This DPA applies where, and to the extent that, Spreedly, Inc. (“Processor”) processes personal data of data subjects on behalf of a customer (the “Customer”), or Customer’s customers (where relevant), when providing access to its software platform, support services and/or professional services (collectively for the purposes of this DPA, the “Services”) under one or more written agreements (collectively, the “Agreement”). This DPA may be supplemented with additional jurisdiction-specific clauses as described in Section 14(f) below.
In consideration of the mutual obligations set forth herein, the parties agree to the terms and conditions of this DPA, effective as of the earlier of the effective date of the Agreement or the processing of personal data.
1. Defined Terms. For the purposes of this DPA only, the following terms have the meanings given to such terms below:
- “Customer Personal Data” means any personal data processed by Processor on behalf of the Customer (or its customers) pursuant to the Agreement. For the avoidance of doubt, all Customer Data that constitutes personal data is Customer Personal Data.
- “EEA” means the European Economic Area.
- “Data Privacy Framework” means the EU-US Data Privacy Framework implemented by the European Commission decision of July 10, 2023 on the adequate level of protection of personal data and the UK Extension pursuant to the Data Protection (Adequacy) (United States of America) Regulations 2023 in force since October 12, 2023 (“UK-US Data Bridge”).
- “Data Privacy Laws” means applicable laws relating to the privacy and protection of personal data, including without limitation (but only where applicable) GDPR.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, including the recitals. Where personal data of data subjects in the United Kingdom is involved, “GDPR” more specifically means and refers to Regulation (EU) 2016/679, the General Data Protection Regulation together with and as implemented by the UK Data Protection Act of 2018 and the implementing rules or regulations that are issued by the UK Information Commissioner's Office (“ICO”).
- “personal data” means and includes “personal information” and “personal data” as defined under Data Privacy Laws.
- “Restricted Transfer” means a transfer of Customer Personal Data from the Customer to Processor or any onward transfer of Customer Personal Data from Processor to a Subprocessor, in each case where such transfer would be prohibited by Data Privacy Laws in the absence of the parties’ agreement to the Standard Contractual Clauses or another data transfer mechanism permitted by Data Privacy laws.
- “Standard Contractual Clauses” means, collectively, (i) where personal data of data subjects in the EEA is involved, the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to GDPR (referred to herein more particularly as the “EU SCCs”), and (ii) where personal data of data subjects in the United Kingdom is involved, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (referred to herein more particularly as the “UK SCCs”).
- “Subprocessor” means any person or entity (excluding employees of Processor) appointed by or on behalf of Processor to Process Customer Personal Data on behalf of the Customer (and its customers) in connection with the Agreement.
- Additionally, the terms “controller,” “data subject,” “personal data,” “personal data breach,” “process,” “processor,” and “supervisory authorities” (or their respective substantially corresponding equivalents under Data Privacy Laws) will have the meanings given to such terms under Data Privacy Laws.
2. Nature of Relationship. The parties acknowledge and agree that with regard to the processing of Customer Personal Data, Customer may act either as a controller or processor and Processor acts as a processor (where Customer is a controller) or subprocessor (where Customer is a processor) under Data Privacy Laws.
3. Customer Representations and Warranties. The Customer represents and warrants to Processor that, prior to transferring any Customer Personal Data to Processor for processing, asking Processor to collect Customer Personal Data on the Customer’s (or its customers) behalf in connection with the Services, or otherwise providing or making available any personal data to Processor in connection with Processor’s performance of the Services, the Customer has provided to the applicable data subjects every type of notice and obtained from the applicable data subjects every type of consent in each case as required by Data Privacy Laws pertaining to such disclosures of personal data to or collection of personal data on the Customer’s behalf by Processor. The Customer will indemnify and hold harmless Processor from and against all claims, liabilities, fines, penalties, costs or other expenses, of any kind or nature whatsoever, arising out of the Customer’s breach of this Section 3.
4. Description of Processing.
- Data Subjects: Personnel and customers of the Customer.
- Categories of Data: With respect to personnel of the Customer, personal details, including information that identifies the data subject such as name, employer, address, e-mail, telephone number, location and other contact details. With respect to customers of the Customer, name, address, e-mail, telephone number, location, and billing and payment details such as bank account and credit or debit card numbers.
- Special Categories of Data: None.
- Nature and Purpose of Processing: All processing operations required to facilitate provision of Services to the Customer in accordance with the Agreement.
- Frequency of Transfer (per Section 12 of this DPA): Continuously throughout the term of the Agreement.
