Data Processing Addendum
LAST UPDATED: June 10, 2022
This Data Processing Addendum (“DPA”) is entered into between Privy, LLC (“Privy” or “Company”) and the counterparty agreeing to these terms (“Customer”) and forms part of the Terms and Conditions or other written or electronic agreement for the Services provided by Privy, along with any applicable Order Forms (the “Agreement”). Customer and Privy are individually referred to as “Party” and collectively as the “Parties.”
This DPA governs the manner in which Privy shall process Personal Data on behalf of Customer (and, where applicable, Customer’s Affiliates) and pursuant to the Agreement. All capitalized terms not defined in this DPA will have the meaning set forth in the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement and this DPA, this DPA shall control. The Parties agree that this DPA shall supersede and replace any existing data protection terms the Parties may have previously entered into in connection with the Agreement.
1. Defined Terms. In this DPA:
(a) “Service” means the services provided to Customer by the Company in accordance with the Agreement.
(b) “GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), and any local implementations or applications of the same in any EEA Member State; and/or the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, as the context permits and to the extent applicable to a Party.
(c) “SCCs” means: (i) where the EU GDPR or Swiss Federal Act on Data Protection applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR, including the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
(d) In Sections 2 through 6 of this DPA, the following terms have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”): “controller”, “personal data”, “processor”, “data subject” and “processing.”
2. Subject Matter, Nature, Purpose and Duration. Section 1(b) and Sections 2 through 6 of this DPA apply to the processing of personal data (a) relating to data subjects located in the European Economic Area or the United Kingdom or (b) that is otherwise regulated by the GDPR, by the Company solely on behalf of Customer for the purpose of providing the Service (“EU Personal Data”). As between the parties, (i) Customer is a controller and the Company is a processor on behalf of Customer with regard to EU Personal Data or (ii) Customer is a processor and the Company is a subprocessor on behalf of Customer with regard to EU Personal Data. The subject matter of EU Personal Data processing, the nature of the processing operations carried out by the Company on behalf of Customer, the categories of data subjects whose EU Personal Data is subject to this DPA, the types of EU Personal Data subject to this DPA, the purpose of the processing under this DPA and Customer’s data processing instructions for the Company are set forth in Annex 1 to this DPA and as otherwise provided in reasonable written instructions by Customer to the Company from time to time. This DPA shall remain in effect, and the duration of the processing under this DPA shall continue, as long as the Company carries out EU Personal Data processing operations on behalf of Customer (and until all EU Personal Data has been returned or deleted in accordance with Section 3(g)).
3. Processing Covenants. In processing EU Personal Data hereunder, the Company shall:
(a) process EU Personal Data only on documented instructions from Customer, unless otherwise required to do so by applicable law, in which case the Company will inform Customer of that legal requirement before processing, unless applicable law prohibits the Company from informing Customer. For the avoidance of doubt, this DPA shall constitute Customer’s documented instructions to the Company to process EU Personal Data in connection with the Company’s provision of the Service to Customer;
(b) use commercially reasonable efforts intended to ensure that persons authorized to process EU Personal Data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality or are subject to ethical rules of responsibility that include confidentiality;
(c) taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement commercially reasonable technical and organizational measures intended to meet the security requirements described in Article 32 of the GDPR;
(d) taking into account the nature of the processing, use commercially reasonable efforts to assist Customer, at Customer’s expense, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subjects’ rights with respect to their EU Personal Data under the GDPR and any applicable national implementing legislation, regulations and secondary legislation relating to the processing of EU Personal Data (the “Data Protection Laws”);
(e) taking into account the nature of processing and the information available to the Company, use commercially reasonable efforts to assist Customer, at Customer’s expense, in ensuring compliance with Customer’s obligations described in Articles 32 through 36 of the GDPR;
(f) notify Customer promptly if the Company becomes actually aware of a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, EU Personal Data (an “Incident”), provided that the provision of such notice by the Company shall not be construed as an acknowledgement of fault or liability with respect to any such Incident;
(g) at the choice of Customer upon Customer’s request, delete or return all EU Personal Data to Customer within ninety (90) days after the end of the provision of the Service to Customer and delete existing copies unless applicable law requires retention of EU Personal Data;
(h) make available upon Customer’s reasonable request information reasonably necessary to demonstrate material compliance with the obligations laid down in this DPA and allow for and contribute to audits (each, an “Audit”), at Customer’s expense, conducted by Customer or another auditor chosen by Customer (an “Auditor”), provided that no Auditor shall be a competitor of the Company, and provided further that in no event shall Customer have access to the information of any other client of the Company and the disclosures made pursuant to this Section 3(h) (“Audit Information”) shall be held in confidence as the Company’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no Audit shall be undertaken unless or until Customer has requested, and the Company has provided, documentation pursuant to this Section 3(h) and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this DPA. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of Audit Information by Customer or its agents.
