THIS DATA PROCESSING ADDENDUM (“ADDENDUM”) APPLIES TO THE EXTENT KUSTOMER, INC. (“KUSTOMER”) IS A “PROCESSOR” (DEFINED BELOW) OF PERSONAL DATA (DEFINED BELOW) THAT IS SUBJECT TO APPLICABLE DATA PROTECTION LAWS (DEFINED BELOW) IN CONNECTION WITH ITS PROVISION OF SERVICES TO THE ENTITY YOU REPRESENT (“CLIENT”). YOU AGREE THAT YOU HAVE READ AND ACCEPT THE TERMS IN THIS ADDENDUM, WHICH SUPPLEMENT KUSTOMER’S TERMS OF SERVICE AVAILABLE AT HTTPS://WWW.KUSTOMER.COM/TERMS/ OR, IF APPLICABLE, THE MASTER SUBSCRIPTION AGREEMENT EXECUTED BY CLIENT AND KUSTOMER FOR THE PROVISION OF SERVICES (“AGREEMENT”). IF YOU ARE ACCESSING THE SERVICES ON BEHALF OF YOUR EMPLOYER, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO AGREE TO THESE TERMS ON ITS BEHALF AND THE RIGHT TO BIND YOUR EMPLOYER THERETO. FOR THE AVOIDANCE OF DOUBT, THIS ADDENDUM IS NOT VALID OR LEGALLY BINDING IF THERE IS NO AGREEMENT IN PLACE BETWEEN CLIENT AND KUSTOMER.
“Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person without additional information unavailable to any third party other than Authorized Subprocessors.
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, that may include the laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states.
“Authorized Employee” means an employee of Kustomer who has a need to know or otherwise access Personal Data to enable Kustomer to perform their obligations under this Addendum or the Agreement.
“Authorized Individual” means an Authorized Employee or Authorized Subprocessor.
“Authorized Subprocessor” means a third-party subcontractor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Kustomer to perform its obligations under this Addendum or the Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject” means an identified or identifiable person to whom Personal Data relates.
“Instruction” means a direction, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Client to Kustomer and directing Kustomer to Process Personal Data.
“Personal Data” means any information made available to Kustomer in connection with the Services that constitutes “personal information”, “personally identifiable information”, “personal data” or similar information governed by Applicable Data Protection Laws, including such information relating to Data Subject which Kustomer Processes on behalf of Client other than Anonymous Data, and includes Sensitive Personal Information.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Kustomer’s possession, custody or control.
“Privacy Shield Principles” means the Swiss-U.S. and EU-U.S. Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework and any equivalent legal framework that may apply between the United Kingdom and the United States.
“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security and Privacy Documentation” means the Security and Privacy Documentation applicable to the specific Services purchased by Client, as updated from time to time, and accessible via https://www.kustomer.com/security/.
“Sensitive Personal Information” means a Data Subject’s (i) government-issued identification number (including social security number, driver’s license number or state-issued identification number) or email address; (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; (iii) genetic and biometric data or data concerning health; or (iv) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or sexual activity, criminal convictions and offences (including commission of or proceedings for any offense committed or alleged to have been committed), or trade union membership.
“Services” shall have the meaning set forth in the Agreement.
“Standard Contractual Clauses” means the agreement that may be executed by and between Client and Kustomer pursuant to the European Commission’s decision (C(2010)593) of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection (or any alternative or successor decision that approves new standard contractual clauses for transfers to data processors in third countries).
“Supervisory Authority” means an independent public authority which is established by a member state of the European Union, United Kingdom, Iceland, Liechtenstein, or Norway or any other governmental authority or body which has jurisdiction over the compliance and enforcement of Applicable Data Protection Laws.
“Third-Party Services” means connections and/or links to third party websites and/or services that Kustomer enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks, and for which Client has entered into an agreement(s) directly with such third party websites and/or services with respect to the Processing of Personal Data.
2. Processing of Data
2.1 The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Controller, Kustomer is the Processor and that Kustomer will engage Authorized Subprocessors pursuant to the requirements set forth in Section 4 below. Client understands that to the extent Third-Party Services are accessed, Client serves as the Controller and the Third-Party Services are Processors, and the Third-Party Services are not Authorized Subprocessors of Kustomer.
