Data Processing Addendum

Last Updated: September 27, 2021

If you are a business customer and need to request an executable copy of this Data Processing Addendum or the Standard Contractual Clauses, please email compliance@kustomer.com and include the name of your company, the name and title of the authorized representative who will execute this Addendum on your company’s behalf and his or her email address. We will then follow up directly with that individual, after confirming your account, with a copy of this Addendum or Standard Contractual Clauses in PDF format for execution.

THIS DATA PROCESSING ADDENDUM (“ADDENDUM”) APPLIES TO THE EXTENT KUSTOMER, INC. (“KUSTOMER”) IS A “PROCESSOR” (DEFINED BELOW) OF PERSONAL DATA (DEFINED BELOW) THAT IS SUBJECT TO APPLICABLE DATA PROTECTION LAWS (DEFINED BELOW) IN CONNECTION WITH ITS PROVISION OF SERVICES TO THE ENTITY YOU REPRESENT (“CLIENT”). YOU AGREE THAT YOU HAVE READ AND ACCEPT THE TERMS IN THIS ADDENDUM, WHICH SUPPLEMENT KUSTOMER’S MASTER OR PASS THROUGH SUBSCRIPTION AGREEMENT AVAILABLE AT HTTPS://WWW.KUSTOMER.COM/LEGAL/ OR, IF APPLICABLE, THE SUBSCRIPTION AGREEMENT EXECUTED BY CLIENT AND KUSTOMER FOR THE PROVISION OF SERVICES (“AGREEMENT”) TO WHICH THIS ADDENDUM IS ATTACHED OR INCORPORATED BY REFERENCE. IF YOU ARE ACCESSING THE SERVICES ON BEHALF OF YOUR EMPLOYER, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO AGREE TO THESE TERMS ON ITS BEHALF AND THE RIGHT TO BIND YOUR EMPLOYER THERETO. FOR THE AVOIDANCE OF DOUBT, THIS ADDENDUM IS NOT VALID OR LEGALLY BINDING IF THERE IS NO AGREEMENT IN PLACE BETWEEN CLIENT AND KUSTOMER.

 

  1. Definitions

1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2 “Anonymous Data” means (i) for the purpose of EU & UK Data Protection Law, Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person; or (ii) “Aggregate consumer information” or “Deidentified personal information” as those terms are defined in § 1798.140 of the Cal. Civ. Code.

1.3 “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement. With respect to Personal Data from Europe, “Applicable Data Protection Laws” shall include, but not be limited to, the EU & UK Data Protection Law. With respect to Personal Data from California residents, “Applicable Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §§ 1798.100-1798.199).

1.4 “Authorized Employee” means an employee of Kustomer who has a need to know or otherwise access Personal Data to enable Kustomer to perform its obligations under this Addendum or the Agreement.

1.5 “Authorized Individual” means an Authorized Employee or Authorized Subprocessor.

1.6 “Authorized Subprocessor” means Kustomer’s Affiliates and a third-party subcontractor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Kustomer to perform its obligations under this Addendum or the Agreement.

1.7 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. With respect to Personal Data from California residents, Controller shall include the term “Business” according to the meaning given to that term in § 1798.140 of the Cal. Civ. Code.

1.8 “Data Subject” means (i) an identified or identifiable natural person to whom Personal Data relates and who is in the EEA, UK or Switzerland or whose rights are protected by the EU & UK Data Protection Law; or (ii) a “Consumer” as the term is defined in § 1798.140 of the Cal. Civ. Code.

1.9 “EEA” means the European Economic Area.

1.10 “EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the United Kingdom’s Data Protection Act 2018 (“UK DPA”); the UK General Data Protection Regulation as defined by the UK DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the UK DPA, the “UK GDPR”); and the Privacy and Electronic Communications Regulations 2003; and any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

1.11 “EU Transfer Clauses” means the Standard Contractual Clauses approved by EC Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) and Module 3 (Processor to Processor), as may be amended, updated or replaced from time to time, for the transfer of personal data from the European Economic Area (“EEA”) to a third country.

1.12 “Instruction” means a direction, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Client to Kustomer and directing Kustomer to Process Personal Data.

1.13 “Personal Data” or “Personal Information” means any information made available to Kustomer in connection with the Services that constitutes “personal information”, “personally identifiable information”, “personal data” or similar information governed by Applicable Data Protection Laws and shall have the meaning assigned to such terms, as applicable, under the Applicable Data Protection Laws, including such information relating to Data Subject which Kustomer Processes on behalf of Client other than Anonymous Data.