- Period of Retention of Personal Data: Except as otherwise provided in the Agreement or this DPA, in accordance with the retention policy of the Processor, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back up or legal reasons, the Processor will continue to protect such personal data in accordance with the Agreement and this DPA.
- For transfers to Subprocessors, the subject matter, nature and duration of the Processing: As described in Section 10 of this DPA.
5. Processing of Personal Data.
Processor will process Customer Personal Data only as needed to perform the Services and otherwise only on documented instructions from Customer (including, for the avoidance of doubt, as described in the Agreement), unless Processor is required to do so by applicable law to which Processor is subject, in which case Processor will inform the Customer of that legal requirement before processing (unless the applicable law prohibits providing such information to the Customer on important grounds of public interest). The Customer will ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Customer Personal Data, and that the processing of Customer Personal Data in accordance with the Customer’s instructions will not cause Processor to be in breach of Data Privacy Laws or any other laws, rules or regulations applicable with respect to the Customer Personal Data. Processor represents that it has implemented appropriate technical and organizational measures in such a manner that its processing of Customer Personal Data will meet the requirements of Data Privacy Laws and ensure the protection of the rights of the data subjects.
6. Confidentiality of Personal Data.
Processor will ensure that all persons (including Subprocessors) authorized to process Customer Personal Data have committed to keeping such Customer Personal Data confidential or are under an appropriate statutory obligation of confidentiality with respect to such Customer Personal Data. Processor will take steps to ensure that any natural person acting under the authority of the Processor who has access to Customer Personal Data does not process such Customer Personal Data except as needed to perform the Services or otherwise upon instructions from the Customer, unless the Processor is required to do so by applicable law to which Processor is subject.
7. Security of Personal Data.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor will implement appropriate technical and organizational measures to ensure a level of security for Customer Personal Data appropriate to the risk, including in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed. Such measures will include, inter alia as appropriate: (a) the pseudonymization or encryption of Customer Personal Data, (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services used to process Customer Personal Data, (c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Additionally, such measures will include those set forth in the Processor’s Data Security Policy attached as Schedule B to the Agreement.
8. Assistance and Cooperation.
- Processor will provide, at the Customer’s cost, reasonable assistance to Customer in performing any data protection impact assessments and/or relevant consultations with supervisory authorities or other competent data privacy authorities, in each case to the extent required by Data Privacy Laws (such as, where applicable, GDPR Articles 35 or 36), and in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Processor and its Subprocessors.
- Taking into account the nature of the Processing and the information available to Processor, Processor will, at the Customer’s cost, assist Customer as Customer may reasonably require, including by appropriate technical and organizational measures, insofar as this is possible, in ensuring compliance with the Customer’s obligations under Data Privacy Laws to appropriately secure and safeguard Customer Personal Data (such as, where applicable, pursuant to GDPR Article 32).
- Taking into account the nature of the Processing, Processor will, at the Customer’s cost, assist Customer as Customer may reasonably require, including by appropriate technical and organizational measures, insofar as this is possible, to enable the Customer to comply with requests by data subjects to exercise their rights under Data Privacy Laws. Processor will: (i) promptly notify the Customer if Processor receives a request from a data subject under Data Privacy Laws with respect to Customer Personal Data, and (ii) not respond to that request except on the written instructions of the Customer or as required by applicable law to which Processor is subject, in which case Processor will (to the extent permitted by applicable law) inform Customer of that legal requirement before Processor responds to the request.
9. Recordkeeping; Information and Audit Rights.
Processor will maintain all records pertinent to its processing of Customer Personal Data that are required by Data Privacy Laws, such as, where applicable, Article 30(2) of the GDPR, and (to the extent they are applicable to Processor’s activities for the Customer) Processor will make such records available to the Customer upon the Customer’s reasonable written request. Processor will make available to the Customer on the Customer’s reasonable request all information necessary to demonstrate compliance with this DPA, and will, at the Customer’s cost, allow for and cooperate with audits, including inspections, by the Customer or an auditor appointed by Customer in relation to the Processing of the Customer Personal Data by Processor, subject to the following:
- Information disclosed to the Customer or its auditor or that is otherwise revealed in such records, inspections or audits will be the Confidential Information of Processor under the confidentiality provisions of the Agreement.
- The Customer may request an audit by emailing success@spreedly.com.
- Audits may not be conducted more than once per year, except that they may be conducted more frequently: (i) to the extent required by a supervisory authority, or (ii) in the event of and in connection with a particular personal data breach.
