Data Processing Agreement
Effective starting: 26.05.2022
We are Omnisend and we act as a group of private limited liability companies (“Omnisend”). The group consists of these companies:
|Name of the Company|UAB Omnisend|Omnisend, LLC.|Omnisend, Ltd.|
|Legal entity code|302530363|6567194|EIN 301200039|
|Address|Verkių g. 25C-1, LT-08223 Vilnius, Republic of Lithuania|Unit A3, Gateway Tower, 32 Western Gateway, London, E16 1YL|1401 Sam Rittenberg Blvd Suite 2, Charleston, SC 29407, United States|
|Contact details|E-mail: [email protected]|
This Data Processing Agreement (the “DPA”) reflects the Parties’ agreement with respect to the terms governing the Processing of Customer Personal Data subject to Data Protection Laws (each, as defined below) in connection with Omnisend’s provision of the Services, and is subject to the terms and conditions set forth in the agreement, by and between Omnisend and Customer, that, by its terms, expressly governs Customer’s use of the Services (collectively, the “Agreement(s)”). In the event of a conflict between the DPA and the Personal Data processing provisions of the Agreements, the provisions of this DPA shall prevail solely with respect to the Processing of Customer Personal Data. Parties exchange their contact details when the Customer registers and subscribes to the Services.
Since the Customer transfers Customer Personal Data (as defined below) to Omnisend, which has Affiliates located outside the EEA (as defined below), this DPA integrates the European Commission (decision C(2021)3972) Standard Contractual Clauses (the “Standard Contractual Clauses”), which set out appropriate safeguards, including enforceable Data Subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”). This DPA is without prejudice to obligations to which the Data Exporter (as defined below) is subject by virtue of the GDPR.
According to this DPA Omnisend acts as a “Data Importer”, which receives Customer Personal Data from the Customer, which acts as a “Data Exporter”.
For the purposes of this DPA, the following definitions apply:
1.1. “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable, EU Data Protection Laws and Non-EU Data Protection Laws.
1.2. “Customer Personal Data” means any Target Data or Customer Confidential Information other than Target Data that identifies (or can be used to identify) a particular natural person and that is considered “personal data”, “personal information”, or a like characterization under Data Protection Laws.
1.3. “Data Subject” means a particular identified or identifiable natural person.
1.4. “EEA” means the European Economic Area.
1.5. “EU Data Protection Laws” means all Data Protection Laws and regulations applicable to Europe, including (i) the GDPR; (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom (the “UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
1.6. “Non-EU Data Protection Laws” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (the “CCPA”) and Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, ch. 5 (the “PIPEDA”) and any provincial legislation deemed substantially similar to PIPEDA pursuant to the procedures set forth therein, and all amendments to the CCPA, PIPEDA and similar legislation, as they may be enacted, from time to time.
1.7. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
1.8 “Process”, “Processes”, “Processed” and “Processing” means any operation or set of operations which is performed on Customer’s Personal Data, whether or not by automated means.
1.9 “Sub-Processor” means any Processor appointed by Omnisend to assist with Omnisend’s Processing of Customer Personal Data.
1.10. “Supervisory Authority” means a government agency responsible for enforcement of the Data Protection Laws, with competent jurisdiction over the Parties.
1.11. In this DPA Omnisend and the Customer are collectively referred to as the “Parties”, and individually as a “Party”.
1.13. This DPA shall be read and interpreted in the light of the provisions of the Data Protection Laws.
2. Third-Party Beneficiaries
2.1. Data Subjects may invoke and enforce this DPA, as third-Party beneficiaries, against the Customer and/or Omnisend, with the following exceptions:
2.1.1. Sections 1, 2, 3;
2.1.2. subsections 4.2.2., 4.9.1., 4.9.3. to 4.9.5., 12.1., 12.3. to 12.4., 16.3., 16.4., 16.5., 18.1., 18.4., 18.6., 19.1., 19.5., 20.7.
3. Details of the Processing and the Transfer of Customer Personal Data
3.1. The details of the Processing of Customer Personal Data and the transfer, and in particular the categories of Personal Data, the purpose(s) for which Customer Personal Data are transferred and processed:
3.1.1. Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may relate to, but is not limited to, the following categories of Data Subjects: Customer’s end users, employees, contractors, customers, prospective customers, suppliers and subcontractors;
3.1.2. The categories of Customer Personal Data Processed by Omnisend pursuant to the Agreements consist of: contact information (name, surname, company, email, phone, and physical address), navigational data, purchase data, bank details, email data, and Services usage data (to the extent such data is considered “personal data”, “personal information”, or a like characterization under the applicable Data Protection Laws). Special Categories Data will not be processed by and transferred to Omnisend by the Customer;
3.1.3. Customer Personal Data may be transferred and Processed by Omnisend in connection with the provision of the Services in accordance with the Agreements, to communicate with Customer, and/or to otherwise fulfill Omnisend’s obligations under the Agreements;
3.1.4. The frequency of the transfer(s) of the Customer Personal Data will be: periodically as provided and updated by the Customer;
3.1.5. Customer Personal Data will be Processed for the duration of the term set forth in the Agreements, unless otherwise provided by law;
3.1.6. The Customer Personal Data shall be retained for no longer than is necessary to fulfill its obligations under the Agreement, unless otherwise required by law;
3.1.7 Omnisend will transfer Customer Personal Data to Sub-Processors specified in the Annex III for these purposes:
3.1.7.1. to ensure collaboration/communication functionalities;
3.1.7.2. to ensure marketing/eCommerce solutions;
3.1.7.3. to ensure accounting and payment solutions;
3.1.7.4. analytics and data assessment.
