EU DATA PROCESSING ADDENDUM

Last Updated: June 4, 2018

INTRODUCTION

This Data Processing Addendum (this “DPA”) together with the Terms of Service (the “Terms”) and Privacy Policy, form a single, binding agreement (this “Agreement”) between you (“you” or “Subscriber”) and ConferencePulse, Inc. (along with its affiliated companies, “we,” “us” or “ConferencePulse”). By using or accessing the Services (as defined below), you agree to be bound by this Agreement.

IF YOU DO NOT ACCEPT THIS AGREEMENT, WE DO NOT GRANT YOU ANY LICENSE OR USE RIGHTS HEREUNDER, AND YOU MUST NOT USE OR ACCESS THE SERVICES.

DEFINITIONS

Below are definitions of some of the important terms we use in this DPA. In addition, some terms are defined within the text of the DPA. If you see terms in this document that are capitalized but not defined, they have the definitions given to them in either the Terms of Service or Privacy Policy, unless otherwise specified.

“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.

“Agent” means any of your employees, contractors or other individuals or entities authorized to interact with the Services on your behalf.

“Content” means any information, text, images, photos, audio, video, data, and any other materials that are sent, uploaded or otherwise transmitted to the Services by you, your Agents, or your Customers.

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Privacy Directive” means Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under this Agreement, including, where applicable, EU Data Protection Law.

“data subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“EEA” means the European Economic Area.

“e-Privacy Directive” means Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“EU Data Protection Law” means, to the extent applicable to Subscriber Controlled Data, any data protection or data privacy law or regulation of Switzerland or any country in the European Economic Area, including (i) prior to 25 May 2018, the Data Privacy Directive and, on and after 25 May 2018, the GDPR; and (ii) the e-Privacy Directive.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which is commonly called the General Data Protection Regulation.

“personal data” means any information relating to a “data subject” (as defined above).

“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016) 4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Subscriber Controlled Data.

“Services” means any product or service provided by ConferencePulse pursuant to this Agreement.

“Subprocessors” means the other processors that are used by ConferencePulse to process personal data.

“Subscriber Controlled Data” means the personal data in the Content that ConferencePulse processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Subscriber Controlled Data does not include personal data when controlled by us, including without limitation certain data we collect (e.g. IP address, device/browser details and web pages visited prior to coming to Your Site) with respect to third parties’ interaction with you on the Services.

RELATIONSHIP TO OTHER PARTS OF THIS AGREEMENT

Conflicting Provisions

Except for the changes made by this DPA, the other parts of this Agreement remain unchanged and in full force and effect. If there is any conflict between this DPA and other parts of this Agreement, this DPA shall prevail to the extent of that conflict.

Claims

Any claims brought under or in connection with this DPA shall be subject to the Terms of Service, including but not limited to, the exclusions and limitations set forth therein.

Total Liability

Subscriber further agrees that any regulatory penalties incurred by ConferencePulse in relation to Subscriber Controlled Data that arise as a result of, or in connection with, Subscriber’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count towards and reduce ConferencePulse’s liability under this Agreement pursuant to the limitations on liability set forth in the other parts of this Agreement.

Enforcing Parties

No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

Governing Law

This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions of the Terms, unless required otherwise by applicable Data Protection Laws.

SCOPE AND APPLICABILITY

This DPA applies where, and only to the extent that, ConferencePulse processes Subscriber Controlled Data that (1) originates from the EEA or Switzerland or (2) that is otherwise subject to EU Data Protection Law and where ConferencePulse conducts such processing on behalf of Subscriber as a processor in the course of providing Services pursuant to this Agreement.

PROCESSING ROLES AND ACTIVITIES

Subscriber as Controller

As between ConferencePulse and Subscriber, Subscriber is controller of Subscriber Controlled Data, and ConferencePulse shall process Subscriber Controlled Data only as a processor acting on behalf of Subscriber.

Subscriber Processing

Subscriber agrees that (1) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Subscriber Controlled Data and any processing instructions it issues to ConferencePulse; and (2) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for ConferencePulse to process Subscriber Controlled Data and provide the Services pursuant to this Agreement.