- Audits will be conducted only during Processor’s normal business hours and only with reasonable advance written notice of not less than 15 business days (except in the event of a personal data breach or if the Customer has a reasonable basis to believe (supported by substantial evidence) that Processor is in material non-compliance with this DPA, in which case advance notice will be not less than 72 hours).
- Following the Processor’s receipt of the Customer’s written request to conduct an audit and/or inspection, the Processor and Customer will discuss and agree in advance on the reasonable scope, start date and duration of this audit, as well as any applicable security and confidentiality controls that may be required.
- No such audit will include access to Processor’s (or any Subprocessors’) facilities or systems (e.g., computing infrastructure, servers, data storage mechanisms and infrastructure, audit logs, activity reports, system configuration, etc.) without Processor’s prior written consent, except to the extent required by a supervisory authority.
- The Processor may charge a fee (based on the Processor’s reasonable costs) for any such audit. The Processor will provide the Customer with additional details of this fee including the basis of its calculation, in advance of the audit. Additionally, the Customer will be responsible for any fees charged by any third-party auditor appointed by the Customer for this audit.
In lieu of an audit, upon reasonable request by the Customer, but no more than once per year, Processor agrees to complete, within thirty (30) days of receipt, an audit questionnaire provided by the Customer regarding Processor’s compliance with this DPA, of reasonable length and required detail (not to exceed a reasonably-estimated three person-hours to complete unless otherwise agreed to and subject to the payment of additional fees set forth in a separate written agreement by the parties), provided that any such questionnaire responses will be the Processor’s Confidential Information under the confidentiality provisions of the Agreement.
10. Subprocessors.
- Processor will not engage any Subprocessor to process Customer Personal Data under the Agreement without written authorization from the Customer. Processor reserves the right to maintain its Subprocessor list through means such as publication of its Subprocessor list online, and the Customer hereby provides written authorization for Processor to engage the Subprocessors listed online at https://www.spreedly.com/gdpr-subprocessors. Customer may receive notifications of new Subprocessors by emailing subprocessor@spreedly.com with the subject “Subscribe,” and once subscribed in this manner Customer will receive notification of new Subprocessors before those Subprocessors are authorized to process Customer Personal Data on behalf of the Processor. Processor will send notice to Customer by email of any additional or replacement Subprocessors at least 10 days in advance of engaging any such additional or replacement Subprocessors to process Customer Personal Data under the Agreement. Customer may object to any such additional or replacement Subprocessor within 10 days of receiving such notice, provided that such objections are reasonable and on grounds relating to the protection or privacy of the Customer Personal Data involved in accordance with Data Privacy Laws or this DPA. Processor will use commercially reasonable efforts to resolve any such objection by the Customer, and the Customer will reasonably and in good faith cooperate with Processor in such efforts. If Processor cannot resolve the Customer’s objection within a reasonable period of time following receipt of Customer’s objection (such period of time not to exceed 60 days), and if Processor is unable to provide some or all of the Services without the use of the objected-to Subprocessor, then the Customer may terminate the applicable Services (such termination being without cause) which cannot be provided by Processor without the use of the objected-to Subprocessor by providing written notice to Processor.
- Where Processor engages a Subprocessor for carrying out specific processing activities on behalf of the Customer with respect to Customer Personal Data, Processor will by contract impose on the Subprocessor substantially the same data protection obligations as set forth in this DPA. Where the Subprocessor fails to fulfil such data protection obligations, Processor will remain fully liable to the Customer for the performance of that Subprocessor’s obligations.
- The Customer understands, acknowledges and agrees that the Processor is (and its Subprocessors may be) based in the United States and that the Processor provides (and the Subprocessors may provide) services under the Agreement from the United States, and the Customer hereby consents to the transfer of Customer Personal Data to the United States for Processing by the Processor and its Subprocessors in accordance with Section 12 below.
- Customer and Processor acknowledge that the Customer may engage a third-party payment gateway service provider and/or a third-party payment processing service provider to facilitate payment transactions in connection with the Agreement. Any such third parties engaged by the Customer will not be deemed a Subprocessor of the Processor for purposes of this DPA. Accordingly, nothing in this DPA obligates the Processor to enter into a data protection agreement with any such third party or to be responsible or liable for such third party’s acts or omissions.
11. Return or Deletion of Customer Personal Data.
- Subject to Sections 11(b), 11(c) and 11(d) below, Processor will at Customer’s request within thirty (30) days after the date of cessation of Services involving the Processing of Customer Personal Data, either: (i) return to the Customer the Customer Personal Data in a mutually agreeable format; or (ii) delete and ensure the deletion of all copies of Customer Personal Data.
