This Data Processing Addendum (this “DPA”), effective as of the DPA Effective Date (defined below), is entered into by and between Unbrew Incorporated dba Clientary (“Clientary”, “we”, or “us”) and the customer that electronically accepts or otherwise agrees or opts-in to this DPA (“Customer”, or “you”).
You have entered into one or more agreements with us (each, as amended from time to time, collectively, the “Agreement”) governing the provision of our applications or software services (the “Service”).
This DPA will amend the terms of the Agreement to reflect the parties’ rights and responsibilities with respect to the processing and security of Customer’s data under the Agreement. If you are accepting this DPA in your capacity as an employee, consultant or agent of Customer, you represent that you are an employee, consultant or agent of Customer, and that you have the authority to bind Customer to this DPA.
The following definitions apply to this DPA:
The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this Addendum have the meanings given in the EU GDPR irrespective of which Data Protection Laws apply.
2.1 Roles and Regulatory Compliance; Authorization
a. Processor and Controller Responsibilities. The parties acknowledge and agree as follows: (i) that Clientary is a processor of Customer’s Personal Data under Data Protection Laws; (ii) that you are a controller or processor, as applicable, of the Personal Data under Data Protection Laws; and (iii) that each of us will comply with our obligations under applicable Data Protection Laws with respect to the processing of the Personal Data.
b. Consent obtained from End User. If Data Protection Laws apply to the processing of Customer’s Personal Data and you are a controller of the Personal Data, you acknowledge and agree as follows: (i) You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email or other property as a consequence of your use of Clientary and Unbrew Incorporated products; and (ii) you must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies; and (iii) you must make clear that as a consequence of your use of Clientary and Unbrew Incorporated products, End User data will be processed outside the United Kingdom or the EEA.
c. Authorization by Third Party Controller. If Data Protection Laws apply to the processing of Personal Data and you are a processor of the Personal Data, you warrant to us that your instructions and actions with respect to that Personal Data, including your appointment of Clientary as another processor, have been authorized by the relevant controller.
2.2 Scope of Processing
a. Customer Authorization. By entering into this DPA, you hereby authorize and instruct us to process the Personal Data: (i) to provide the Service, and related technical support; (ii) as otherwise permitted or required by your use of the Service and/or your requests for technical support; (iii) as otherwise permitted or required by the Agreement, including this DPA; and (iv) as further documented in any other written instructions that you give us, provided we acknowledge those instructions in writing as constituting processing instructions for the purposes of this DPA. We will not process the Personal Data for any other purpose, unless required to do so by applicable law or regulation.
b. Prohibition on Sensitive Data. You will not submit, store, or send any sensitive data or special categories of Personal Data (collectively, “Sensitive Data”) to us for processing, and you will not permit nor authorize any of your employees, agents, contractors, or data subjects to submit, store, or send any Sensitive Data to us for processing. You acknowledge that we do not request or require Sensitive Data as part of providing the Service to you, that we do not wish to receive or store Sensitive Data, and that our obligations in this DPA will not apply with respect to Sensitive Data.
3.1 Deletion During Term. We will enable you to delete Personal Data during the Term in a manner that is consistent with the functionality of the Service. If you use the Service to delete any Personal Data in a manner that would prevent you from recovering the Personal Data at a future time, you agree that this will constitute an instruction to us to delete the Personal Data from our systems in accordance with our standard processes and applicable law. We will comply with this instruction as soon as reasonably practicable, but in all events in accordance with applicable law.
3.2 Deletion When Term Expires. When the Term expires, we will either destroy or return to you any Customer Data in our possession or control. This requirement will not apply to the extent that we are required by applicable law to retain some or all of the Customer Data, in which event we will isolate and protect the Customer Data from further processing except to the extent required by law. You acknowledge that you will be responsible for exporting, before the Term expires, any Customer Data you want to retain after the Term expires.
4.1 Security Measures.
a. Security Measures. We will implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (collectively, the “Security Measures”). The Security Measures will have regard to the state of the art, the costs of implementation, and nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Security Measures will include, as appropriate: (i) the ability to ensure the ongoing security, confidentiality, integrity, availability, and resilience of data processing systems and services; (ii) the ability to restore the availability and access to Personal Data in a timely manner, in the event of a Data Incident; and (iii) a process for regularly testing, accessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing. We may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service.
b. Security Compliance by our Staff. We will take appropriate steps to ensure that our employees, contractors, and Subprocessors comply with the Security Measures to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligations of confidentiality.