ConferencePulse Processing of Subscriber Controlled Data

ConferencePulse shall process Subscriber Controlled Data only for the purposes described in this Agreement and only in accordance with Subscriber’s documented, lawful instructions. The parties agree that this DPA together with the rest of this Agreement set out Subscriber’s complete and final instructions to ConferencePulse in relation to the processing of Subscriber Controlled Data, and that processing outside the scope of these instructions (if any) shall require prior written agreement between Subscriber and ConferencePulse.

ConferencePulse as Controller

ConferencePulse may also be an independent controller for some personal data relating to you or your Customers. Please see our Privacy Policy and Terms of Service for details about the personal data that we control. For clarity, any such data does not fall under the definition of Subscriber Controlled Data. We decide how to use and process such personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as access to data regarding your Customers’ interactions with your Subscriber Site, you will receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.

Details of Data Processing

  1. Subject matter. The subject matter of the data processing under this DPA is Subscriber Controlled Data.

  2. Duration. As between ConferencePulse and Subscriber, the duration of the data processing under this DPA is until the termination of this Agreement in accordance with its terms.

  3. Purpose. The purpose of the data processing under this DPA is the provision of the Services to Subscriber and the performance of ConferencePulse's obligations under this Agreement (including this DPA) or as otherwise agreed by the parties.

  4. Nature of the Processing. ConferencePulse provides email messaging, analytics technology and other related services, as described in this Agreement.

  5. Categories of Data Subjects. Subscribers and End Users are the data subjects contemplated by this DPA.

  6. Types of Subscriber Controlled Data. Subscribers may control multiple types of personal data, including, without limitation: identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).

Data Used for ConferencePulse’s Legitimate Business Purposes

Notwithstanding anything to the contrary in this Agreement (including this DPA), Subscriber acknowledges that ConferencePulse shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, ConferencePulse is the controller of such data and accordingly shall process such data in accordance with the ConferencePulse Privacy Policy and Data Protection Laws.

Tracking Technologies

Subscriber acknowledges that in connection with the performance of the Services, ConferencePulse employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). Subscriber shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable ConferencePulse to deploy Tracking Technologies lawfully on, and collect data from, the devices of End Users (defined below) in accordance with and as described in the Privacy Policy.

SUBPROCESSING

Authorized Subprocessors

Subscriber generally authorizes ConferencePulse to engage Subprocessors to process Subscriber Controlled Data on Subscriber's behalf. The Subprocessors currently engaged by ConferencePulse and authorized by Subscriber are listed in Exhibit A.

Subprocessor Obligations

ConferencePulse shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect Subscriber Controlled Data to the standard required by the Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause ConferencePulse to breach any of its obligations under this DPA.

Changes to Subprocessors

ConferencePulse shall (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from Subscriber; and (ii) notify Subscriber (for which email shall suffice) if it adds Subprocessors at least ten (10) days prior to any such changes.

Subscriber may object in writing to ConferencePulse’s appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Subscriber may suspend or terminate this Agreement (without prejudice to any fees incurred by Subscriber prior to suspension or termination).

DATA SECURITY

Security Measures

ConferencePulse shall implement and maintain appropriate technical and organizational security measures to protect Subscriber Controlled Data from Security Incidents and to preserve the security and confidentiality of Subscriber Controlled Data, in accordance with ConferencePulse's security standards described in this DPA and in the Privacy Policy.

Updates to Security Measures

Subscriber is responsible for reviewing the information made available by ConferencePulse relating to data security and making an independent determination as to whether the Services meet Subscriber’s requirements and legal obligations under Data Protection Laws. Subscriber acknowledges that the Security Measures are subject to technical progress and development and that ConferencePulse may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Subscriber.

Confidentiality of Processing

ConferencePulse shall ensure that any person who is authorized by ConferencePulse to process Subscriber Controlled Data (including its employees, agents and contractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

Security Incident Response

Upon becoming aware of, and confirming the occurrence of, a Security Incident for which notification is required under applicable Data Protection Laws, ConferencePulse shall notify Subscriber without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Subscriber.

In order to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, we will provide you with such information about the Security Incident as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as any conflicting confidentiality obligations.

Our obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by ConferencePulse of any fault or liability of ConferencePulse with respect to the Security Incident. Despite the foregoing, ConferencePulse’s obligations under this paragraph do not apply to incidents that are caused by you or any activity on your Account or which are caused by third-party services.