3.2 The above details may be altered or specified in the separate written agreement between the Parties.
4. Data Protection Safeguards
4.1. The Customer warrants that it has used reasonable efforts to determine that Omnisend is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under this DPA.
4.2.1. Omnisend shall process the Customer Personal Data only on documented instructions from the Customer. The Customer may give such instructions throughout the duration of the Agreement;
4.2.2. Omnisend shall immediately inform the Customer if it is unable to follow those instructions.
4.3 Purpose limitation:
4.3.1 Omnisend shall process Customer Personal Data only for the specific purpose(s), as set out in Section 3 of the DPA, unless the Customer provides further instructions.
4.4.1 On request, the Customer shall make a copy of this DPA, including the Annexes as completed by the Parties, available to the Data Subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex I and Customer Personal Data in Section 3, the Customer may redact part of the text prior to sharing a copy, but shall provide a meaningful summary where the Data Subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the Data Subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This subsection is without prejudice to the obligations of the Customer under Articles 13 and 14 of the GDPR.
4.5.1 If Omnisend becomes aware that the Customer Personal Data is inaccurate, or has become outdated, it shall inform the Customer without undue delay. In this case, Omnisend will cooperate with the Customer to erase or rectify the Customer Personal Data.
4.6 Duration of Processing and Erasure or Return of Customer’s Personal Data:
4.6.1. Processing by Omnisend shall only take place for the duration specified in the subsections 3.1.5. and 3.1.6. After the end of the provision of the Services, Omnisend shall, at the choice of the Customer, delete all Customer Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or return to the Customer all Personal Data processed on its behalf and delete existing copies. Until the Customer Personal Data is deleted or returned, Omnisend shall continue to ensure compliance with this DPA. In case of local laws applicable to Omnisend that prohibit return or deletion of the Customer’s Personal Data, Omnisend warrants that it will continue to ensure compliance with this DPA and will only process it to the extent and for as long as required under that local law. This is without prejudice to Section 14, the requirement for Omnisend under subsection 14.3. to notify the Customer throughout the duration of the Agreement if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under subsection 14.1.
4.7 Security of Processing
4.7.1. Customer acknowledges that the Security Measures are subject to technical progress and development and that Omnisend may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
4.7.2. Omnisend and, during transmission, also the Customer will implement appropriate technical and organizational measures to ensure the security of the Personal Data, including protection against a Personal Data Breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to that data. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of Processing of Customer Personal Data and the risks involved in the processing for the Data Subjects. The Parties shall consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the Personal Data to a specific Data Subject shall, where possible, remain under the exclusive control of the Customer. In complying with its obligations under this paragraph, Omnisend shall at least implement the technical and organizational measures specified in Annex I. Omnisend shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
4.7.3. Omnisend shall grant access to the Customer Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the Agreement. It shall ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.7.4. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Customer Personal Data uploaded to the Services.
4.8. Onward transfers
4.8.1 Omnisend undertakes only to disclose the Customer Personal Data to a third party on documented instructions from the Customer. In addition, the Customer Personal Data may only be disclosed to a third party located outside the European Union (in the same country as Omnisend or in another third country) (the “onward transfer”) if the third party is or agrees to be bound by this DPA, or if:
4.8.1.1. the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of the GDPR that covers the onward transfer;
4.8.1.2. the third Party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of the GDPR with respect to the processing in question;
4.8.1.3. the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
4.8.1.4. the onward transfer is necessary to protect the vital interests of the Data Subject or of another natural person.
4.9 Documentation and Compliance
4.9.1. Omnisend will promptly and adequately deal with enquiries from the Customer that relate to the processing under this DPA;
The Parties shall be able to demonstrate compliance with this DPA. In particular, Omnisend will keep appropriate documentation on the processing activities carried out on behalf of the Customer;
4.9.2. Omnisend shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and at the Customer’s request, allow for and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the Customer may consider relevant certifications held by Omnisend;
4.9.3. The Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of Omnisend and shall, where appropriate, be carried out with reasonable notice;
4.9.4. The Parties shall make the information referred to in subsections 4.9.2. and 4.9.3., including the results of any audits, available to the competent Supervisory Authority on request.