- Processor (and Processor’s Subprocessors) may retain Customer Personal Data to the extent and for such period as is required by applicable law, rule or regulation, provided that Processor will ensure the continued confidentiality of all such Customer Personal Data, and will ensure that the Customer Personal Data are only accessed and used for the purpose(s) specified in the applicable law, rule or regulation requiring its retention. Additionally, solely to the extent not prohibited by Data Privacy Laws, Processor (and Processor’s Subprocessors) may retain Customer Personal Data stored in electronic archived or backup systems until such copies are deleted in the ordinary course in accordance with Processor’s data retention policies, provided that any such retained Customer Personal Data will remain protected to the standards of this DPA for so long as it is retained.
- Processor may retain and use for its business purposes any aggregated or de-identified data (i.e., data that is no longer personal data) created from or using Customer Personal Data, during and after termination of the Agreement.
- The Processor’s obligations under this Section 11 will be subject to any agreed-upon post-termination data retrieval provisions in the Agreement.
12. Restricted Transfers.
Processor participates in and complies with the principles of the Data Privacy Framework. Customer acknowledges that Processor will use the Data Privacy Framework to lawfully receive personal data from the EEA and the United Kingdom and Gibraltar in the United States and will ensure that it provides at least the same level of protection to such personal data as is required by the Data Privacy Framework principles. If Customer (as “Data Exporter”) carries out a Restricted Transfer to Processor (as “Data Importer”) from the EEA, Switzerland or the United Kingdom and Gibraltar, the parties hereby agree to apply one of the following, to the extent that a GDPR (Chapter V) data transfer mechanism or equivalent is legally required, in descending order of preference, such that the item higher in the list that is applicable and available will automatically apply during the term of this DPA and for as long as Customer Personal Data is retained by Processor: (i) a suitable framework or other legally adequate transfer mechanism recognized by the European Commission or United Kingdom Government or Swiss Government (or other relevant authority or court as applicable) providing an adequate level of protection for personal data, including the Data Privacy Framework; (ii) any mechanism, derogation, exemption, or exception that a party is able to invoke, such as the consent of the relevant data subjects, or a derogation under Article 49 of the GDPR or its equivalent under Data Privacy Laws; or (iii) the applicable Standard Contractual Clauses (or variations of those Standard Contractual Clauses made under Section 14(e) or as otherwise proposed by the Subprocessor or Processor as long as such variations are compliant with Data Privacy Laws). Processor will ensure that, before it commences any Restricted Transfer to a Subprocessor, one of the foregoing mechanisms in descending order of preference is implemented.
- With respect to the EU SCCs, the same are incorporated by reference into this DPA on an unchanged basis save for the following:
- Where Customer’s customers act as a controller, Customer acts as a processor, and Processor acts as a subprocessor, “Module 3” (processor-to-processor) of the EU SCCs applies;
- For the purposes of clause 9(a) of the EU SCCs, option 2 (“General Prior Authorisation”) is selected and the specified time period is 10 days in advance;
- For the purposes of clause 11(a) of the EU SCCs, the optional language is deleted;
- For the purposes of clause 13 of the EU SCCs: (i) if Customer is established in an EU Member State, the relevant supervisory authority acting as the competent supervisory authority is the supervisory authority of the EU Member State in which Customer is established, (ii) if Customer is not established in an EU Member State but has appointed a representative pursuant to GDPR Article 27(1), the relevant supervisory authority acting as the competent supervisory authority is the supervisory authority of the EU Member State in which Customer’s representative is established, and (iii) if Customer is not established in an EU Member State and has not appointed a representative pursuant to GDPR Article 27(1), then the supervisory authority of one of the EU Member States in which the data subjects whose Customer Personal Data is transferred under the EU SCCs in relation to the offering of goods or services to them are located will act as competent supervisory authority. This paragraph will constitute “Annex I.C” for purposes of the EU SCCs;
- For the purposes of clause 14(a) of the EU SCCs, the Assessment attached hereto as Appendix 1 is incorporated herein by reference;
- For the purposes of clause 17 of the EU SCCs, the governing law is Ireland;
- For purposes of clause 18(b) of the EU SCCs, the selection is Ireland; and
- The relevant party identification information from the Agreement and the description of processing in Section 4 of this DPA together will constitute “Annex 1” for the purposes of the EU SCCs. Sections 6 and 7 of this DPA will constitute “Annex 2” for the purposes of the EU SCCs.