1.14 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Kustomer’s possession, custody or control.

1.15 “Privacy Shield Framework” means the EU-US and/or Swiss-US Privacy Shield self-certification program operated by the US Department of Commerce, or any equivalent legal framework that may apply between the United Kingdom and the United States.

1.16 “Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

1.17 “Processor” means the entity which Processes Personal Data on behalf of the Controller. With respect to Personal Data from California residents, Processor shall include the term “Service provider” according to the meaning given to that term in Section 1798.140 of the Cal. Civ. Code.

1.18 “Security and Privacy Documentation” means the Security and Privacy Documentation applicable to the specific Services purchased by Client, as updated from time to time, and accessible via https://www.kustomer.com/security/.

1.19 “Services” shall have the meaning set forth in the Agreement.

1.20 “Standard Contractual Clauses” means EU Transfer Clauses and the UK Transfer Clauses, provided that their Appendices and Annexes are set forth in Schedule 2 to this Addendum.

1.21 “Supervisory Authority” means an independent public authority which is established by a member state of the EEA, Switzerland, United Kingdom, or any other governmental authority or body which has jurisdiction over the compliance and enforcement of Applicable Data Protection Laws.

1.22 “Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.

1.23 “Third-Party Services” means connections and/or links to third party websites and/or services that Kustomer enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks, and for which Client has entered into an agreement(s) directly with such third party websites and/or services with respect to the Processing of Personal Data.

1.24 “UK Transfer Clauses” means the Standard Contractual Clauses approved by EC Commission Decision of 5 February 2010, or any equivalent clauses issued by the relevant competent authority of the UK, as may be amended from time to time, for the transfer of personal data from the UK to a third country.

  2. Processing of Data

2.1 The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Controller, Kustomer is the Processor and that Kustomer will engage Authorized Subprocessors pursuant to the requirements set forth in Section 4 below. Client understands that to the extent Third-Party Services are accessed, Client serves as the Controller and the Third-Party Services are Processors, and the Third-Party Services are not Authorized Subprocessors of Kustomer.

2.2 The rights and obligations of the Client with respect to this Processing are described herein. Client shall, in its use of the Services, at all times Process Personal Data, and provide Instructions for the Processing of Personal Data, in compliance with Applicable Data Protection Laws. Client shall ensure that its Instructions comply with all Applicable Data Protection Laws in relation to the Personal Data, and that the Processing of Personal Data in accordance with Client’s Instructions will not cause Kustomer to be in breach of Applicable Data Protection Laws. Client is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Kustomer by or on behalf of Client, (ii) the means by which Client acquired any such Personal Data, and (iii) the Instructions it provides to Kustomer regarding the Processing of such Personal Data. Client shall not provide or make available to Kustomer any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Kustomer from all claims and losses in connection therewith.

2.3 Kustomer shall Process Personal Data only (i) for the purposes set forth in the Agreement and applicable Order (as defined in the Agreement), (ii) in accordance with the terms and conditions set forth in this Addendum and any other Instructions provided by Client, and (iii) in compliance with Applicable Data Protection Laws. Client hereby instructs Kustomer to Process Personal Data in accordance with the foregoing purposes and as part of any Processing initiated by Client in its use of the Services and documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement. Client also instructs Kustomer to use, and to process Personal Data for the purpose of using, its artificial intelligence (AI) and machine learning (ML) powered features to provide the Services, including to better understand the nature of communications received by the Client in order to more accurately and efficiently allow Client to respond to its customers, and further instructs Kustomer, where necessary, to deidentify or anonymize Personal Data to train the AI and ML features of the Services as part of the Processing.

2.4 The subject matter, nature, purpose, and duration of Kustomer’s Processing of Personal Data under the Agreement and this Addendum, including the types of Personal Data collected and categories of Data Subjects, are described in Schedule 1 to this Addendum.

2.5 Following completion of the Services, at Client’s choice, Kustomer shall return or delete the Personal Data as soon as reasonably practicable, except as required to be retained by Applicable Data Protection Laws.

  3. Authorized Employees

3.1 Kustomer shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.

3.2 Kustomer shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Kustomer, any Personal Data except in accordance with their obligations in connection with the Services.

