RIVA DATA PROCESSING AND GDPR ADDENDUM
THIS DATA PROCESSING ADDENDUM (the “Addendum”) is made by and between Riva International, Inc. (“Licensor”) and (“Licensee”) and is incorporated into the TERMS AND CONDITIONS OF USE Agreement (“Agreement”) between the Licensor and Licensee.
By signing this Addendum, Licensee enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
This Addendum applies in respect of the Processing of Licensee Personal Data (as defined below) by the Licensor on behalf of the Licensee in connection with the provision of the Web Services or Licensed Software to the Licensee as set out in the Agreement. This Addendum shall be effective for the term of the Agreement.
This Addendum shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Licensee and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this Addendum.
“Licensee Personal Data” means the Personal Data described under Section 2 of this Appendix, in respect of which the Licensee is the Controller;
“Controller” has the meaning given in the GDPR;
“Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
“Data Subject” has the meaning given in the GDPR;
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Personal Data”, “Personal Data Breach”, “Process”, “Processing,” “Processor” each have the meaning given in the GDPR.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. DETAILS OF THE PROCESSING
- Categories of Data Subjects. This Appendix applies to the Processing by the Licensor of Licensee Personal Data (described under Section 2.2) relating to the following Data Subjects: prospects, clients, customers, business contacts and other contacts included within the Licensee’s Exchange email system and Processed by the Software.
- 2.2 Types of Personal Data. Licensee Personal Data includes contact information and data included within the Licensee’s email and CRM systems and Processed by the Software, including names, e-mail addresses, business or account information, tasks, appointments and related information, as designated by Licensee.
- Subject-Matter, Purpose and Nature of the Processing. Licensee Personal Data will be processed and synchronized by the Software as set out in the Agreement.
- Duration of the processing. Licensee Personal Data will be processed for the duration of the Agreement until return or deletion of Licensee Personal Data as instructed by the Licensee under the Agreement and this Appendix.
3. PROCESSING OF LICENSEE PERSONAL DATA
- The parties acknowledge and agree that Licensee is the Controller of Licensee Personal Data and the Licensor is the Processor of that data. Furthermore, Licensee controls the location of target system end-points as defined by the location of the email server and CRM systems with which the Software communicates. Licensee agrees that Licensor shall process data as per the Licensee configured end-point locations, irrespective of the end-points’ geographic location. Licensee further agrees that it has sole control over the end-user consumption of processed data whether said data is processed through an email client or web browser. Licensor shall only Process Licensee Personal Data on behalf of and in accordance with the Licensee’s prior written instructions (including as set out in this Appendix and the Agreement) and for no other purpose. Licensor is hereby instructed to Process Licensee Personal Data to the extent necessary to enable the Licensor to provide the Software in accordance with the Agreement. In case the Processing is required by the Data Protection Legislation to which the Licensor is subject, the Licensor shall promptly (i) notify the Licensee of that legal requirement and/or of the inability to comply with any instructions before the relevant Processing, to the extent permitted by the Data Protection Legislation; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Licensee Personal Data) until such time as the Licensee issues new instructions.
- Licensor shall not transfer Licensee Personal Data outside the specified region, except as defined in 3.1 above.
- The Licensor shall ensure that any person authorized to Process Licensee Personal Data is subject to confidentiality obligations in respect of that Licensee Personal Data.
5. SECURITY MEASURES
- Licensor shall implement and maintain throughout the term of the Appendix at all times in accordance with then current good industry practice, technical and organizational measures to protect against unauthorized or unlawful Processing of, or accidental loss, destruction, or damage to, Licensee Personal Data. On request, Licensor shall provide the Licensee with a detailed written description of the security measures being taken.
- Licensor shall provide the Licensee with assistance necessary for the fulfilment of the Licensee’s obligation to keep Licensee Personal Data secure.
- Licensor shall only engage a sub-contractor in accordance with prior notification being sent to Licensee. Prior to allowing a sub-contractor authorized in accordance with this Section to Process any Licensee Personal Data, Licensor shall enter into a binding written agreement with the sub-contractor that imposes on the sub-contractor the same obligations that apply to the Licensor under this Appendix. Licensor remains fully liable to the Licensee for any acts or omissions of any sub-contractors as if such acts and omissions were conducted by Licensor.
- Licensor shall immediately notify the Licensee of any request or complaint that Licensor receives from Data Subjects or from applicable data protection or similar authorities regarding Licensee Personal Data. Licensor shall ensure that Licensor does not respond to any such requests except on the written instructions of the Licensee.
- Licensor shall provide all assistance required by Licensee in order for Licensee to ensure compliance with Licensee’s obligations under the Data Protection Legislation, including to:
- enable Licensee to respond to (i) any request from Data Subjects to exercise any of their rights under the Data Protection Legislation, (ii) address any other requests or complaints received by Licensee from Data Subjects or from data protection or other competent authorities;
- facilitate the Licensee to conduct (i) a Data Protection Impact Assessment if the Licensee is required to do so under the Data Protection Legislation and (ii) consultation with Data Protection Authorities, if the Licensee is required to engage in consultation under the Data Protection Legislation in relation to Processing of Licensee Personal Data.