4.2 Data Incidents. If we become aware of a Data Incident, we will notify you promptly and without undue delay, and will take reasonable steps to minimize harm and secure Customer Data. Any notifications that we send you pursuant to this Section 4.2 will be sent to your Notification Email Address and will describe, to the extent possible, the details of the Data Incident, the steps we have taken to mitigate the potential risks, and any suggestions we have for you to minimize the impact of the Data Incident. We will not assess the contents of any Customer Data in order to identify information that may be subject to specific legal requirements. You are solely responsible for complying with any incident notification laws that may apply to you, and to fulfilling any third party notification obligations related to any Data Incident(s). Our notification of or response to a Data Incident under this Section will not constitute an acknowledgement of fault or liability with respect to the Data Incident.
4.3 Your Security Responsibilities. You agree that, without prejudice to our obligations under Sections 4.1 or 4.2: (i) you are solely responsible for your use of the Service, including making appropriate use of the Service to ensure a level of security appropriate to the risk in relation to Customer Data, securing any account authentication credentials, systems, and devices you use to use the Service, and backing up your Customer Data. You understand and agree that we have no obligation to protect Customer Data that you elect to store or transfer outside of our or our Subprocessors’ systems (e.g., offline or on-premise storage). You are solely responsible for evaluating whether the Service and our commitments under this Section 4 meet your needs, including with respect to your compliance with any of your security obligations under Data Protection Laws, as applicable. You acknowledge and agree that – taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of Personal Data, as well as the risks to individuals – the Security Measures that we implement in this DPA provide a level of security appropriate to the risk in respect to the Customer Data.
4.4 Audit Rights. Customer has the right to confirm Clientary’s compliance with this Addendum as applicable to the Services by making a specific request in writing, at reasonable intervals, to the address set forth in the Terms of Service. If Clientary declines to follow any instruction requested by Customer regarding a properly requested and scoped audit or inspection, Customer is entitled to terminate this Addendum and the Terms of Service.
5.1 Access; Rectification; Restricted Processing; Portability. During the Term, we will, in a manner consistent with the functionality of the Service, enable you to: (i) access the Customer Data; (ii) rectify inaccurate Customer Data; (iii) restrict the processing of Customer Data; (iv) delete Customer Data; and (v) export Customer Data.
5.2 Cooperation; Data Subjects’ Rights. We will provide you, at your expense, with all reasonable and timely assistance to enable you to respond to: (i) requests from data subjects who wish to exercise any of their rights under Data Protection Laws; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. In the event that any such request, correspondence, enquiry or complaint is made directly to us, we will promptly inform you of it, and provide you with as much detail as reasonably possible.
6.1 Data Storage and Processing Facilities. You agree that we may store and process Customer Data in the United States and any other country in which we or our Subprocessors maintain facilities.
6.2 Application of EU Standard Contractual Clauses. Module Two (Controller to Processor) EU Standard Contractual Clauses or Module Three (Processor to Processor) EU Standard Contractual Clauses will apply to Customer Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Customer Data. These EU Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, these EU Standard Contractual Clauses will not apply where the data is transferred in accordance with a recognized compliance standard for the lawful transfer of Personal Data outside the EEA, such as when necessary for the performance of Services pursuant to the Agreement or with your consent.
List of Parties
Description of Transfer
Competent Supervisory Authority
The technical and organizational security measures implemented by the Data Importer are as in Appendix 2 of this Addendum.
Subprocessors are as covered in 7.2 List of Subprocessors.
6.3 Application of UK International Data Transfer Addendum. The UK International Data Transfer Addendum will apply to Customer Data transferred via Services from the United Kingdom, either directly or via onward transfer, to any country not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Customer Data. The UK International Data Transfer Addendum will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the United Kingdom. Notwithstanding the foregoing, the UK International Data Transfer Addendum will not apply where the data is transferred in accordance with a recognized compliance standard for the lawful transfer of Customer Data outside the United Kingdom, such as when necessary for the performance of Services pursuant to the Terms of Service or with your consent.
For data transfers from the United Kingdom that are subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
7.1 Consent to Engagement. You specifically authorize us to engage third parties as Subprocessors. Whenever we engage a Subprocessor, we will enter into a contract with that Subprocessor to help ensure that the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement and this DPA.
7.2 List of Subprocessors. A list of our current Subprocessors can be made available upon request to [email protected].
7.3 New Sub-processors. From time to time, we may engage new sub-processors under and subject to the terms of this Addendum.
