Subjects’ fundamental rights to respect for a private life, to the protection of Personal Data and to effective judicial protection as set out in the Charter of Fundamental Rights of the European Union.

Appendix 1: Definitions

In this Addendum the following terms shall have the following meanings.

Term Definition
“Agreement” the agreement(s) between the Service Provider and the Subscriber from time to time, other than the Model Clause Agreement.
“Applicable DP Law” in relation to data protection terms defined in this paragraph 1 of Appendix 1, means:
(a) applicable data protection law in the Subscriber’s Country, if the term is (i) defined in that law and (ii) applies to the Processing in question; or
(b) if (a) does not apply, the GDPR.
“Controller” has the meaning given to it in Applicable DP Law.
“Data Protection Requirements” as applicable, European DP Law and any other applicable laws and regulations relating to the processing of personal data or personally identifiable information anywhere in the world.
“Data Subject” has the meaning given to it in Applicable DP Law.
“ePrivacy Regulation” the European Regulation of the European Parliament and of the Council which supersedes Directive 2002/58/EC, and unless and until that Regulation does supersede Directive 2002/58/EC, means the implementation of Directive 2002/58/EC in the Subscriber’s Country.
“European DP Law” as applicable, (a) the GDPR and any data protection legislation applicable from time to time accompanying the GDPR in the Subscriber’s Country together with (b) the ePrivacy Regulation and any privacy legislation applicable from time to time accompanying the ePrivacy Regulation in the Subscriber’s Country.
“European Law” European Union or European Member State law (as referred to in the GDPR).
“GDPR” Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Model Clause Agreement” the Model Clause Agreement offered by the Service Provider to the Subscriber and comprising Commission Decision C(2010)593 Standard Contractual Clauses (processors).
“Personal Data” has the meaning given to it in Applicable DP Law.
“Processing” has the meaning given to it in Applicable DP Law.
“Processor” has the meaning given to it in Applicable DP Law.
“Relevant Data” all Personal Data of which the Subscriber (or where the Subscriber is an agency, its client) is the Controller and which are Processed by the Service Provider for the purpose of providing the Services.
“Restricted Country” any third country or international organisation as described in the GDPR.
“Services” the services provided by the Service Provider to the Subscriber from time to time under or pursuant to the Agreement, and as defined in that Agreement.
“Subscriber’s Country” the Subscriber’s country of incorporation and/or (if different) country or countries of operation.
“Term” the duration of the Processing of Relevant Data pursuant to (a) the Agreement, (b) the Model Clause Agreement and/or (c) this Addendum, including during any transitional arrangements on entrance or exit.

Appendix 2: Details of Data Processing

Part 1: Processor requirements

Requirement in Article 28(3) GDPR Details for this Addendum
The subject matter and duration of the Processing Subject matter: performance based marketing and analysis carried out by the Subscriber using the Service Provider’s Services.

The Subscriber uses the Services in relation to its own website or (if it is an agency) in relation to its client’s website.

The Services (called ActiveDEMAND) do not track across websites. The features may include (depending on package selected by the Subscriber) email marketing, call tracking, appointment scheduling, dynamic website content, autoresponders, exit intent popups, landing pages, drip campaigns, dashboards and reports, call forensics, multivariate testing, event marketing, behavioural segmentation, lead scoring, social media and web forms, as may be updated from time to time.

The Service Provider’s software is stored on Amazon Web Services, Inc.’s servers in the USA. The Service Provider’s email service is provided by SendGrid, Inc. If calls are recorded, the Service Provider’s call recording service is provided by Twilio Inc. (the Service Provider downloads the recording and deletes it from Twilio). If calls are transcribed, then the recording is sent to Voicebase, Inc. The Service Provider sends emails to Crisp IM SARL for anyone who logs into the Service Provider’s platform, or anyone who uses the Service Provider’s support portal. The Service Provider also sends email addresses to Crisp IM SARL if the other person has Crisp installed on their own site (their own Crisp account).

The Relevant Data are accessed:

  • by the Service Provider’s support personnel in Canada for the sole purpose of support, with the Subscriber’s prior consent, and
  • without the Subscriber’s consent, by the Service Provider’s Chief Technical Officer and DevOps member of staff in Canada for the sole purpose of managing the Service Provider’s infrastructure.