- With respect to the UK SCCs, the same are incorporated by reference into this DPA on an unchanged basis save for the following:
- In Table 2, the selections made are those that match the EU SCCs as described and detailed in clause (a) of this Section 12;
- In Table 4, both “importer” and “exporter” are selected; and
- The relevant party identification information from the Agreement, the description of processing in Section 4 of this DPA, and Sections 6 and 7 of this DPA will be incorporated into (and will constitute) Tables 1 and 3 of the UK SCCs, as applicable.
Nothing in the interpretation of this DPA is intended to conflict with either party’s rights or responsibilities under the EU SCCs or UK SCCs (where applicable) and, in the event of such conflict, the EU SCCs (incorporating the UK SCCs where applicable) shall prevail. To the extent a transfer mechanism other than the foregoing becomes reasonably available to the parties after the effective date of this DPA, the parties will consult with each other in good faith on whether to rely on such transfer mechanism in lieu of the applicable Standard Contractual Clauses.
13. Personal Data Breach. Taking into account the nature of processing and the information available to the Processor, Processor will reasonably assist the Customer in the Customer’s efforts to comply with its obligations regarding personal data breaches as set forth in Data Privacy Laws, such as, where applicable, GDPR Articles 33 and 34. If any Customer Personal Data is subject to any personal data breach, Processor will, upon becoming aware of the personal data breach, without undue delay notify the Customer, take reasonable steps to contain and counteract the personal data breach and minimize any damage resulting from the personal data breach, and provide Customer with sufficient information to allow the Customer to meet any obligations to report to supervisory authorities or inform the applicable data subjects of the personal data breach to the extent required under Data Privacy Laws. Processor will cooperate, at the Customer’s cost, to assist Customer in the investigation, mitigation and remediation of each such personal data breach.
14. Miscellaneous.
- Subject to the following sentence of this Section 14(a), in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA will prevail. In any event, Processor’s liability under this DPA, including for breach or other failure under this DPA by Processor or its Subprocessors, will be (to the maximum extent permitted under Data Privacy Laws, the Standard Contractual Clauses and other applicable law) subject to the exclusions and limitations of liability provided for in the Agreement as if this DPA were a part of the Agreement, ab initio.
- To the extent this DPA is not governed exclusively by Data Privacy Laws, it will be governed by and construed in accordance with the laws selected pursuant to the governing law provision set forth in the Agreement.
- This DPA constitutes the entire understanding of the parties with respect to the subject matter hereof and supersedes all prior agreements, oral or written.
- Except as expressly stated in Data Privacy Laws or the Standard Contractual Clauses attached hereto, the parties to this DPA do not intend to create any rights in any third parties.
- The parties agree that, to the extent required under Data Privacy Laws, such as due to legislative changes, court decisions, and/or to reflect measures or guidance from supervisory authorities, including, without limitation and only where applicable, the adoption of standards for contracts with processors according to GDPR Article 28(7) or (8) or the invalidation, amendment, replacement or repeal of a decision adopted by the EU Commission or ICO in relation to international data transfers on the basis of GDPR Article 45(3) or Article 46(2) GDPR or on the basis of Article 25(6) or 26(4) of EU Directive 95/46/EC, such as, in particular, with respect to the Standard Contractual Clauses or similar transfer mechanisms, the Customer may request reasonable changes or additions to this DPA to reflect applicable requirements. If the Customer makes a request to change or supplement this DPA pursuant to this Section 14(e), the Customer and Processor will in good faith negotiate such changes and additions (including, where applicable, providing for Customer’s reimbursement of Processor’s costs and expenses for undertaking additional obligations) and the Processor will not unreasonably withhold or delay agreement to any variations to this DPA.
- Customer and Processor hereby accept and agree to, and where and as applicable will adhere to, the clauses that appear in the following attachments:
- Attachment 1 – Compliance with the Federal Act on Data Protection of the Swiss Confederation (FADP)
- Attachment 2 – Compliance with U.S. State Consumer Privacy Laws
- Attachment 3 – Compliance with the Brazilian Data Protection Law (LGPD)
- Attachment 4 – Compliance with Argentina’s Pending Data Protection Law
- Based on the Customer Data that Customer will process using the Platform or otherwise provide to Processor, if and to the extent Data Privacy Laws require additional clauses to be executed by Processor beyond those set forth in this DPA, then Customer will notify Processor in writing of such requirement and Processor will in good faith review, negotiate and consider adding such clauses as an additional addendum to the Agreement. In the absence of such notice Customer represents and warrants that no additional clauses are required.