7.4 Objections; Sole Remedy. You have the right to object to the engagement of a Subprocessor by providing documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements set forth in this DPA (each, an “Objection”). If we do not remedy or provide a reasonable workaround for your Objection within a reasonable time, you may, as your sole remedy and our sole liability for your Objection, terminate the Agreement for your convenience, and without further liability to either party. We will not owe you a refund of any fees you have paid in the event you decide to terminate the Agreement pursuant to this Section.
You acknowledge that we are required under Data Protection Laws (i) to collect and maintain records of certain information, including, among other things, the name and contact detail of each processor and/or controller on whose behalf we are acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (ii) to make such information available to the supervisory authorities. Accordingly, you will, when requested, provide this additional information to us, and ensure that the information is kept accurate and up-to-date.
If we believe or become aware that our processing of Customer Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, we will promptly inform you of that risk, and provide you with reasonable and timely assistance as you may require in order to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority.
There are no third party beneficiaries to this DPA. Except as expressly provided herein, nothing in this DPA will be deemed to waive or modify any of the provisions of the Agreement, which otherwise remains in full force and effect. Specifically, nothing in this DPA will affect any of the terms of the Agreement relating to Clientary’s limitations of liability, which will remain in full force and effect. If you have entered into more than one Agreement with us, this DPA will amend each of the Agreements separately. In the event of a conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA will control.
The liability of each party under this Addendum will be subject to the exclusions and limitations of liability set out in the Terms of Service. Customer agrees that any regulatory penalties incurred by Clientary in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Addendum and any applicable Data Protection Laws will count towards and reduce Clientary’s liability under the Terms of Service as if it were liability to the Customer under the Terms of Service.
This Addendum supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between Customer and Clientary, whether written or verbal, regarding the subject matter of this Addendum, including any data processing addenda entered into between Clientary and Customer with regard to the processing of personal data and on the free movement of such data. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Addendum and any other terms in this Addendum or the Terms of Service, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Addendum, as applicable, will prevail. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will supersede any conflicting terms.
Subject Matter: Clientary’s provision of the Service to the Customer, and related technical support.
Nature and Purpose of Processing: Clientary will Process Customer Data as necessary to perform the Services pursuant to the Terms of Service and as further instructed by Customer throughout its use of the Services.
Processing Duration: Throughout the Term of the Agreement. Nature and Purpose of the Processing: Clientary will process Personal Data submitted to, stored on, or sent via the Service for the purpose of providing the Service and related technical support in accordance with this DPA.
Categories of Data: Personal data submitted to, stored on, or sent via the Service may include, without limitation, the following categories of data: IP addresses, browser agents, email addresses, usernames, full names, browser and operating system identifiers, and any other personal data that Customer chooses to send us related during the course of our provision of the Service and technical support.
Data Subjects: Personal data submitted, stored, sent or received via the Service may concern the following categories of data subjects, without limitation: Customer’s employees, contractors, and agents; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via the Service.
Technical and Organizational Measures
We are committed to protect our customers' information. Taking into account the best practices, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons we take the following technical and organizational measures. When selecting the measures the confidentiality, integrity, availability and resilience of the systems are considered.
Data Privacy Program
Our Data Privacy Program is established to maintain a global data governance structure and secure information throughout its lifecycle. This program is driven by the office of the data protection officer, which oversees the implementation of privacy practices and security measures. We regularly test, assess and evaluate the effectiveness of its Data Privacy Program and Security Standards.
Confidentiality. “Confidentiality means that personal data is protected against unauthorized disclosure.”
We use a variety of physical and logical measures to protect the confidentiality of its customers' personal data. Those measures include, but are not limited to:
Integrity. “Integrity refers to ensuring the correctness (intactness) of data and the correct functioning of systems. When the term integrity is used in connection with the term "data", it expresses that the data is complete and unchanged.”
Appropriate change and log management controls are in place, in addition to access controls to be able to maintain the integrity of personal data such as:
Availability. “The availability of services and IT systems, IT applications, and IT network functions or of information is guaranteed, if the users are able to use them at all times as intended.”
We implement appropriate continuity and security measures to maintain the availability of its services and the data residing within those services:
Data Processing Instructions. "Data Processing Instructions refers to ensuring that personal data will only be processed in accordance with the instructions of the data controller and the related company measures"
We have established internal privacy policies, agreements and conduct regular privacy trainings for employees to ensure personal data is processed in accordance with customers’ preferences and instructions.