DATA PROCESSING AGREEMENT
(Online as of May 24, 2023)
THIS CUSTOMER DATA PROTECTION AGREEMENT (the “DPA”) executed by and between Selligent (“Company”, “We”, “Us”, “Our”) and the Customer (each a “Party” and collectively, the “Parties”) forms a part of the Terms of Use agreement, or if Customer and Company execute a superseding written agreement for use of the Services, then this DPA forms part of that executed agreement (in either case, the “Agreement”). This DPA reflects the parties’ agreement with respect to any Personal Data Processed by Company.
The Parties agree as follows:
1. DEFINITIONS.
For the purposes of this DPA, any terms defined by Applicable Privacy Laws (including any capitalized terms herein) shall have the same meaning as in the Applicable Privacy Laws. If Applicable Privacy Laws do not define such terms then definitions given in Applicable Privacy Laws for functionally similar terms will apply. References to “Paragraphs” in this DPA are to paragraphs of this DPA, excluding the EU SCCs and UK IDTA. References to “Clauses” in this DPA will be to clauses of the Standard Contractual Clauses. References to “Sections” in this DPA are to sections of the UK IDTA. All other capitalized terms used herein, but not otherwise defined, shall have the meanings assigned to them in the Agreement. In addition to terms defined elsewhere in this DPA, the following definitions will apply to capitalized words in this DPA:
- “Affiliate” of a party means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of a party or the right to receive more than fifty percent (50%) of the profits or earnings of the entity.
- “Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data Processed by Company in connection with the Agreement, including, where applicable, EU Data Protection Law, GDPR as implemented within the UK (“UK GDPR”), Swiss Federal Act on Data Protection (“FADP”), and US Data Protection Laws.
- “Authorized Persons” means any person or entity who provides services on Company’s behalf, including Company’s employees, officers, partners, principals, contractors and Sub-processors.
- “Company Data” means data related to the operation, performance, support, provisioning, and/or use of the Services, including, but not limited to information related to: (i) invoicing, billing and other business inquiries, (ii) information on usage of the Services, and (iii) contract management.
- “Customer” means a party to the Ordering Document that has signed this DPA.
- “Customer Affiliate” means an Affiliate of Customer that is: (i) a Controller of Customer Data in relation to the Services; (ii) subject to Data Protection Laws; and (iii) a signing party to an Ordering Document with Company.
- “Customer Data” means any Personal Data that Company Processes as a Processor on behalf of the Customer in the course of providing the Services under an Ordering Document.
- “EU Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (“e-Privacy Directive”), and any national implementations of such laws (as may be amended, superseded or replaced).
- “Ordering Document” means any form provided by Company (including an electronic form or SOW), either executed by the Parties or agreed to by Customer via the Site, that sets out the commercial terms of Customer’s purchase of the Services.
- “Sensitive Information” means: (a) protected health information (“PHI”), as that term is defined under the Health Insurance Portability and Accountability Act (“HIPAA”); (b) “nonpublic personal information” as defined under the Gramm-Leach-Bliley Financial Modernization Act of 1999 (“GLBA”); (c) data on any minor under the age of thirteen that would be subject to the Children Online Privacy Protection Act (“COPPA”); (d) card holder data under the Payment Card Industry Data Security Standard; (e) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (the “special categories of personal data” identified in Article 9 of GDPR); or (f) social security numbers, driver’s license or state identification number or other government related identifier, financial account numbers (i.e., credit card, checking account, savings account, etc.), medical, employment, criminal records, or insurance numbers, passport numbers, or other sensitive personal information.
- “Services” means the products, services, applications, tools and other resources provided or made available by Company to Customer pursuant to and as more particularly described in the Ordering Document.
- “Sub-processor” means any third party (including applicable Company Affiliates) engaged directly or indirectly by Company to Process any Personal Data relating to this DPA and/or the Agreement.
- “Tracking Technologies” means cookies, tags, web beacons, pixels and/or other similar technologies.