5. Obligations of the Customer
5.1. Customer agrees: (i) to comply with its obligations under the Data Protection Laws in the performance of its obligations under the Agreements and this DPA, including with respect to any Processing instructions it issues to Omnisend; (ii) to obtain all consents and rights necessary under the Data Protection Laws for Omnisend to Process Customer Personal Data in the manner contemplated by the DPA and the Agreement; and (iii) that it does not sell Customer Personal Data to Omnisend in connection with the Agreements or this DPA. Customer warrants to Omnisend that Customer’s instructions and actions with respect to the Customer Personal Data, including its appointment of Omnisend as a Processor, have been or will be authorized by the relevant Data Subject to the extent required under applicable law.
5.2. Customer warrants it is the sole Controller of Customer Personal Data, or (without limiting subsection 5.1(ii) above) has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by Omnisend as set out in this DPA. If there are other Controllers, Customer will identify and inform Omnisend of any such other Controllers prior to providing their Personal Data.
5.3. Omnisend shall process Customer Personal Data only as permitted under the Agreements, upon the express documented instructions of Customer (including as documented in this DPA, the Agreements, or through use of the Services), or to comply with applicable law. Customer shall ensure its instructions are lawful and Omnisend’s processing of Customer Personal Data in accordance with such instructions will not cause Omnisend to violate any applicable law, regulation, or rule, including the Data Protection Laws.
5.4. From time to time, Customer may provide additional instructions in writing to Omnisend about Processing of Customer Personal Data in accordance with the Data Protection Laws (such instructions, “Additional Instructions”). Any Additional Instructions must relate to Omnisend’s performance of the Services and both Parties must agree to it in writing. Subject to such mutual agreement, Omnisend shall comply with such Additional Instructions to the extent necessary for it to: (i) comply with its obligations as Processor of Customer Personal Data under the applicable Data Protection Laws; and (ii) reasonably assist Customer in complying with Customer’s obligations under the applicable Data Protection Laws.
6. Obligations of Omnisend
6.1. The Parties acknowledge and agree that Omnisend is the Processor of Customer Personal Data. If Omnisend believes an Additional Instruction infringes any of the applicable Data Protection Laws, it shall inform Customer without undue delay and may suspend Customer’s access to and use of the Services until Customer modifies or confirms the lawfulness of such additional instruction in writing. If Omnisend cannot process Customer Personal Data in accordance with the instructions due to applicable legal requirement, Omnisend will: (i) promptly notify Customer of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which Omnisend is able to comply. If this provision is invoked, Omnisend will not be liable to Customer under the Agreements for any failure to perform the Services until such time as Customer issues new instructions regarding the Processing of Customer Personal Data.
6.2. Omnisend shall take appropriate technical and organizational measures designed to adequately protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure and/or access. Such measures are designed to:
6.2.1. prevent unauthorized persons from gaining access to Processing systems;
6.2.2. prevent Processing systems from being used without authorization;
6.2.3. ensure persons entitled to use a Processing system gain access only to such Customer Personal Data as they are entitled to access in accordance with their access rights;
6.2.4. ensure Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Customer Personal Data by means of data transmission facilities can be established and verified;
6.2.5. establish an audit trail to document whether and by whom Customer Personal Data has been accessed,
6.2.6. ensure Customer Personal Data is Processed solely in accordance with Customer’s instructions, and/or;
6.2.7 ensure Customer Personal Data is protected against accidental destruction or loss.
6.3. Omnisend shall ensure any personnel whom Omnisend authorizes to process Customer Personal Data is subject to confidentiality obligations with respect to that Customer Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities. Omnisend will not disclose Customer Personal Data to any third party, unless authorized by Customer, required by law, or otherwise permitted under the Agreements. If a disclosure of Customer Personal Data is required by law, Omnisend will notify Customer prior to such disclosure, unless prohibited by law.
6.4. To the extent the required information is actually available to Omnisend and Customer does not otherwise have access to such information, Omnisend will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required by the Data Protection Laws, in each case solely in relation to Omnisend’s processing of Customer Personal Data.
7. Personal Data Breaches
7.1. If Omnisend becomes aware of a Personal Data Breach, Omnisend will, without undue delay: (i) notify Customer of the Personal Data Breach; and (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.
7.2. In the event of a Personal Data Breach, Omnisend shall provide Customer with all reasonable assistance in dealing with the Personal Data Breach, in relation to making any notification to a Supervisory Authority or any communication to a Data Subject. To provide such assistance, and considering the nature of the Services and the information available to Omnisend, the notification of the Personal Data Breach shall include, at a minimum, the following:
7.2.1. A description of the nature of the Personal Data Breach including the categories and approximate number of data records concerned;
7.2.2. The likely consequences of the Personal Data Breach;
7.2.3. The measures taken or to be taken by Omnisend to address the Personal Data Breach, including measures to mitigate any possible adverse consequences; and
7.2.4. Where, and insofar as, it is not possible for Omnisend to provide such information at the time of the notice, then such notice shall nevertheless be made, in as complete a form as possible, and the remaining required information may be provided by Omnisend, in phases and as it shall become available, without undue delay.