4. Subprocessors. Customer hereby grants the Company general authorization to engage another processor to process EU Personal Data on behalf of the Company (each, a “subprocessor”) to assist the Company in processing EU Personal Data as set out in this DPA. The Company shall enter into contractual arrangements with such subprocessors requiring the same level of data protection compliance and information security as that provided for herein. The Company will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the subprocessors. Customer hereby consents to the processing of EU Personal Data by, and the disclosure and transfer of EU Personal Data to, the subprocessors listed on Annex 3 to this DPA. The Company shall inform Customer of any intended changes concerning the addition or replacement of subprocessors at least ten (10) calendar days before the new subprocessor processes EU Personal Data. Customer may object to such changes in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection (an “Objection”). In the event of an Objection, the parties will discuss such concerns in good faith with the intention of achieving a resolution. If the parties are not able to achieve a resolution as described in the previous sentence, Customer, as its sole and exclusive remedy, may terminate the Company’s provision of the Service for convenience, on the condition that Customer provides written notice to the Company within five (5) calendar days of being informed of the engagement of the subprocessor. Customer shall not be entitled to any refund of fees paid prior to the date of any termination pursuant to this Section 4.
5. Customer Obligations. Customer represents, warrants and covenants that (i) it shall comply with its obligations as a controller under the GDPR in respect of its processing of EU Personal Data and any processing instructions it issues to the Company as referred to in Section 3(a); (ii) it has provided notice and obtained all consents and rights required by the Data Protection Laws to transfer EU Personal Data outside the European Economic Area or United Kingdom and for the Company to process EU Personal Data pursuant to the Agreement and this DPA; and (iii) the processing of EU Personal Data by the Company upon the documented instructions of Customer under Section 3(a) shall have a lawful basis of processing pursuant to Article 6 of the GDPR. If Customer is a processor, Customer represents and warrants to the Company that Customer’s instructions and actions with respect to EU Personal Data, including its appointment of the Company as another processor, have been duly authorized by the relevant controller. Customer shall indemnify, defend and hold the Company harmless from and against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 5. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 5 shall not be subject to any limitations of liability set forth in the Agreement.
6. Data Transfer. In connection with the Services, the Parties acknowledge and agree that EU Personal Data shall be processed outside of the European Economic Area and the United Kingdom in the jurisdictions set out in this DPA or the Agreement, including jurisdictions that have not been designated as providing an adequate level of protection under Data Protection Laws (“Third Country”), and to support such transfers to Third Countries (hereinafter, “Restricted Transfers”), Data Protection Laws may require the execution of additional contractual terms and additional compliance measures to be taken. The Parties agree that to the extent Restricted Transfers occur pursuant to this Agreement, the Restricted Transfer shall be subject to:
(a) the data exporter ensuring that all Restricted Transfers comply with Data Protection Laws and, where required, a transfer impact assessment (“TIA”) is carried out;
(b) the data importer ensuring that all subsequent Processing in the Third Country and any onward transfers comply with Data Protection Laws, and that, where required, the data importer supports and assists the data exporter with carrying out a TIA and implements any supplementary measures required to safeguard the Personal Data from unauthorized access from government authorities in the Third Country;
(c) where the Restricted Transfer is to a subprocessor, ensuring that a written contract is in place and the provisions of Section 4 have otherwise been complied with;
(d) the appropriate SCCs as follows:
i. Transfers Restricted by EEA Data Protection Laws. The Parties agree Restricted Transfers Protected by EEA Data Protection Laws shall be subject to the SCCs as follows:
ii. Transfers Restricted by United Kingdom Data Protection Laws. Where the Parties are lawfully permitted to rely on the SCCs for transfers of Personal Data from the United Kingdom subject to completion of the UK Addendum, then:
7. Other Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that the Company shall have a right to use and disclose data relating to representatives of Customer that relates to the operation, support and/or use of the Service for the Company’s legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by, the GDPR (as defined in Section 1(b))), the Company is the controller (as defined in the GDPR) of such data and accordingly shall process (as defined in the GDPR) such data in accordance with the GDPR. To the extent any such data is considered personal information (as defined in, and regulated by, the CCPA (as defined in Section 8)), then, to the extent the Company is subject to the CCPA as a business (as defined in the CCPA), the Company is the business with respect to such data and accordingly shall process (as defined in the CCPA) such data in accordance with the CCPA.
8. CCPA Provisions. This Section 8 shall apply from and after the CCPA Effective Date (as defined below) and shall not apply before such CCPA Effective Date. As between the parties, the Company is a service provider to Customer with respect to Consumer Information (as defined below).
(a) In this Section 8:
(b) Except as otherwise required by applicable law, the Company shall:
(i) implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the Consumer Information to protect such Consumer Information from unauthorized access, destruction, use, modification, or disclosure;
(ii) not retain, use or disclose Consumer Information for any purpose outside the scope of the business relationship of the parties and other than for the specific purpose of providing the Service (including retaining, using or disclosing the Consumer Information for a commercial purpose other than providing the Service) or as otherwise permitted by the CCPA as applicable to service providers;
(iii) not collect or use Consumer Information except as reasonably necessary to provide the Service;
(iv) not sell Consumer Information;
(v) to the extent necessary, use commercially reasonable efforts to assist Customer, at Customer’s expense, in Customer’s fulfilment of Customer’s obligation to respond to California residents’ requests to exercise rights with respect to their Consumer Information under the CCPA; and
(vi) use commercially reasonable efforts to assist Customer, at Customer’s expense, to the extent necessary to support Customer’s compliance with Customer’s obligations under the CCPA.