3.3 Kustomer shall take commercially reasonable steps to limit access to Personal Data to only Authorized Individuals.

  4. Authorized Subprocessors

4.1 Client acknowledges and agrees that Kustomer may (1) engage the Authorized Subprocessors listed on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ to access and Process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.

4.2 Kustomer shall notify Client before engaging any third party other than Authorized Subprocessors to access or participate in the Processing of Personal Data by updating the current list of Authorized Subprocessors available on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ as well as providing a mechanism to subscribe by email to notifications of new Authorized Subprocessors, and if Client subscribes, Kustomer shall provide email notification to Client of a new Authorized Subprocessor before authorizing any new Authorized Subprocessor to Process Personal Data in connection with the provision of the Services.

4.3 Kustomer shall, by way of contract or other legal act under applicable law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Subprocessor is subject to data protection obligations regarding the Processing of Personal Data that are no less protective than those in this Addendum to the extent applicable to the nature of the services provided by such Authorized Subprocessor. Kustomer conducts appropriate due diligence on its Authorized Subprocessors.

4.4 Client may object to Kustomer’s use of a new subprocessor by emailing compliance@kustomer.com within fifteen (15) days after receipt of Kustomer’s notice in accordance with the mechanism set out in Section 4.2, provided such objection is based on reasonable grounds that the new subprocessor does not or cannot comply with the requirements set forth in this Addendum (each, an “Objection”). In such event, the parties agree to discuss commercially reasonable alternative solutions in good faith to address the Objection, which may include finding a reasonable work around or the parties mutually agreeing to terminate the Agreement and affected Orders without further liability to either party.

4.5 Kustomer shall be liable to Client for the acts and omissions of Authorized Subprocessors to the same extent that Kustomer would itself be liable under this Addendum had it conducted such acts or omissions.

  5. Security of Personal Data

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kustomer shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), as set forth in the Security and Privacy Documentation. Kustomer regularly monitors compliance with these measures.

  6. Transfers of Personal Data

6.1 Any transfer of Personal Data made subject to this Addendum from member states of the EEA, Switzerland or the United Kingdom to the United States or any other country which does not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws of the foregoing countries (collectively, “Transferred Personal Data”) shall, to the extent such Transferred Personal Data is subject to such Applicable Data Protection Laws, be undertaken by Kustomer in accordance with (a) the Standard Contractual Clauses, or (b) an alternative recognised compliance standard, including any new version of, or successor to, the Standard Contractual Clauses or Privacy Shield Framework adopted pursuant to Applicable Data Protection Laws (where Kustomer has adopted such alternative recognised compliance standard) (“Alternative Transfer Solution”).

6.2 This Addendum hereby incorporates by reference the EU Transfer Clauses and the UK Transfer Clauses. For the avoidance of doubt, Client’s signature to this Addendum or the Agreement shall be deemed to constitute signature and acceptance of both sets of Standard Contractual Clauses incorporated herein, including their appendices and annexes set forth on Schedule 2 hereto. The parties agree that (i) purely for the purposes of the descriptions in the EU Transfer Clauses and the UK Transfer Clauses, Kustomer shall comply with the “data importer” obligations and Client shall comply with the “data exporter” obligations in the Standard Contractual Clauses (notwithstanding that Client may be located outside Europe and/or Client may be acting as a processor on behalf of third party controllers); (ii) with respect to subprocessing, Kustomer may commission Authorized Subprocessors, in accordance with Section 4 of this Addendum, to process the Client’s Personal Data in a Third Country, in which case Kustomer shall execute the Processor to Processor Clauses, if applicable and available, with any relevant subcontractor (including affiliates) it appoints on behalf of the Client, and if the Processor to Processor Clauses are not applicable and available, the Client grants Kustomer a mandate to execute the relevant Controller to Processor Clauses (with the processing details set out in Schedule 1 of this Addendum (Details of Processing) and the technical and organisational security measures set out in the subcontractor’s relevant information security documentation from time to time applying for the purposes of Appendix 1 and Appendix 2, respectively) with any relevant subcontractor (including affiliates) it appoints on behalf of the Data Controller; and (iii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum), the Standard Contractual Clauses shall prevail to the extent of such conflict. The parties may also agree to separately execute a copy of the Standard Contractual Clauses, in which case, such signed Standard Contractual Clauses shall govern.