The Service Provider aggregates anonymous statistics across its subscribers’ accounts but this does not use or reveal any Relevant Data or other Personal Data.

As at April 2018, Amazon Web Services, Inc., Crisp IM SARL, SendGrid, Inc., Twilio Inc and Voicebase, Inc. are in the EU-US and Swiss-US Privacy Shield Frameworks.

Duration: from the Addendum Effective Date for the Term.

The nature and purpose of the Processing Nature: activities initiated by the Subscriber and/or enabled by the Service Provider’s software. The software collects, organizes, records, structures, modifies, presents, aggregates, calculates inferences, appends, and may delete/rewrite/update the Relevant Data.

Purpose: the provision of marketing automation and reporting software as a service and related services (more particularly, the Services) by the Service Provider to the Subscriber.

The type of Personal Data Employees: contact details, financial details, employment details, user details and email address, platform/support portal usage details.

Customers:

  • Provided/observed/obtained data. Personal Data provided by the Data Subject or observed from the Data Subject’s interactions with the website or obtained from third party sources: online identifiers (cookie IDs, IP address), user agent string (browser and operating system), location data, personal details inserted into forms or shared with the Subscriber during a telephone call or email exchange.
  • Transactional data. Transactional data from interactions between the Subscriber and the Data Subject.
  • Derived data. Derived data including preferences or personal interests from analytics on the Personal Data provided or observed; calls are recorded, changed from voice to text, and the conversation analysed.
  • Imported data. The Subscriber may elect to import the following Personal Data into ActiveDEMAND:
    • its own CRM data if imported using a third party product, e.g. Zapier (https://zapier.com/) (the Subscriber may export data from ActiveDEMAND in the same way, or to a CSV file)
    • website chat (if the third party product (https://www.olark.com/) is licensed in by the Subscriber)
    • Data Subject’s publicly available information which may include a social media profile (if the third party product (https://clearbit.com/) is sublicensed in by the Subscriber from the Service Provider). As at April 2018, Zapier, Inc., Habla, Inc (trading name Olark) and APIHub Inc (trading name Clearbit) are each in the EU-US and Swiss-US Privacy Shield Frameworks.

Special categories of Personal Data: None unless volunteered by the Data Subject or obtained by the Subscriber from a third party source. The Service Provider does not track any of this data. The Subscriber can upload whatever data it wishes to the Service Provider’s platform (so could upload this type of data), but the Service Provider does not collect the data from any source.

The categories of Data Subjects Employees: Data Subjects who are the Subscriber’s:

  • contact points for the Service Provider, or
  • users of the Services

and whose Personal Data are collected by the Services or stored through the Services.

Customers: Data Subjects who are website visitors, prospects or customers/clients of the Subscriber, and whose Personal Data are collected by the Services or stored through the Services.

The Controller’s obligations and rights The obligations on the Subscriber in article 5.

The rights to enforce the Service Provider’s Processor obligations, as set out in article 4 (Processor provisions).

Part 2: Documented Instructions

The Service Provider is hereby instructed by the Subscriber:

  • to Process the Relevant Data for the sole purpose of providing the Services and to the extent necessary to provide the Services, and not to Process the Relevant Data for its own purposes or third party purposes;
  • to transfer the Relevant Data to a Restricted Country provided that the Service Provider complies with the requirements laid down in Chapter V GDPR; and
  • for the purpose of article 28(3)(d) and article 28(2) GDPR, not to engage a Sub-processor without the Subscriber’s general written authorisation (which, insofar as they may be Sub-processors rather than controllers, is hereby granted by the Subscriber in respect of Amazon Web Services, Inc., SendGrid, Inc., Twilio Inc and Voicebase, Inc.); the Service Provider shall inform the Subscriber of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Subscriber the opportunity to object to such changes; the Subscriber does not require the Service Provider to obtain prior specific authorisation to each individual Sub-processor. The Subscriber acknowledges that Third Party Tools (as defined in the Agreement) are not part of the Services and the providers of those Third Party Tools are not Sub-processors. The Subscriber is free to choose whether or not to use those Third Party Tools. The Subscriber further acknowledges that Habla, Inc (trading name Olark) is the Service Provider’s own provider for the purposes described under “subject matter and duration of the Processing” above and not a Sub-processor.

The parties have caused this Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date by the Service Provider offering this Addendum and the Subscriber clicking “I Accept”.