8. PERSONAL DATA BREACHES
- Licensor shall promptly notify the Licensee and in any event no later than two business days after it becomes aware of any Personal Data Breach affecting any Licensee Personal Data. Licensor shall (i) provide Licensee with a detailed description of the Personal Data Breach and the type of Licensee Personal Data concerned, (ii) take such actions as may be necessary or required by Licensee to minimize the effects of the Personal Data Breach, (iii) provide all such timely information and cooperation as Licensee may require in order for Licensee to meet any obligations to report or inform Data Subjects or the relevant Data Protection Authorities of the Personal Data Breach under the Data Protection Legislation.
9. RETURN OR DELETION OF LICENSEE PERSONAL DATA
- Licensor shall, at the Licensee’s choice, delete or return Licensee Personal Data to the Licensee after the end of the provision of Services, and delete existing copies unless European Union or Member State law requires storage of the data.
- Licensor shall make available to the Licensee all information necessary to demonstrate compliance with the obligations laid down in this Appendix and allow for and contribute to audits, including inspections, conducted by the Licensee or an auditor mandated by the Licensee. Licensor shall immediately inform the Licensee if, in its opinion, an instruction infringes the Data Protection Legislation.
11. LICENSEE DATA
- Use of the Software may depend on Licensee’s transmission of certain data (“Data”). Licensee retains all rights and ownership in Data. Licensor does not claim any ownership rights to Licensee’s Data. Licensee represents and warrants that Licensee has the necessary rights and licenses required to provide Licensee Data to Licensor in connection with Licensee’s use of the Software and that by providing Licensee Data in this manner, Licensee will not violate any intellectual property rights of third parties, confidential relationships, contractual obligations or laws. Without limiting the generality of the foregoing, Licensee shall provide all notices to, and obtain any consents from, any data subject as required by any applicable law, rule or regulation in connection with the processing of any personally identifiable information of such data subjects via the internet or any other network by Licensor and/or Licensee. Licensee shall be solely responsible for ensuring that any processing of Licensee Data by Licensor and/or Licensee via the internet or other communication service does not violate any applicable laws. Licensee shall not process or submit to the Software any Licensee Data that includes any: (i) “personal health information,” as defined under the Health Insurance Portability and Accountability Act, unless it enters into a separate agreement with Licensor relating to the processing of such data; (ii) government issued identification numbers, including Social Security and Social Insurance numbers, driver’s license numbers and other government-issued identification numbers; (iii) financial account information, including bank account numbers; (iv) payment card data, including credit card or debit card numbers; or (v) “sensitive” personal data, as defined under Directive 95/46/EC of the European Parliament (“EU Directive”) and any national laws adopted pursuant to the EU Directive, about residents of Switzerland and any member country of the European Union, including racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, or the commission or alleged commission of any crime or offense.
- User Option to Encrypt. Licensor provides Licensee with the option to encrypt the transmission of Licensee Data. Licensee acknowledges that it is Licensee’s responsibility to encrypt the transmission of Licensee Data should Licensee wish to protect it. In the event Licensee decides not to utilize encryption and transmit Licensee Data unencrypted over a network, Licensee assumes all related risks for doing so. Licensor will not be liable for any liabilities arising from Licensee’s use of the Web Services (including Licensee’s transmission of Licensee Data) over the internet or other network.
- For non-EMEA clients, Licensor processes Licensee Data and provides Services from the United States and Canada. By using and accessing the Service, Licensee understands and agrees to the storage and processing in this region of Licensee Data and any other information Licensee chooses to provide. Licensor reserves the right to store and process Licensee Data and any other information Licensee chooses to provide outside of the United States and will endeavor to give Licensee 30 days’ notice in the event of such a change.
- In the event of a data privacy breach, as stipulated in Section 8, Licensor shall provide notices to Licensee’s specified Data Privacy Officer (“DPO”). Contact information for Licensee’s DPO is as follows:
- Notices, inquiries or requests from Licensee to Licensor can be initiated by e-mailing firstname.lastname@example.org
13. CONFLICTING PROVISIONS AND ORDER OF PRECEDENCE.
- The provisions of the Addendum shall take precedence over any previous agreements or conflicting provision in any pre-printed terms and conditions contained on the reverse of any Purchase Order issued by Licensee, on web sites or elsewhere in connection with the licensing of the Web Services or Licensed Software. The provisions of the Addendum shall take precedence over any shrink-wrap, click-wrap, browse-wrap or similar license which is made applicable by acceptance on the internet or by incorporation in the Web Services or Licensed Software, Licensor’s proposal, or other similar means.