- To the extent this DPA is not governed exclusively by Data Privacy Laws, it will be governed by and construed in accordance with the laws selected pursuant to the governing law provision set forth in the Agreement.
- This DPA constitutes the entire understanding of the parties with respect to the subject matter hereof and supersedes all prior agreements, oral or written.
- Except as expressly stated in Data Privacy Laws or the Standard Contractual Clauses attached hereto, the parties to this DPA do not intend to create any rights in any third parties.
- The parties agree that, to the extent required under Data Privacy Laws, such as due to legislative changes, court decisions, and/or to reflect measures or guidance from supervisory authorities, including, without limitation and only where applicable, the adoption of standards for contracts with processors according to GDPR Article 28(7) or (8) or the invalidation, amendment, replacement or repeal of a decision adopted by the EU Commission or ICO in relation to international data transfers on the basis of GDPR Article 45(3) or Article 46(2) GDPR or on the basis of Article 25(6) or 26(4) of EU Directive 95/46/EC, such as, in particular, with respect to the Standard Contractual Clauses or similar transfer mechanisms, the Customer may request reasonable changes or additions to this DPA to reflect applicable requirements. If the Customer makes a request to change or supplement this DPA pursuant to this Section 14(e), the Customer and Processor will in good faith negotiate such changes and additions (including, where applicable, providing for Customer’s reimbursement of Processor’s costs and expenses for undertaking additional obligations) and the Processor will not unreasonably withhold or delay agreement to any variations to this DPA.
- Customer and Processor hereby accept and agree to, and where and as applicable will adhere to, the clauses that appear in the following attachments:
Attachment 1
Compliance with the Federal Act on Data Protection of the Swiss Confederation as Revised Effective September 1, 2023 (“FADP”)
- This Attachment 1 applies only to any processing of personal data that has actual or potential effects in the Swiss Confederation.
- All provisions of the above DPA are incorporated and restated in this Attachment 1 in their entirety, except as specifically amended or modified below.
- References to Data Privacy Laws in the DPA will mean and include (but only where applicable) FADP.
- Section 12(a) of the DPA is supplemented and amended as follows, as and to the extent required by the FADP:
  - All references to the GDPR in Section 12(a) and in the EU SCCs are to be understood as references to the FADP, which governs all data transfers from the Swiss Confederation, and which permits the use of the EU SCCs. This provision will constitute the Annex required by the Federal Data Protection and Information Commissioner (“FDPIC”) in its guidance issued August 27, 2021.
  - The term “Member State” must not be interpreted in such a way as to exclude data subjects in the Swiss Confederation from the possibility of suing for their rights in their place of habitual residence, in accordance with Clause 18(c) of the EU SCCs. This provision will constitute the Annex required by the FDPIC in its guidance issued August 27, 2021.
  - Section 12(a)(iv) is amended to state: “For the purposes of clause 13 of the EU SCCs, the FDPIC of the Swiss Confederation is the competent supervisory authority. This paragraph will constitute ‘Annex I.C’ for purposes of the EU SCCs.”
  - In Sections 12(a)(vi) and 12(a)(vii), “Ireland” is replaced by “Swiss Confederation.”
- Section 12(b) of the DPA is deleted.
Attachment 2
Compliance with U.S. State Consumer Privacy Law
This Attachment 2 applies where, and to the extent that, Processor processes personal information of consumers within one or more U.S. States that have enacted consumer privacy laws applicable to the Services.
Notwithstanding anything to the contrary elsewhere in the DPA, where the California Consumer Privacy Act of 2018 and its implementing regulations, as amended effective January 1, 2023 by the California Privacy Rights Act and its implementing regulations (the two laws collectively, as amended, restated or supplemented from time-to-time, the “CCPA/CPRA”) applies, the terms “business,” “combine,” “commercial purpose,” “consumer,” “contractor,” “personal information,” “processing,” “sell,” “share,” and “service provider” will have the meanings given to such terms in CCPA/CPRA; and where any of the state privacy laws listed below and their respective implementing regulations (each, an “Other State Law,” and, collectively, the “Other State Laws”) apply, the terms “consumer,” “controller,” “processing,” “processor,” “sell” (and its corresponding “sale”) and “targeted advertising” will have the meanings given to such terms in the applicable Other State Law, and the term “personal information” will have the same meaning as the term “personal data” as such term is defined in the applicable Other State Law. The Other State Laws are:
- The Virginia Consumer Data Protection Act, effective January 1, 2023 (as amended, restated or supplemented from time-to-time, the “VCDPA”);
- The Colorado Privacy Act, effective July 1, 2023 (as amended, restated or supplemented from time-to-time, the “CPA”);
- The Connecticut Personal Data Privacy and Online Monitoring Act, effective July 1, 2023 (as amended, restated or supplemented from time-to-time, the “CPDPOMA”); and
- The Utah Consumer Privacy Act, effective December 31, 2023 (as amended, restated or supplemented from time-to-time, the “UCPA”).