6.3 In the event that the Services are covered by more than one recognised compliance standard as an adequate and lawful transfer mechanism with respect to Transferred Personal Data, then such Transferred Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) an Alternative Transfer Solution (where Kustomer has adopted such alternative recognised compliance standard and only to the extent such Alternative Transfer Solution complies with Applicable Data Protection Laws with respect to such Transferred Personal Data); and (b) the Standard Contractual Clauses. If requested by Kustomer, Client agrees that it shall promptly take any action (including, without limitation, electronic acknowledgement or execution of documents) reasonably required to give full effect to an Alternative Transfer Solution.

6.4 If and to the extent the Standard Contractual Clauses are no longer recognized by the European Commission, Switzerland, the UK or other applicable local privacy authorities as an adequate and lawful transfer mechanism with respect to Transferred Personal Data, then Kustomer will adopt and abide by an Alternative Transfer Solution; provided, however, that if, after commercially reasonable efforts, Kustomer is unable to comply with an Alternative Transfer Solution, the parties shall discuss in good faith mutually agreeable additional supplementary, technical, contractual and/or policy measures for Kustomer to undertake to ensure the Transferred Personal Data is protected to a standard equivalent to that afforded by Applicable Data Protection Laws or, if the parties are unable to mutually agree on such additional measures, Client or Kustomer may, upon thirty (30) days advance written notice to the other party, terminate the Agreement and affected Orders and Client shall be entitled to a refund from Kustomer or the reseller, as applicable, of the pro-rata amount of any subscription fees actually pre-paid to Kustomer covering the remainder of the Subscription Term after the effective date of termination.

  7. Rights of Data Subjects

7.1 Kustomer shall, to the extent permitted by law, promptly, and in no event later than ten (10) business days of Kustomer’s receipt thereof, notify Client upon receipt of a request by a Data Subject to exercise the Data Subject’s individual’s rights under Applicable Data Protection Laws, including where applicable rights of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, objection to being subject to Processing that constitutes automated decision-making and/or any other individual’s rights under Applicable Data Protection Laws (such requests individually and collectively “Data Subject Request(s)”).

7.2 Kustomer shall, at the request of the Client, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Client in complying with Client’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Client is itself unable to respond without Kustomer’s assistance and (ii) Kustomer is able to do so in accordance with all Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.

  8. Actions and Access Requests; Security Incident Management

8.1 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance where necessary for Client to comply with its obligations under Applicable Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, if any such obligations exist, provided that Client does not otherwise have access to the relevant information. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.

8.2 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance with respect to Client’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.

8.3 Kustomer shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum and prevailing data security standards applicable to the Processing of Client’s Personal Data in the form of the third-party certifications, reports and audits set forth in the Security and Privacy Documentation to the extent Kustomer makes them generally available to its business customers. Kustomer shall retain such records for a period of three (3) years after the termination of the Agreement. Client (or Client’s independent, third-party auditor) shall, with reasonable notice to Kustomer and no more than once per year, have the right to review, audit and copy such records at Kustomer’s offices during regular business hours, subject to the Confidentiality obligations set forth in the Agreement.

8.4 In the event of a Personal Data Breach, Kustomer shall, without undue delay, but no later than seventy-two (72) hours from Kustomer’s actual knowledge of such Personal Data Breach, inform Client of the Personal Data Breach and the categories of Personal Data implicated.

8.5 Promptly following such Personal Data Breach, Kustomer shall take such steps as Kustomer in its sole discretion deems necessary and reasonable to identify the cause of such Personal Data Breach and remediate such violation (to the extent that remediation is within Kustomer’s reasonable control) and to the extent possible, include such information in the notification of the Personal Data Breach to Client.

8.6 In the event of a Personal Data Breach, Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance necessary for Client to comply with its obligations under Applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.

8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Client.

  9. Limitation of Liability

9.1 The total liability of each of Client and Kustomer (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.

  10. Jurisdiction Specific Terms

10.1 To the extent Kustomer Processes Personal Data of Data Subjects residing in and protected by Applicable Data Protection Laws in one of the jurisdictions listed in Schedule 4, then the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence. In case of conflict or ambiguity between the Jurisdiction Specific Terms and the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence.

Schedule 1

Details of Processing

1. Nature and Purpose of Processing:

Kustomer will process personal data as necessary to provide the Services as described in the Agreement and Documentation and as further instructed by Client in its use of the Services.