7.3. Customer agrees that:
7.3.1. Any Unsuccessful Data Breach shall not be subject to the obligations imposed on Omnisend under this Section. An “Unsuccessful Data Breach” occurs where there has been no unauthorized access to Customer’s Personal Data or to any Omnisend-controlled systems used to Process Customer’s Personal Data, which may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing or similar incidents; and
7.3.2. Omnisend’s obligation to report or respond to a Personal Data Breach under this Section is not and will not be construed as an acknowledgement by Omnisend of any fault or liability of Omnisend with respect to the Personal Data Breach.
8. Assistance with Data Subject Requests
8.1. To the extent Customer does not have the ability to address a Data Subject request, then upon Customer’s written request Omnisend shall provide reasonable assistance to Customer designed to facilitate such Data Subject request to the extent able and only as required by the applicable Data Protection Laws. Omnisend shall comply with the instructions from the Customer and shall assist the Customer in fulfilling its obligations to respond to Data Subjects’ requests for the exercise of their rights under the Data Protection Laws.
8.2. If a request from a Data Subject exercising their Data Subject rights is made directly to Omnisend, Omnisend will, to the extent permitted by applicable law, inform Customer thereof and will advise Data Subjects to submit their request to Customer. Customer shall be solely responsible for responding to any such Data Subject requests.
8.3. If a Data Subject brings a claim directly against Omnisend for a violation of its Data Subject rights, Customer will indemnify Omnisend for any cost, charge, damages, expenses, or loss arising from such a claim to the extent Omnisend has notified Customer about the claim and given Customer the opportunity to cooperate with Omnisend in the defense and settlement of the claim.
9.1. Omnisend shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a Data Subject.
9.2. In case of a dispute between a Data Subject and one of the Parties as regards compliance with this DPA, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
9.3. Where the Data Subject invokes a third-Party beneficiary right pursuant to this DPA, Omnisend shall accept the decision of the Data Subject to:
lodge a complaint with the Supervisory Authority in the Member State of his/her habitual residence or place of work, or the competent Supervisory Authority pursuant to this DPA;
refer the dispute to the competent courts within the meaning of this DPA.
9.4. The Parties accept that the Data Subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of the GDPR;
9.5. Omnisend shall abide by a decision that is binding under the applicable EU or Member State law.
9.6. Omnisend agrees that the choice made by the Data Subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
10.1. Omnisend will maintain all appropriate records of Processing carried out in respect of Customer Personal Data in accordance with this DPA as well as with the applicable Data Protection Laws (the “Records”). Omnisend shall, in accordance with the Data Protection Laws and in response to a reasonable, lawful written request by Customer, make available to Customer information in Omnisend’s possession or control related to Omnisend’s compliance with the Data Protection Laws in relation to its Processing of Customer Personal Data.
10.2. To the extent required pursuant to GDPR, Customer may, upon 30 days’ prior written request and no more than once per calendar year unless otherwise required by applicable law, during regular business hours, without interrupting Omnisend’s business operations, and subject to Omnisend’s onsite confidentiality and security procedures and policies, conduct an inspection of the relevant portions of the Records for the sole purposes of assessing Customer’s compliance with GDPR and assessing Omnisend’s compliance with its obligations under this DPA. Subject to Processor’s approval, which shall not be unreasonably withheld, the foregoing right may be exercised on Customer’s behalf by a qualified third-Party auditor. Access by any third-Party auditor shall be subject to such auditor’s agreement to confidentiality obligations no less restrictive than those set forth in the Agreements with respect to Confidential Information, provided that all such Records and information may be disclosed to Customer.
11.1. Customer acknowledges and agrees that Omnisend may engage Sub-Processors. Omnisend has Customer’s general authorisation for the engagement of Sub-Processor(s) from Annex III. Customer agrees Omnisend may continue to use those Sub-Processors already engaged by Omnisend as of the date this DPA applies to Customer.
11.2. Omnisend shall maintain an up-to-date list of its Sub-Processors, which is provided to Customer in Annex III. To the extent necessary to protect business secrets or other confidential information, including Personal Data, Omnisend may redact the text of the agreement prior to sharing a copy. Omnisend shall notify Customer if it adds or removes Sub-Processors at least 10 days prior to any such changes if Customer opts in to receive such notifications by subscribing here. Within such 10-day period, Customer can object to the addition of a proposed Sub-Processor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer’s objection shall be in writing and include Customer’s specific reasons for its objection and options to mitigate, if any. If Customer does not object within such 10-day period, the proposed Sub-Processor may be commissioned to Process Customer Personal Data. If Customer objects to the addition of a Sub-Processor in accordance with this subsection and Omnisend cannot reasonably accommodate Customer’s objection, Omnisend will notify Customer. Customer may terminate the affected Services by providing Omnisend with a written notice within one (1) month of Omnisend’s notice, which termination will not affect Customer’s obligation to pay amounts accrued to Omnisend prior to, and including, the effective termination date.
11.3. Omnisend shall: (i) enter into a written agreement with each Sub-Processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor; and (ii) remain fully responsible for such Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Omnisend to breach any of its obligations under this DPA. Omnisend shall notify the Customer of any failure by the Sub-Processor to fulfil its obligations under the DPA. Moreover, Omnisend shall provide, at the Customer’s request, a copy of such an agreement. To the extent necessary to protect business secrets or other confidential information, including Personal Data, Omnisend may redact the text of the agreement prior to sharing a copy.