- “US Data Protection Laws” means any U.S. laws in effect which govern the privacy and protection of Personal Data, including the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act.
2. INTERNATIONAL DATA TRANSFERS
- Location(s) of Processing. Company may, in the provision of the Services, Process Customer Data that is protected by Applicable Privacy Laws which require measures to ensure the adequate protection of Personal Data subject to such transfers to third countries. A list of current locations of Processing can be found within Attachment 1 below.
- International Transfers. Company and/or its Authorized Persons shall not Process or transfer any Personal Data in or to a territory other than the territory in which the Personal Data was first collected (nor permit such data to be so Processed or transferred) unless it takes all such measures as are necessary to ensure such Processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by Customer to Company). For the avoidance of doubt, transfers of Personal Data to Company Affiliates established within territories which have been deemed adequate by the European Commission will be undertaken pursuant to each territory’s applicable adequacy decision(s). Customer understands that Company will Process Personal Data in the locations listed in Attachment 1 of this DPA. Subject to Customer signing up for Privacy Updates at https://app.e2ma.net/app2/audience/signup/1982867/1955909/, Company shall inform Customer of any new international transfers of Personal Data in advance of making the transfer and shall assist Customer in assessing the parties’ respective obligations to comply with Applicable Privacy Laws.
3. CUSTOMER AFFILIATES
- Contractual Relationship. By executing this DPA, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Customer Affiliates, thereby establishing a separate DPA between Company and each such Customer Affiliate and for the purposes of such DPA, wherever the DPA references “Customer” or “data exporter” it shall mean “Customer Affiliate”. Each Customer Affiliate shall be bound by the obligations of this DPA.
- Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Company under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Customer Affiliates.
- Rights of Customer Affiliates. If a Customer Affiliate becomes a party to the DPA with Company, it shall, to the extent required under Applicable Privacy Laws, also be entitled to exercise its rights and seek remedies under this DPA, provided that: (i) solely the Customer that is the contracting party to the Ordering Document shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate, and (ii) the Customer that is the contracting party to the Ordering Document shall exercise any such rights under this DPA only in the aggregate on behalf of itself and all of its Customer Affiliates. The foregoing shall not apply to the extent Applicable Privacy Laws require the Customer Affiliate to exercise a right or seek any remedy under this DPA against Company directly by itself.
4. ROLE AND SCOPE OF PROCESSING
- Roles of the Parties. As between Company and Customer, Customer is the Controller of Customer Data, and Company shall Process Customer Data only as a Processor on behalf of Customer.
- Company Data. Customer understands and acknowledges that Company is a Controller as it relates to Company Data. Notwithstanding the foregoing, Company will not retain Company Data beyond the term of this Agreement unless required to fulfill the purpose of Processing.
- Processing Instructions. Customer hereby instructs Company to Process Customer Data for the following purposes: (i) to perform the Services; (ii) to perform any steps necessary for the performance of the Agreement and this DPA; (iii) to perform any Processing initiated by Users in their use of the Services; and/or (iv) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) provided such instructions are consistent with the terms of the Agreement and this DPA (collectively, the “Instructions”). Company shall immediately inform Customer if, in Company’s opinion, an instruction infringes Applicable Privacy Laws or if Company can no longer comply with its obligations under this DPA.
- Customer’s Processing of Personal Data. Customer shall comply, and shall cause each User to comply, with its obligations as a Controller under Applicable Privacy Laws in respect of the Processing of Personal Data and any Processing instructions it issues to Company. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer and/or its Users (as applicable) acquired Customer Data. Notwithstanding the foregoing, in the event Company becomes aware that the Personal Data it has received is inaccurate, or has become outdated, it shall inform Customer without undue delay and cooperate with Customer’s request to erase or rectify the data. Without prejudice to the generality of the foregoing, Customer shall be responsible for complying with, and shall be responsible for causing its Users to comply with all laws (including Applicable Privacy Laws), including those relating to acquiring consents, the use of third party Processors such as Company, and the content of the emails and its email deployment practices.