In consideration of the mutual obligations set forth herein, the parties agree to the terms and conditions of this Addendum.
- The parties acknowledge and agree that with regard to the processing of Customer Personal Data, Customer may act either as a business or service provider and Processor acts as a service provider or contractor to the Customer under the CCPA/CPRA, and Customer may act as either a controller or processor and Processor acts as a processor (where Customer is a controller) or subprocessor (where Customer is a processor) under the Other State Laws. Customer represents, warrants and covenants that it has complied and it will comply with the CCPA with respect to all personal information of consumers that Customer has transferred or made available to Processor and its Subprocessors, or that Customer has asked Processor or its Subprocessors to collect on Customer’s behalf for processing in connection with the Services. The Customer will indemnify and hold harmless Processor from and against all claims, liabilities, fines, penalties, costs or other expenses, of any kind or nature whatsoever, arising out of the Customer’s breach of this Section 1.
- In its processing of personal information of consumers that the Customer has transferred to Processor for processing, that Processor may have access to, or that Processor has collected on the Customer’s behalf, in each case in connection with the Services, Processor will comply with all requirements of the CCPA/CPRA that are applicable to service providers and contractors and all requirements of the applicable Other State Laws that are applicable to processors. Without limiting the foregoing, during the term of the Agreement and thereafter, Processor will: (i) not retain, use or disclose the personal information for any purpose (including any commercial purpose) other than for the specific purpose of performing the Services contemplated by the Agreement; (ii) not retain, use or disclose the personal information outside of the direct business relationship between Processor and the Customer; (iii) not sell or (where CCPA/CPRA applies) share the personal information to any third parties; and (iv) not combine the personal information that Processor receives from, or on behalf of, Customer with personal information that Processor receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Processor may combine such personal information (1) for the specific purpose of providing the Services contemplated by the Agreement or (2) to perform any other permitted business purpose under CCPA/CPRA and/or the Other State Laws, as applicable. Processor certifies that it understands and will comply with the restrictions, duties and obligations set forth in this Section 2.
- Where not prohibited by applicable law, nothing in this Addendum will prohibit Processor from retaining, using or disclosing the personal information in connection with: (i) retaining or employing another service provider, contractor or subcontractor (as applicable), provided the service provider, contractor or subcontractor meets the requirements for a service provider, contractor or subcontractor under the CCPA/CPRA or Other State Law, as applicable; (ii) internal use by Processor to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles for use in providing services to another business, or correcting or augmenting data acquired from another source; (iii) detecting data security incidents, or protecting against fraudulent or illegal activity; (iv) complying with federal, state or local laws; (v) complying with a civil, criminal or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities; (vi) cooperating with law enforcement agencies concerning conduct or activity that the Customer, Processor or a third party reasonably and in good faith believes may violate federal, state or local law; or (vii) exercising or defending legal claims.
- If Processor authorizes any Subprocessor to process, retain or use any personal information received from the Customer, accessed in connection with the Services or collected on the Customer’s behalf in connection with the Services, then prior to any disclosure of such personal information to such Subprocessor, Processor will enter into a written agreement with such Subprocessor that includes all required or necessary terms to ensure that such Subprocessor is deemed a service provider or contractor within the meaning of the CCPA/CPRA or a subcontractor within the meaning of any applicable State Law.
- To the extent this Addendum is not governed exclusively by CCPA/CPRA or an Other State Law (as applicable), it will be governed by and construed in accordance with the laws set forth in the governing law section of the Agreement. If there is any conflict between this Addendum and the DPA, the Agreement or any other data protection agreement(s) between the parties, this Addendum will prevail to the extent of that conflict with respect to the personal information of consumers only.
Attachment 3
Compliance with the Brazilian Data Protection Law (“LGPD”), Retroactively Effective as of September 2020
- This Attachment 3 applies only to processing of personal data that is carried out in Brazil, that has the purpose of offering goods or services to people in Brazil or is done on data that was collected in Brazil.