11.4. Omnisend shall agree a third-party beneficiary clause with the Sub-Processor whereby – in the event Omnisend has factually disappeared, ceased to exist in law or has become insolvent – the Customer shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the Customer Personal Data.
12. Data Transfers
12.1. Where the performance of the Services involves a transfer of Customer Personal Data outside the EEA, Omnisend will take such steps as may be required to ensure there is adequate protection for such Customer Personal Data in accordance with the applicable Data Protection Laws, which may include entering the Standard Contractual Clauses. The Standard Contractual Clauses will apply to Customer Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the GDPR). The Standard Contractual Clauses will not apply to Customer Personal Data that is not transferred, either directly or via onward transfer, outside the EEA (in this case Sections 2, 9, 13, 14, 15 and subsections of this DPA shall not apply). By agreeing to this DPA, Customer is entering into the Standard Contractual Clauses with Omnisend. In addition, by agreeing to this DPA, Customer is entering into the Standard Contractual Clauses with Omnisend’s Sub-Processors which are established outside the EEA or in countries that are not considered by the European Commission as ensuring adequate protection of Personal Data.
12.2. If Customer notifies Omnisend in writing about another Controller and Omnisend does not object within thirty (30) days after Customer’s notification, Customer agrees on behalf of such other Controller(s), or if unable to agree, will procure agreement of such Controller(s), to be additional Data Exporter(s) of the Standard Contractual Clauses concluded between Omnisend and Customer. Customer agrees and, if applicable, procures the agreement of other Controllers that the Standard Contractual Clauses, including any claims arising from them, are subject to the terms set forth in the Agreements, including the exclusions and limitations of liability.
12.3. To the extent Customer and Omnisend are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently revoked or held in a court of competent jurisdiction to be invalid, Customer and Omnisend agree to cooperate in good faith to pursue a suitable alternate mechanism that can lawfully support the transfer.
13. Local Laws and Practices Affecting Compliance with the DPA
13.1. The Parties warrant that they have no reason to believe that the laws and practices in the country of destination applicable to the processing of the Personal Data by Omnisend, including any requirements to disclose Personal Data or measures authorizing access by public authorities, prevent Omnisend from fulfilling its obligations under this DPA. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Data Protection Laws, are not in contradiction with this DPA.
13.2. The Parties declare that in providing the warranty in subsection 13.1., they have taken due account of the following elements:
13.2.1. the specific circumstances of the processing and transfer, including the length of the processing chain, the number of actors involved, and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred Customer Personal Data; the economic sector in which the transfer occurs; the storage location of the data transferred;
13.2.2. the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
13.2.3. any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under this DPA, including measures applied during transmission and to the processing of the Customer Personal Data in the country of destination.
13.3. Omnisend warrants that, in carrying out the assessment under subsection 13.2., it has made its best efforts to provide the Customer with relevant information and agrees that it will continue to cooperate with the Customer in ensuring compliance with this DPA.
13.4. The Parties agree to document the assessment under subsection 13.2. and make it available to the competent Supervisory Authority on request.
13.5. Omnisend agrees to notify the Customer promptly if, after having agreed to this DPA and for the duration of the Agreement, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under subsection 13.1., including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in subsection 13.1.
13.6. Following a notification pursuant to subsection 13.5., or if the Customer otherwise has reason to believe that Omnisend can no longer fulfil its obligations under the DPA, the Customer shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the Customer and/or Omnisend to address the situation. The Customer shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent Supervisory Authority to do so. In this case, the Customer shall be entitled to terminate the Agreement, insofar as it concerns the processing of Personal Data under this DPA. When the Agreement is terminated pursuant to subsection, subsection 19.6. and 19.7. shall apply.
14. Obligations in Case of Access by Public Authorities
14.1. Omnisend agrees to notify the Customer and, where possible, the Data Subject promptly (if necessary, with the help of the Customer) if it:
14.1.1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of Personal Data transferred pursuant to this DPA; such notification shall include information about the Customer Personal Data requested, the requesting authority, the legal basis for the request and the response provided; or
14.1.2. becomes aware of any direct access by public authorities to Customer Personal Data transferred pursuant to this DPA in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
14.2. If Omnisend is prohibited from notifying the Customer and/or the Data Subject under the laws of the country of destination, Omnisend agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Omnisend agrees to document its best efforts to be able to demonstrate them on request of the Customer.
14.3. Where permissible under the laws of the country of destination, Omnisend agrees to provide the Customer, at regular intervals for the duration of the Agreement, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
14.4. Omnisend agrees to preserve the information pursuant to subsections 14.1. to 14.3. for the duration of the contract and make it available to the competent Supervisory Authority on request.
14.5. Subsections 14.1. to 14.3. are without prejudice to the obligation of Omnisend pursuant to subsection 13.5. and Section 18 to inform the Customer promptly where it is unable to comply with this DPA.