2. Duration of Processing:

Term of the Services as described in the Agreement.

3. Categories of Data Subjects:

  • Client’s employees, consultants and contractors who are authorized to access the Services as described in the Agreements (who are natural persons)
  • Client’s customers (who are natural persons)

4. Type of Personal Data:

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Contact details (customer first and last name, customer email address, phone number, physical address, gender, etc.)
  • Technical data (IP address, browser information, device ID, etc.)
  • User data (order history, support conversations history, etc.)

Schedule 2

APPENDIX 1 TO THE UK TRANSFER CLAUSES

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is the Client set forth on the signature page to the Data Processing Addendum and the user of the Services pursuant to the Agreements.

Data importer

Kustomer, Inc. is a provider of enterprise cloud computing solutions which processes personal data upon the instruction of the data exporter in accordance with the terms of the Master Subscription Agreement and Data Processing Agreement (the “Agreements”) entered into by the data exporter and data importer.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

The categories of data subjects are described in Schedule 1, Section 3.

Categories of data

The personal data transferred concern the following categories of data (please specify):

The categories of data are described in Schedule 1, Section 4.

Special categories of data (if appropriate)

Kustomer does not intentionally collect or process any special categories of data in the provision of the Services. However, special categories of data may from time to time be processed through the Services where the data exporter or its end users choose to include this type of data within the communications it transmits using the Services. As such, the data exporter is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using the Services.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The nature and purpose of the processing is described in Schedule 1, Section 1.

ANNEX I TO THE EU TRANSFER CLAUSES

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s), including any contact person with responsibility for data protection]

1. Name: The Client set forth on the signature page to the Agreement and the user of the Services pursuant to the Agreement.
Address: As per the Agreement
Contact person’s name, position and contact details: As per the Agreement
Activities relevant to the data transferred under these Clauses: receipt of the Services pursuant to the Agreement
Signature and date: As per the Agreement
Role (controller/processor): Controller or Processor, as applicable to the activities of Client

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

2. Name: Kustomer, Inc.
Address: 5 Penn Plaza, 19th Floor, New York, NY 10001
Contact person’s name, position and contact details: Director of Security; compliance@kustomer.com
Activities relevant to the data transferred under these Clauses: performance of the Services pursuant to the Agreement
Signature and date: As per the Agreement
Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The categories of data subjects are described in Schedule 1, Section 3.

Categories of personal data transferred

The categories of data are described in Schedule 1, Section 4.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Kustomer does not intentionally collect or process any special categories of data in the provision of the Services. However, special categories of data may from time to time be processed through the Services where the data exporter or its end users choose to include this type of data within the communications it transmits using the Services. As such, the data exporter is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using the Services.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

The frequency of the transfer is a continuous basis for the duration of the Agreement.

Nature of the processing

The nature of the processing is described in Schedule 1, Section 1.

Purpose(s) of the data transfer and further processing

The purpose of the processing is described in Schedule 1, Section 1.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As per Client’s instructions and otherwise pursuant to the retention policy set forth within Kustomer’s Privacy Statement at https://www.kustomer.com/privacy/statement/.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As specified at https://www.kustomer.com/compliance/subprocessors/.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The Irish Data Protection Commission

Schedule 3

APPENDIX 2 TO THE UK TRANSFER CLAUSES and ANNEX II TO THE EU TRANSFER CLAUSES

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) of the Standard Contractual Clauses (or document/legislation attached).

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security and Privacy Documentation applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://www.kustomer.com/security/. Data importer will not materially decrease the overall security of the Services during a subscription term.

Schedule 4

Jurisdiction Specific Terms

1. Additional Terms for Clients for which the EU Transfer Clauses apply

1.1 The Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) terms of the EU Transfer Clauses shall apply where relevant.

1.2 In Clause 7, the optional docking clause shall not apply and shall be deleted.

1.3 The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 shall be provided by Kustomer to Client only upon Client’s written request.

1.4 In Clause 8.9, the parties agree Client shall reimburse Kustomer for any time expended for any such on-site audit at Kustomer’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such on-site audit, Client and Kustomer shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Kustomer. Client shall promptly notify Kustomer with information regarding any noncompliance discovered during the course of an audit.