Assistance with Subscriber Responsibilities

  1. Basic Subscriber Responsibilities. Notwithstanding the above, Subscriber agrees that except as provided by this DPA, Subscriber is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Subscriber Controlled Data when in transit to and from the Services and taking any appropriate steps to securely encrypt and backup any Subscriber Controlled Data uploaded to the Services.

  2. Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from one of your Customers or any other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of your Subscriber Controlled Data that we process on your behalf and instructions.

  3. Cooperation with Subscriber Response Efforts. The Services provide Subscriber with a number of controls that Subscriber may use to retrieve, correct, delete or restrict Subscriber Controlled Data, which Subscriber may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Subscriber is unable to independently access the relevant Subscriber Controlled Data within the Services, ConferencePulse shall (at Subscriber's expense) provide reasonable cooperation to assist Subscriber to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under this Agreement. In the event that any such request is made directly to ConferencePulse, ConferencePulse shall not respond to such communication directly without Subscriber's prior authorization, unless legally compelled to do so. If ConferencePulse is required to respond to such a request, ConferencePulse shall promptly notify Subscriber and provide it with a copy of the request unless legally prohibited from doing so.

  4. Government Requests for Subscriber Controlled Data. If a law enforcement agency sends ConferencePulse a demand for Subscriber Controlled Data (for example, through a subpoena or court order), ConferencePulse shall attempt to redirect the law enforcement agency to request that data directly from Subscriber. As part of this effort, ConferencePulse may provide Subscriber’s basic contact information to the law enforcement agency. If compelled to disclose Subscriber Controlled Data to a law enforcement agency, then ConferencePulse shall give Subscriber reasonable notice of the demand to allow Subscriber to seek a protective order or other appropriate remedy unless ConferencePulse is legally prohibited from doing so.

  5. Impact Assessments. To the extent ConferencePulse is required under EU Data Protection Law, ConferencePulse shall (at Subscriber's expense) provide reasonably requested information regarding the Services to enable Subscriber to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

COMPLIANCE VERIFICATION

Upon reasonable request, ConferencePulse will verify its compliance with this DPA, provided that Subscriber shall not exercise this right more than once per year.

INTERNATIONAL TRANSFERS

You authorize us to transfer your Subscriber Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer your Subscriber Controlled Data to the United States. We will transfer Subscriber Controlled Data outside of Switzerland and the EEA using the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks or another lawful data transfer mechanism that is recognized under EU Data Protection Law as providing an adequate level of protection for such data transfers.

RETURN OR DELETION OF DATA

Upon termination or expiration of this Agreement, ConferencePulse shall (at Subscriber's election) delete or return to Subscriber all Subscriber Controlled Data (including copies) in its possession or control, save that this requirement shall not apply to the extent ConferencePulse is required by applicable law to retain some or all of Subscriber Controlled Data, which Subscriber Controlled Data ConferencePulse shall securely isolate and protect from any further processing, except to the extent required by applicable law.

 

Exhibit A:

List of ConferencePulse Subprocessors

The subprocessors set out below provide various types of services for ConferencePulse. The subprocessors are grouped by processing purpose and listed along with links to their respective privacy policies, where available.

 

Service | Policy Link

Advertising and Marketing
HubSpot | https://legal.hubspot.com/privacy-policy
Google Adwords | https://policies.google.com/privacy?hl=en
Facebook | https://www.facebook.com/policy.php
Twitter | https://twitter.com/en/privacy

Analytics
Mixpanel | https://mixpanel.com/legal/privacy-policy/
Google Analytics | https://www.google.com/analytics/terms/us.html
NewRelic | https://newrelic.com/termsandconditions/privacy
BugHerd | https://bugherd.com/privacy/
Google Places | https://developers.google.com/places/web-service/policies

Customer Relationship Management
Mailgun | https://www.mailgun.com/privacy-policy
Zapier | https://zapier.com/privacy/
Slack | https://slack.com/privacy-policy
Salesforce | https://www.salesforce.com/company/privacy/
Mailchimp | https://mailchimp.com/legal/privacy/
Zenprospect | https://www.zenprospect.com/chrome-extension-privacy/

Location Services
Google Maps API | https://developers.google.com/maps/terms

Payment Processing
Stripe | https://stripe.com/us/privacy

Website Development and Maintenance
Optimizely | https://www.optimizely.com/privacy/
AWS | https://aws.amazon.com/privacy/