15. Review of Legality and Data Minimization
15.1. Omnisend agrees to review the legality of the request for disclosure, whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Omnisend shall, under the same conditions, pursue possibilities of appeal. When challenging a request, Omnisend shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of Omnisend under subsection 14.5.
15.2. Omnisend agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the Customer. It shall also make it available to the competent Supervisory Authority on request.
15.3. Omnisend agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
16.1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of this DPA.
16.2. Omnisend shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages Omnisend or its Sub-Processor causes the Data Subject by breaching the third-party beneficiary rights under this DPA.
16.3. Notwithstanding subsection 16.2., the Customer shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages the Customer or Omnisend (or its Sub-Processor) causes the Data Subject by breaching the third-party beneficiary rights under this DPA. This is without prejudice to the liability of the Customer.
16.4. The Parties agree that if the Customer is held liable under subsection 16.3. for damages caused by Omnisend (or its Sub-Processor), it shall be entitled to claim back from Omnisend that part of the compensation corresponding to Omnisend’s responsibility for the damage.
16.5. Where more than one Party is responsible for any damage caused to the Data Subject because of a breach of this DPA, all responsible Parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these Parties.
16.6. The Parties agree that if one Party is held liable under subsection 16.5., it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
16.7. Omnisend may not invoke the conduct of a Sub-Processor to avoid its own liability.
17. Governing Law, Jurisdiction, Dispute Resolution and Competent Supervisory Authority
17.1. This DPA shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Lithuania.
17.2. Any dispute arising from this DPA shall be resolved by the courts of an EU Member State and the Parties agree that those shall be the courts of the Republic of Lithuania.
17.3. A Data Subject may also bring legal proceedings against the Customer and/or Omnisend before the courts of the Member State in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.
17.4. The competent Supervisory Authority shall be the State Data Protection Inspectorate of the Republic of Lithuania.
17.5. Omnisend agrees to submit itself to the jurisdiction of and cooperate with the competent Supervisory Authority in any procedures aimed at ensuring compliance with this DPA. In particular, Omnisend agrees to respond to enquiries, submit to audits and comply with the measures adopted by the Supervisory Authority, including remedial and compensatory measures. It shall provide the Supervisory Authority with written confirmation that the necessary actions have been taken.
18. General Provisions and Termination
18.1. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
18.2. Customer will make a written request for any assistance referred to in this DPA. Omnisend will charge Customer no more than a reasonable charge to perform such assistance or Additional Instructions, such charge to be set forth in a quote and agreed in writing by the Parties.
18.3. Omnisend shall promptly inform the Customer if it is unable to comply with this DPA, for whatever reason.
18.4. If Omnisend is in breach of this DPA or unable to comply with this DPA, the Customer shall suspend the transfer of Customer Personal Data to Omnisend until compliance is again ensured or the Agreement is terminated. This is without prejudice to subsection 13.6.
18.5. The Customer shall be entitled to terminate the Agreement, insofar as it concerns the processing of Personal Data under this DPA, where:
18.5.1. the Customer has suspended the transfer of Customer Personal Data to Omnisend pursuant to subsection 18.4. and compliance with this DPA is not restored within a reasonable time and in any event within one month of suspension;
18.5.2. Omnisend is in substantial or persistent breach of this DPA; or
18.5.3. Omnisend fails to comply with a binding decision of a competent court or Supervisory Authority regarding its obligations under this DPA.
18.6. Omnisend shall certify the deletion of the data to the Customer. Until the data is deleted or returned, Omnisend shall continue to ensure compliance with this DPA. In case of local laws applicable to Omnisend that prohibit the return or deletion of the transferred Customer Personal Data, Omnisend warrants that it will continue to ensure compliance with this DPA and will only process the data to the extent and for as long as required under that local law. If Omnisend is unable to delete Customer Personal Data for technical or other reasons, Omnisend will apply measures to ensure such Customer Personal Data is blocked from any further Processing. Customer may delete certain Customer Personal Data using built-in functionalities of the Services.
19.1. Annex I – “Security Measures”. This annex is available, as amended from time to time, upon request.
19.2. Annex II – “Jurisdiction-Specific Terms”. To the extent Omnisend Processes Customer Personal Data originating from and protected by the Data Protection Laws in one of the jurisdictions listed in Annex II, which may be updated from time to time, then the terms specified in Annex II with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to the data in question.
19.3. Annex III – “List Of Sub-Processors”. This annex is available, as amended from time to time, upon request.
ANNEX I TO THE DPA
This document constitutes the Security Measures annex (the “Security Annex”) of the DPA. The Security Annex is stated at a relatively high level and Customer recognizes that the Security Annex may be revised by Omnisend from time to time. All terms used and not otherwise defined herein, shall have the meanings ascribed to them in the DPA.
1. HUMAN RESOURCES SECURITY
Omnisend has implemented and maintains appropriate measures to ensure that authorized employees involved in the processing of Customer Personal Data are authorized with a need to access the data, are bound by appropriate confidentiality obligations, and have undergone appropriate training in the protection and handling of Customer Personal Data. Omnisend employees operate primarily “in the cloud” and treat local storage on computing devices as ephemeral.