1.5 Clause 9, Option 2 shall apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 (Authorized Subprocessing) of this Addendum. More specifically, Client acknowledges and expressly agrees that (a) Kustomer’s Affiliates may be retained as subprocessors; and (b) Kustomer may engage third party subprocessors in connection with the Processing operations covered by the EU Transfer Clauses. Kustomer shall make available to Client the current list of subprocessors in accordance with Section 4.1 of the Addendum. Pursuant to Clause 9 of the EU Transfer Clauses, Client acknowledges and expressly agrees that Kustomer may engage new subprocessors as described in Sections 4.2 and 4.3 of the Addendum.

1.6 In Clause 11, the optional language shall not apply and shall be deleted.

1.7 In Clause 17, Option 1 shall apply and the EU Transfer Clauses shall be governed by Irish law.

1.8 In Clause 18(b), disputes shall be resolved before the courts of Ireland.

2. Additional Terms for Clients for which the UK Transfer Clauses apply

2.1 Appointment of new Sub-processors and List of current Sub-processors. Pursuant to Clause 5(h) of the UK Transfer Clauses, Client acknowledges and expressly agrees that (a) Kustomer’s Affiliates may be retained as subprocessors; and (b) Kustomer may engage third party subprocessors in connection with the Processing operations covered by the UK Transfer Clauses. Kustomer shall make available to Client the current list of subprocessors in accordance with Section 4.1 of this Addendum. Pursuant to Clause 5(h) of the UK Transfer Clauses, Client acknowledges and expressly agrees that Kustomer may engage new subprocessors as described in Sections 4.2 and 4.3 of the Addendum.

2.2 Copies of Sub-processor Agreements. For copies of the subprocessor agreements that must be provided by Kustomer to Client pursuant to Clause 5(j) of the UK Transfer Clauses, Client agrees that Kustomer may redact commercial terms and other clauses unrelated to the processing activities performed by Kustomer pursuant to the UK Transfer Clauses from all such subprocessor agreements prior to providing them to Client, and that such copies shall be provided by Kustomer only upon Client’s written request.

2.3 Audits and Certifications. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the UK Transfer Clauses shall be carried out in accordance with Section 8.3 of the Addendum; provided that, to the extent such certifications, reports and/or audits are reasonably deemed insufficient to demonstrate Kustomer’s compliance with its obligations under the UK Transfer Clauses, Client may request an on-site audit of the procedures relevant to the protection of Personal Data, to be performed during regular business hours by Client or Client’s independent, third-party auditor. Client shall reimburse Kustomer for any time expended for any such on-site audit at Kustomer’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such on-site audit, Client and Kustomer shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Kustomer. Client shall promptly notify Kustomer with information regarding any noncompliance discovered during the course of an audit.

2.4 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the UK Transfer Clauses shall be provided by Kustomer to Client only upon Client’s written request.

3. Additional Terms for Clients for which the CCPA applies

3.1 Kustomer represents and warrants that (a) it is a “service provider,” for the purposes of the Services it provides to Client pursuant to the Agreement, according to the meaning given to that term in Section 1798.140 of the Cal. Civ. Code; (b) it is a corporation, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners; and (c) to the extent that Client discloses a Consumer’s Personal Information to Kustomer, Kustomer will Process that Personal Information only on behalf of Client and pursuant to this Addendum.

3.2 Kustomer shall not (a) “sell” (as defined in § 1798.140 of the Cal. Civ. Code) Personal Data; (b) disclose or transfer Personal Data to a “third party” (as defined in § 1798.140 of the Cal. Civ. Code) or other parties that would constitute selling; or (c) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the Personal Data for a commercial purpose (as defined in CCPA) other than providing the Services and for reasons permitted under the CCPA. The foregoing restrictions will not apply to “aggregate consumer information” or “deidentified personal information” as each term is defined in § 1798.140 of the Cal. Civ. Code.

3.3 For the avoidance of doubt, the foregoing prohibits Kustomer from retaining, using or disclosing Personal Data outside of the direct business relationship between Kustomer and Client. Kustomer and Client acknowledge and agree that (a) Client does not “sell” Personal Data to Kustomer in connection with the Agreement; (b) that Kustomer’s access to Personal Data is not part of the consideration exchanged by the parties in respect of the Agreement; and (c) that to the extent Kustomer uses Authorized Subprocessors as set forth in this Addendum, that Kustomer is not “selling” Personal Data to those Authorized Subprocessors in connection with provision of the Services. Kustomer hereby represents that it understands its obligations under the CCPA as a “Service Provider” and shall comply with them.