- Tracking Technologies. Customer understands and acknowledges that the Services enable Customer to track engagement data and other Personal Data of individuals. Company and/or its Sub-processors may use Tracking Technologies to provide such Services to Customer. Customer shall maintain appropriate notice and consent mechanisms as required by Applicable Privacy Laws and industry best practices, or as Company may reasonably request from time to time, to enable Company and/or its Sub-processors to deploy such Tracking Technologies lawfully on, and collect data from, the devices of individuals whose Personal Data is Processed via the Services by virtue of Customer’s use of the Services. Company shall provide Customer with all details about the Tracking Technologies reasonably requested by the Customer. Customer shall promptly notify Company if it is unable to comply with its obligations under this paragraph (Tracking Technologies).
5. COMPANY’S PROCESSING OF PERSONAL DATA
- Processing Principles. Irrespective of the location of Processing, the location of Company, and/or the location of Customer, Company shall Process Personal Data:
- In compliance with its obligations as a Processor under Applicable Privacy Laws;
- In accordance with the applicable Transfer Mechanism(s);
- According to the instructions of the Customer as defined herein; and
- In compliance with the confidentiality provisions of the Agreement.
- No Rights as a Controller. Except as it relates to Company Data, Company acknowledges that it has no right, title or interest in any Personal Data Processed pursuant to the Agreement and may not sell, rent or lease such data to anyone. For the avoidance of doubt, nothing in the Agreement, this DPA, or any part of the Services provided constitutes sharing for cross-context behavioral advertising or selling, as defined within the Applicable Privacy Laws, of Personal Data between the parties.
6. DATA SUBJECT REQUESTS
Company shall, to the extent legally permitted, and in so far as it is possible to identify the Customer as the Controller of the data, promptly notify Customer if it receives a request from a Data Subject seeking to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to automated individual decision-making (each a “Data Subject Request”). Taking into account the nature of the Processing, Company shall assist Customer by appropriate technical and organizational measures, in so far as this is possible, for the fulfillment of the Customer’s obligations to respond to a Data Subject Request under applicable Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Company shall upon Customer’s written request provide reasonable co-operation to assist Customer to respond to any such Data Subject Requests, to the extent Company is required under applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Company’s provision of such assistance, including any fees associated with provision of additional functionality. In the event any Data Subject Request is made directly to Company, Company shall not respond to such communication directly without Customer’s prior authorization (except to instruct the Data Subject to reach out to Customer), unless legally compelled to do so. If Company is required to respond to such request, Company will promptly notify Customer and provide it with a copy of the request, unless legally prohibited from doing so.
7. RETURN/DELETION OF DATA
Company shall comply with Customer’s written request for the return or deletion of Personal Data. In the absence of a specific written request from Customer to delete Customer Data, the Customer Data will be deleted in accordance with Company’s established data retention policies.
8. SECURITY OF PROCESSING.
- Details of Company’s security measures can be found within Attachment 2 of this DPA. Customer acknowledges that the Security Measures described therein are subject to technical progress and development and that Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Notwithstanding Company’s obligations under Applicable Privacy Laws, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to the Services, protecting the security of Customer Data during any transit from the Services unless the Customer Data is transferred using technology developed by Company, and taking any appropriate steps to protect account passwords and/or backup any Customer Data uploaded to the Services.
- Company will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach and will provide all assistance and information relating to the Personal Data Breach as it becomes known or as is reasonably requested in writing by Customer. Company will use reasonable efforts to mitigate and, where possible, to remedy the effect of any Personal Data Breach in accordance with the Security Measures. Where required by applicable Data Protection Laws, Company shall document the facts surrounding the Personal Data Breach, the effects of the Personal Data Breach, and any remedial action taken.
- Any notification assistance provided by Company pursuant to its obligations under Applicable Privacy Laws that exceeds 8 hours of effort by Company or average monthly fees paid by Customer to Company shall be at Customer’s expense.