Omnisend ensures that access to Customer Personal Data is revoked immediately upon termination or when access is no longer required for personnel involved in the processing of Customer Personal Data.
Policies and procedures, and supporting business processes, are in place for maintaining a safe and secure working environment in Omnisend’s offices and controlling physical access, including access provisioning.
The Services rely on the Google Cloud Platform, which is responsible for implementing controls for physical security of data center facilities, backup media, and other physical systems, providing comprehensive and state-of-the-art security capabilities (available at https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf).
Omnisend has implemented and maintains access control processes and mechanisms to prevent unauthorized access to Customer Personal Data and to limit access only to authorized employees with a business need to know.
Upon termination of personnel, whether voluntary or involuntary, the security team will follow Omnisend’s personnel exit procedure, which includes revocation of the associated user account and reclamation of company-owned devices, office keys or access cards, and all other corporate equipment and property prior to the final day of employment.
EVENT LOGGING AND MONITORING
Log files and audit trails will be maintained (for as long as required under applicable law) and regularly reviewed to detect and respond to events concerning activities on the Services.
The Services rely on the Google Cloud Platform, which is responsible for implementing data center network security, providing comprehensive and state-of-the-art security capabilities (available at https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf).
Omnisend ensures that firewalls, network routers, switches, load balancers, domain name servers, mail servers, and other network components of the network infrastructures under its control and management responsibility are configured and secured in accordance with commercially reasonable industry standards.
Omnisend has implemented and maintains remote access policies and procedures that meet industry standards for Omnisend personnel who require remote access to a network or system that protects, processes or stores Customer Personal Data.
PROTECTION FROM DATA LOSS, CORRUPTION
All databases are kept separate and dedicated. Omnisend has implemented logic that segregates user accounts from each other.
Omnisend relies on the Google Cloud Platform for data destruction and can only perform logical deletion. Deleted Customer Personal Data is rendered unreadable or disabled by the Google Cloud Platform and the underlying storage areas on the Google Cloud Platform network that were used to store the content are wiped, prior to being reclaimed and overwritten, in accordance with the Google Cloud Platform standard policies and deletion timelines available at: https://cloud.google.com/security/deletion.
BUSINESS CONTINUITY AND DISASTER RECOVERY
Omnisend Services hosted in the Google Cloud Platform shall be configured in such a manner to withstand long-term outages to a Google Cloud Platform Availability Zone. Controls such as automated replication may be used to achieve this desired level of availability.
ANNEX II TO THE DPA
State of California (US)
1.1. As it relates to the DPA, each of the following defined terms shall be further interpreted to include certain terms as they are defined under the CCPA:
1.1.1. “Controller” shall include “Business”;
1.1.2. “Processor” shall include “Service Provider”;
1.1.3. “Data Subject” shall include “Consumer”; and
1.1.4. “Personal Data” shall include “Personal Information”.
2.1. Omnisend shall provide the Services and process Customer Personal Data in accordance with the Agreements. Omnisend certifies that it shall not Process, retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreements.
2.2. Omnisend is expressly prohibited from: (i) Selling (as defined in the CCPA) Customer Personal Data; (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Services, and (iii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between Omnisend and the Customer.
2.3. Notwithstanding the restrictions contained in subsection 2.2, Customer agrees that Omnisend may engage other Service Providers, to assist in providing the Services to the Customer. If Customer authorizes any subcontractor, service provider, or third Party to process Customer Personal Data made available by Customer, Omnisend shall enter contractual provisions so that such subcontractor, service provider, or third Party is a “Service Provider” (as defined under the CCPA) and not a “Third-Party” (as defined under the CCPA).
2.4. Omnisend hereby certifies that it understands and is willing to abide by the restrictions in CCPA § 1798.140(w)(2)(A).
2.5. Omnisend shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect any Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure.
3. Consumer Rights
3.1. Omnisend shall provide all reasonable assistance to Customer in facilitating compliance with Consumer rights requests.
3.2. If Omnisend, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under the CCPA in relation to that Consumer’s Customer Personal Data, it will promptly provide a copy of the request to Customer.
3.3. Upon duly received direction by Customer, and within a commercially reasonable amount of time, Omnisend shall delete the Personal Information.
3.4. Omnisend shall not be required to delete any Customer Personal Data to comply with a Consumer’s request directed by Customer if it is necessary to maintain such information in accordance with CCPA § 1798.105(d), in which case Omnisend shall promptly inform Customer of the exceptions relied upon under CCPA § 1798.105(d) and Omnisend shall not use the Customer Personal Data retained for any other purpose than provided for by that exception.
4. Changes in the Law
4.1. If any variation is required to this Annex because of a change in the CCPA, then either Party may provide written notice to the other Party of that change, and the same will be considered effective upon the legally effective date of such change to the CCPA. The Parties will discuss and negotiate, in good faith, any necessary variations to this Annex to address such changes.