- Customer and Processor acknowledge that, while the text of the LGPD is available, the full details of the interpretation and enforcement of the LGPD are still being developed. In particular, regulations to be promulgated by the Brazil National Data Protection Authority (ANPD) are not final as of the date of execution of this Brazil Addendum. Customer and Processor therefore agree to attempt in good faith to comply with the LGPD in its current state and to amend their respective practices and this Brazil Addendum (in accordance with the procedures set forth in Section 14(e) of the DPA) if and when required by legal developments in Brazil. Customer agrees to inform Processor if Customer becomes aware of LGPD and ANPD developments that require changes in Processor’s practices or its agreements with Customer.
- Because most legal duties and obligations under the LGPD closely track those under the GDPR, all provisions of the above DPA are incorporated and restated in this Brazil Addendum in their entirety, except as specifically amended or modified below. Without limiting the generality of this Section 3, Customer further agrees to comply with current provisions of the LGPD that may impose duties that exceed those imposed by the GDPR, including without limitation those concerning the definition of personal data and the right of data subjects to anonymization of their personal data.
- References to Data Privacy Laws in the DPA will mean and include (but only where applicable) LGPD.
- Customer and Processor acknowledge that the LGPD permits data transfers out of Brazil pursuant to Standard Contractual Clauses, but Brazil has not yet promulgated its own Standard Contractual Clause. Therefore, Customer and Processor will use the EU SCCs as specified in the DPA for such transfers, subject to the amendments and modifications stated below, until such time as Brazil promulgates Standard Contractual Clauses.
- Section 12 of the DPA is supplemented and amended as follows:
  - Section 12(a)(iv) is amended to state: “For the purposes of clause 13 of the EU SCCs, the ANPD is the competent supervisory authority. This paragraph will constitute ‘Annex I.C’ for purposes of the EU SCCs.”
  - In Sections 12(a)(vi) and 12(a)(vii), “Ireland” is replaced by “Brazil.”
- Section 12(b) of the DPA is deleted.
Attachment 4
Compliance with Argentina’s Pending Data Protection Law
- This Attachment 4 applies only to processing of personal data of data subjects who are in Argentina that is related to the offering of goods or services to such subjects or the monitoring of their behavior within Argentina.
- Customer and Processor acknowledge that, as of the date of execution of this DPA, the protection of personal data in Argentina is governed by Personal Data Protection Law No. 25,326 (2000) as complemented by Regulatory Decree No. 1558/2001 and several resolutions, rules and guidelines. Customer and Processor further acknowledge that a new Data Protection Law has been introduced and is in the process of public consultation and legislative enactment (the current draft has been released as DPA Resolution 119/2022 of Sep. 12, 2022) (“ARG Pending Law”), and that its enactment is expected in 2023. Customer agrees to inform Processor if Customer becomes aware of Argentina privacy law developments that require changes in Processor’s practices or any of its agreements with Customer.
- Because most legal duties and obligations under the ARG Pending Law are expected to closely track those under the GDPR, all provisions of the above DPA are incorporated and restated in this ARG Addendum in their entirety, except as specifically amended or modified below. Without limiting the generality of this Section 3, Customer further agrees to comply with any provisions of the current Personal Data Protection Law No. 25,326 (2000), as complemented, that may impose duties that exceed those imposed by the GDPR.
- References to Data Privacy Laws in the DPA will mean and include (but only where applicable) the current Personal Data Protection Law No. 25,326 (2000), as complemented, and (when in force) the ARG Pending Law.
- Customer and Processor acknowledge that the ARG Pending Law is expected to permit data transfers out of Argentina pursuant to Standard Contractual Clauses, but the specific form of such Clauses is not yet known. Therefore, Customer and Processor will use the EU SCCs as specified in the DPA for such transfers, subject to the amendments and modifications stated below, until such time as Argentina promulgates Standard Contractual Clauses.
- Section 12 of the DPA is supplemented and amended as follows:
  - Section 12(a)(iv) is amended to state: “For the purposes of clause 13 of the EU SCCs, the Argentina Agency of Access to Public Information, or any successor thereto, is the competent supervisory authority. This paragraph will constitute ‘Annex I.C’ for purposes of the EU SCCs.”
  - In Sections 12(a)(vi) and 12(a)(vii), “Ireland” is replaced by “Argentina.”
- Section 12(b) of the DPA is deleted.
How can I exercise my rights under GDPR?
To exercise your rights under GDPR, or request information Spreedly may have about you, please use this form.