9. SENSITIVE DATA
Customer understands and acknowledges that the Services are not configured to Process, receive, and/or store Sensitive Information. As such, Customer agrees not to, and not to permit Users to, transmit, request, provide Company with access to, submit, store, or include any Sensitive Information through the Services. Customer agrees that Company may terminate this Agreement immediately, without refund, if Customer is in violation of this paragraph.
10. AUDITS
Upon Customer’s request, Company will provide Customer with copies of any of Company’s relevant data protection audit report summaries and/or certifications and/or responses to questionnaires as reasonably required by Customer to verify Company’s compliance with Applicable Privacy Laws (“Audit Information”). For the purposes of compliance with Applicable Privacy Laws, Customer agrees to leverage existing documentation and certifications provided by Company to the extent such documentation satisfies the requirements of Applicable Privacy Laws. Company shall further provide written responses to all reasonable written requests for information made by Customer related to data protection that Customer may have in connection with the Audit Information. If Customer determines in its reasonable discretion that the Audit Information does not provide all information necessary to demonstrate compliance with EU Data Protection Law, Company shall, upon prior written request by Customer and at Customer’s sole expense and during normal operating hours of Company and its Sub-processors, allow for and contribute to audits of the processing activities covered by this DPA, including inspections, conducted by the Customer or another auditor mandated by the Customer.
11. SUB-PROCESSING
- Engagement of Sub-processors. Customer hereby provides its consent to the Processing of Customer Data by the Sub-processors listed within Attachment 1. Company may engage additional Sub-processors by complying with Applicable Privacy Laws. To receive notices of intended updates to Sub-processors, Customer must sign up to receive Privacy Updates at https://app.e2ma.net/app2/audience/signup/1982867/1955909/ after executing this DPA.
- Objection to Sub-processor. If Customer objects, on reasonable data protection grounds, to the appointment or replacement of a Sub-processor, Customer must notify Company in writing within 10 days of receiving written notification of such change from Company (the “Objection Period”). In such event, the parties shall discuss in good faith commercially reasonable alternative solutions. If the parties cannot reach resolution within 30 days of the Objection Period (the “Resolution Period”), Company will either not appoint or replace the Sub-processor or, if this is not possible, Customer may terminate the Agreement (in whole or in part), by providing written notice to Company within 10 days following the Resolution Period.
12. REDRESS
Any cooperation or assistance by Company in addressing and/or resolving disputes caused by the acts or omissions of Customer pursuant to Applicable Privacy Laws shall be at Customer’s expense.
13. DATA PRIVACY IMPACT ASSESSMENTS (“DPIAs”)
To the extent Company is required under Applicable Privacy Laws, Company will assist Customer to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed Processing activity that presents a high risk to Data Subjects.
14. LIABILITY
Any claim or remedies the Customer may have against Company, any of Company Affiliates and their respective employees, agents and Sub-processors arising under or in connection with this DPA, including: (i) for breach of this DPA; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Customer; (iii) under applicable Data Protection Laws; and (iv) breach of Company’s (or any of Company Affiliates’ or their respective employees’, agents’ or Sub-processors’) obligations under Applicable Privacy Laws, will be subject to any limitation and exclusion of liability provisions (including any agreed aggregate financial cap) that apply under the Agreement. Notwithstanding the foregoing, the Customer’s maximum recovery arising out of any claim against Company, Company Affiliates, and their respective employees, agents for any losses caused directly or indirectly by a Sub-processor shall be limited to Company’s recovery from that Sub-processor where such recovery is less than the maximum aggregate liability set out in the Agreement. For the avoidance of doubt, Company and Company Group’s total liability for all claims from the Customer and all Customer Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Customer Affiliates, and, in particular, shall not apply individually or severally to Customer or to any Customer Affiliate that is a contractual party to any such DPA. Notwithstanding the foregoing, in no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
15. GENERAL
- Term and Termination. This DPA will come into force upon execution of an Ordering Document that expressly includes reference to this DPA and will in any case terminate upon the termination or expiration of the Ordering Document. This DPA will terminate simultaneously and automatically with the termination or expiration of the Agreement. Notwithstanding the foregoing, until Customer requests deletion of the Customer Data, the Company shall continue to ensure compliance with this DPA for as long as Customer Data is retained.