5.1. Should any provision of this Annex be invalid or unenforceable, then the remainder of this Annex shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, (ii) if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
1. Third Parties
1.1. Omnisend takes steps to ensure that Omnisend’s Sub-Processors, as described in Section 8 of the DPA, are third Parties under PIPEDA, with whom Omnisend has entered into a written contract that includes terms substantially similar to this DPA. Omnisend conducts appropriate due diligence on its Sub-Processors.
2.1. Omnisend will implement technical and organizational measures as set forth in Section 10 of the DPA.
ANNEX III TO THE DPA
List Of Sub-Processors
Omnisend has authorized the use of the following Sub-Processors:
|Asana Inc||United States; 633 Folsom Street, Suite 100 San Francisco, CA 94107||Project management tool|
|Bandwidth Inc||United States; 900 Main Campus Drive, Suite 100, Raleigh, North Carolina 27606||Sending SMS (+MMS) in the USA and Canada market|
|Shopify Inc.||Canada; 151 O’Connor Street Ground floor, Ottawa, ON K2P 2L8||Ecommerce platform; Syncing information with connected stores|
|ChartMogul CMTDE GmbH & Co. KG||Germany; Kemperplatz 1, Berlin 10785||Tool to model and analyse our recurring revenue|
|Churn Buster LLC||United States; 237 A Street #74803 San Diego, California 92101||Automated attempts to resolve failed payments|
|Confluent, Inc.||United States; 899 West Evelyn Mountain View, CA 94041||Storage of customer data events|
|Dovetail Research Pty Ltd||Australia; Level 1, 276 Devonshire Street Surry Hills New South Wales 2010||User research qualitative data analysis tool|
|NomNom Insights Ltd t/a EnjoyHQ||United Kingdom; 9th Floor, 107 Cheapside, London, England EC2V 6DN||Collect and analyze support conversation from Intercom|
|Evernote GmbH||Switzerland; Centralis Switzerland GmbH Dufourstrasse 101 8008 Zürich||Note collaboration tool within team|
|Meta Platforms Ireland Limited||Ireland; 4 Grand Canal Square Grand Canal Harbour Dublin 2||User support channel, marketing channel|
|Fullstory Inc||United States; 1745 Peachtree St. NW Ste G, Atlanta, GA 30309||Analyze user session recordings on how they behave with our product|
|Google Cloud EMEA Limited||Ireland; Velasco Clanwilliam Place Dublin 2||Cloud, identity, corporate email, office suite and website traffic analysis provider|
|Carry Technologies, Inc. dba Hightouch||United States; 2211 Mission St. Unit B San Francisco, CA 94110||Sync information about our customers from our BI platform into other tools|
|HubSpot, Inc||United States; 25 First Street, 2nd Floor Cambridge, MA 02141||Customer relationship management software with marketing automation and sales tools|
|Hull Inc.||United States; 1449 Peachtree St NE #620 Atlanta GA, 30309||Sync information about our customers from our BI platform into other tools|
|Intercom R&D Unlimited Company||Ireland; 18-21 St. Stephen’s Green Dublin 2||Customer support chat, communication via email, and knowledge base|
|Litmus Software, Inc.||United States; 675 Massachusetts Avenue, 10th Floor Cambridge, MA 02139||Email template testing used by Tech Support team|
|Loom, Inc.||United States; 1700 Van Ness #1015 San Francisco, California 94109||Short explanatory video recording software|
|Mailgun Inc||United States; 112 E Pecan St. #1135 San Antonio, TX 78205||To send and receive email|
|MIXPANEL, INC||United States; One Front Street, 28th Floor San Francisco, CA 94111||Tool to analyse how our users engage with Omnisend app.|
|Otter.ai, Inc.||United States; 800 W El Camino Real, Suite 170, Mountain View, CA 94040||AI voice to text transcription service, to auto transcribe user research interviews|
|PartnerStack Inc||Canada; 129 Spadina Ave. #502, Toronto, ON M5V 2L3||Store partner referrals and pay out partner revenue share|
|Payoneer Europe Limited||Ireland; 6th floor, 2 Grand Canal Square Dublin 2, D02 A342||Money transfers|
|Planhat AB||Sweden; Regeringsgatan 29 111 53, Stockholm||Customer management platform|
|Intuit Inc||United States; 2700 Coast Avenue Mountain View, CA||Accounting software|
|Slack Technologies Limited||Ireland; 4th Floor, One Park Place Hatch Street Upper Dublin 2||Communication tool|
|Stripe Payments Europe Limited||Ireland; 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210||Collecting payments|
|Twitter International Company||Ireland; One Cumberland Place, Fenian Street Dublin 2, D02 AX07||User support channel, marketing channel|
|TYPEFORM S.L.||Spain; Bac de Roda, 163 BARCELONA 08018||Online surveys|
|SIA VERTEX LV||Latvia; Mihoelsa street 66-10, Daugavpils, LV-5401||SMS sending provider to most countries except US and CA|
|Atlassian Pty Ltd||Australia; Level 6, 341 George St, Sydney NSW 2000||Development management tool|