(c) The Company understands the restrictions provided in Sections 8(b)(ii) and 8(b)(iv) and will comply with them.
(d) Customer represents, warrants and covenants that (i) it shall comply with its obligations under the CCPA in respect of its processing of Consumer Information and any processing instructions it issues to the Company; and (ii) it has provided notice and obtained all consents and rights required by the CCPA for the Company to process Consumer Information pursuant to the Agreement and this DPA. Customer shall indemnify, defend and hold the Company harmless from and against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 8(d). Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 8(d) shall not be subject to any limitations of liability set forth in the Agreement.
(e) Nothing in this DPA shall prevent the Company from engaging its own service providers in the processing of Consumer Information, provided that the Company shall enter into contractual arrangements with such service providers requiring a substantially similar level of data protection compliance and information security as that provided in this Section 8 with respect to Consumer Information.
9. Integration. This DPA, including the SCCs, and the Agreement (including the Privacy Policy and Acceptable Use Policy) constitute the parties’ entire agreement and understanding with respect to the subject matter hereof. The obligations contained in this DPA are in addition to the other obligations contained in the Agreement. In the event of a conflict between this DPA and any other terms in the Privacy Policy, the terms of this DPA will govern. Under no circumstances and under no legal theory, whether in tort, contract or otherwise, will the Company be liable to Customer for any indirect, special, incidental, consequential or punitive damages of any character, including, without limitation, damages for loss of goodwill, lost profits, lost sales or business, work stoppage, computer failure or malfunction, lost data or for any and all other damages or losses, even if a representative of Customer has been advised, knew or should have known of the possibility of such damages. In no event will the Company be liable for any direct damages, costs or liabilities in excess of the amounts paid or payable by Customer during the twelve months preceding the incident or claim.
10. Construction. In this DPA, unless a clear contrary intention appears: (a) where not inconsistent with the context, words used in the present tense include the future tense and vice versa, and words in the plural number include the singular number and vice versa; (b) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by this DPA; (c) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (d) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (e) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; and (f) “including” (and with correlative meaning, “include”) means including without limiting the generality of any description preceding such term.
Annex 1 to the DPA:
A. List of Parties
Data exporter(s): Customer and/or the Customer Affiliates operating in the countries which comprise the European Economic Area and UK

| | Data exporter(s) | Data importer(s) |
| --- | --- | --- |
| Name | Customer and any Customer Affiliates described in the Agreement | Privy, LLC |
| Address | Addresses of any Customer and any Customer Affiliates described in the Agreement | 201 South St, 2nd Floor, Boston, MA 02111 |
| Contact Person’s Name, Position and Contact Details | As set forth in the Agreement | privacy@privy.com |
| Activities relevant to Personal Data transferred under the SCCs | Use of the Services as described in the Agreement | Processing necessary to provide the Services as set forth in the Agreement |
| Signature and Date | This Annex 1 shall be deemed executed upon execution of the DPA. | This Annex 1 shall be deemed executed upon execution of the DPA. |
| Role | Controller (or Processor on behalf of a third-party Controller) | Processor (or Sub-processor) |
B. Description of Data Processing and Transfer

| Item | Description |
| --- | --- |
| Subject Matter of Processing | The subject matter of Processing is the Services pursuant to the Agreement. |
| Duration of Processing | The Processing will continue until Privy’s receipt of notification from Customer of termination of use of all Services. |
| Categories of Data Subjects | Customer’s subscribers and prospective subscribers |
| Frequency of the Transfer | Continuous for the duration of the Agreement |
| Nature and Purposes of Processing | Nature: the nature of the processing is the collection of subscriber information and other such Services as described in the Agreement. Purpose: the purpose of the processing under this DPA is the provision of the Services initiated by Customer pursuant to the Agreement. |
| Types of Personal Data | The data collected via Privy comprises the following types of EU Personal Data: |
| Sub-processors | The subject matter, nature and duration of the processing shall be as specified in the Agreement. |
C. Competent Supervisory Authority

| Item | Description |
| --- | --- |
| Competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs) | In respect of the EU SCCs, means the competent supervisory authority determined in accordance with Clause 13 of the EU SCCs. In respect of the UK SCCs, means the UK Information Commissioner's Office. |
Annex 2 to the DPA:
Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk.
Annex 3 to the DPA:
List of Sub-processors
The following Sub-processors are currently used by Privy to Process EU Personal Data:

| Entity Name | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services, Inc. | Cloud hosting provider | United States |
| DigitalOcean | IP hosting | United States |
| Snowflake | Data platform provider | United States |
| SparkPost | Email delivery | United States |
| Twilio, Inc. | Communications services | United States |