- Modifications & Severability. Applicable Privacy Laws may be updated or changed from time to time. In the event of any such changes, Customer agrees to negotiate in good faith with Company to amend the Agreement, this DPA and/or the Services to ensure each party’s continuing compliance with Applicable Privacy Laws, the Agreement, and this DPA. In the event that the parties cannot agree upon any such amendment, notwithstanding anything in the Agreement or this DPA to the contrary, Company will have the right to terminate the Agreement (and any applicable Ordering Documents) without penalty. This DPA may not be modified except by a subsequent written instrument signed by both parties. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
- Order of Precedence. Unless otherwise agreed by the Parties, this DPA takes precedence over any previous data protection terms applicable to Company’s Services. Nothing in the DPA affects any supervisory authority’s or Data Subject’s rights under Applicable Privacy Laws. As it relates to either party’s rights or obligations under Applicable Privacy Law, any conflict or inconsistency between the body of this DPA and any data privacy provisions set out in any Agreement shall be resolved in favor of this DPA.
- Entire Agreement. This DPA, together with the Agreement, contains the entire agreement and understanding between the parties concerning its subject matter. This DPA supersedes all prior proposals, representations, agreements and understandings, written or oral, concerning its subject matter. This DPA may be executed in two or more counterparts, each of which shall be deemed an original and all of which taken together shall be deemed to constitute one and the same document. The parties may execute and deliver signatures to this DPA electronically, including by facsimile or portable document format (PDF) file.
Attachment 1
PROCESSING DETAILS
Selligent Processing Details
- Categories of data subjects: Customer may submit Customer Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include Personal Data belonging to the following categories of Data Subjects (past, present and future), other than Users, any identified or identifiable natural person:
- Categories of personal data: Customer may submit Customer Data to the Services, the extent of which is determined and controlled by Customer and which may include, but is not limited to, Customer Data relating to the following categories of Customer Data:
- Nature of the Processing: The Customer Data transferred will be subject to the following basic Processing activities:
- Purpose(s) for Processing Personal Data:
Sub-processors and Processing Locations
A list of Selligent Sub-processors and processing locations can be found at https://meetmarigold.com/sub-processors-privacy/
Attachment 2
Security Measures
Selligent’s Technical and Organizational measures can be found in our Privacy Center. Additional Technical Measures for data transfers include:
- Encryption in transit over the public internet using HTTPS, TLS, or similarly effective methods.
- Encryption at rest within our services via the most modern cryptology method practical given the nature of our services and data processed on our customers’ behalf. More information can be found here.
Certifications
Selligent invests on a permanent basis in information security and privacy protection. Selligent’s efforts in these matters have been recognized with ISO certifications. The ISO certifications provide our customers with independent assessments and evaluations of Selligent’s security controls. These third-party evaluations are available upon request and include the following:
- ISO 27001:2013 Certification
- ISO 27701:2019 Certification
- ISO 27018:2014 Certification
- SOC 2 Type 2 Report
- HDS Certification
[1] A company incorporated under the laws of Belgium and registered under company number BE 0433.657.207, with its registered office at 1420 Braine-l’Alleud, 2 avenue de Finlande, Belgium.
Archived Selligent DPA
Data Processing Agreement 11/10/2021 – 24/05/2023
Data Processing Agreement 27/09/2021 – 11/10/2021
Data Processing Agreement 15/07/2021 – 26/09/2021
Data Processing Agreement 05/03/2021 – 14/07/2021
Data Processing Agreement 25/08/2020 – 11/02/2021
Data Processing Agreement 28/02/2020 – 24/08/2020