2.2 The rights and obligations of the Client with respect to this Processing are described herein. Client shall, in its use of the Services, at all times Process Personal Data, and provide Instructions for the Processing of Personal Data, in compliance with Applicable Data Protection Laws. Client shall ensure that its Instructions comply with all Applicable Data Protection Laws in relation to the Personal Data, and that the Processing of Personal Data in accordance with Client’s Instructions will not cause Kustomer to be in breach of Applicable Data Protection Laws. Client is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Kustomer by or on behalf of Client, (ii) the means by which Client acquired any such Personal Data, and (iii) the Instructions it provides to Kustomer regarding the Processing of such Personal Data. Client shall not provide or make available to Kustomer any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Kustomer from all claims and losses in connection therewith.
2.3 Kustomer shall Process Personal Data only (i) for the purposes set forth in the Agreement, (ii) in accordance with the terms and conditions set forth in this Addendum and any other Instructions provided by Client, and (iii) in compliance with Applicable Data Protection Laws. Client hereby instructs Kustomer to Process Personal Data in accordance with the foregoing purposes and as part of any Processing initiated by Client in its use of the Services.
2.4 The subject matter, nature, purpose, and duration of Kustomer’s Processing of Personal Data under the Agreement and this Addendum, including the types of Personal Data collected and categories of Data Subjects, are described in Schedule 1 to this Addendum.
2.5 Following completion of the Services, at Client’s choice, Kustomer shall return or delete the Personal Data as soon as reasonably practicable, except as required to be retained by Applicable Data Protection Laws.
3. Authorized Employees
3.1 Kustomer shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
3.2 Kustomer shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Kustomer, any Personal Data except in accordance with their obligations in connection with the Services.
3.3 Kustomer shall take commercially reasonable steps to limit access to Personal Data to only Authorized Individuals.
4. Authorized Subprocessors
4.1 Client acknowledges and agrees that Kustomer may (1) engage the Authorized Subprocessors listed on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ to access and Process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.
4.2 Kustomer shall notify Client before engaging any third party other than Authorized Subprocessors to access or participate in the Processing of Personal Data. Kustomer may update the list of Authorized Subprocessors during the term of the Agreement and the current list of Authorized Subprocessors shall be available on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ as well as a mechanism to subscribe by email to notifications of new Authorized Subprocessors, and if Client subscribes, Kustomer shall provide email notification to Client of a new Authorized Subprocessor before authorizing any new Authorized Subprocessor to Process Personal Data in connection with the provision of the Services.
4.3 Kustomer shall, by way of contract or other legal act under applicable law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Subprocessor is subject to data protection obligations regarding the Processing of Personal Data that are no less protective than those in this Addendum to the extent applicable to the nature of the services provided by such Authorized Subprocessor. Kustomer conducts appropriate due diligence on its Authorized Subprocessors.
4.4 Client may object to Kustomer’s use of a new subprocessor, provided such objection is based on reasonable grounds relating to data protection and made in writing within fifteen (15) days after receipt of Kustomer’s notice in accordance with the mechanism set out in Section 4.2. In such event, the parties agree to discuss commercial reasonable alternative solutions in good faith.
4.5 Kustomer shall be liable to Client for the acts and omissions of Authorized Subprocessors to the same extent that Kustomer would itself be liable under this Addendum had it conducted such acts or omissions.
5. Security of Personal Data
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kustomer shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), as set forth in the Security and Privacy Documentation. Kustomer regularly monitors compliance with these measures.
6. Transfers of Personal Data
6.1 Any transfer of Personal Data made subject to this Addendum from member states of the European Union, Iceland, Liechtenstein, Norway, Switzerland or the United Kingdom to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries shall, to the extent such transfer is subject to such laws and regulations, be undertaken by Kustomer in accordance with the Swiss-U.S. and EU-U.S. Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework (the “Privacy Shield Principles”), or (b) the Standard Contractual Clauses.
6.2 Kustomer self-certifies to, and complies with, the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks, as administered by the U.S. Department of Commerce, and shall maintain such self-certification and compliance with respect to the Processing of Personal Data transferred from member states of the European Union, Iceland, Lichtenstein, Norway, Switzerland or the United Kingdom to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of the foregoing countries for the duration of the Agreement.
6.3 In the event that the Services are covered by more than one transfer mechanism, the transfer of personal data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) Kustomer’s EU-US and Swiss-US Privacy Shield Framework self-certifications; and (b) the Standard Contractual Clauses.
7. Rights of Data Subjects
7.1 Kustomer shall, to the extent permitted by law, promptly, and in no event later than ten (10) business days of Kustomer’s receipt thereof, notify Client upon receipt of a request by a Data Subject to exercise the Data Subject’s individual’s rights under Applicable Data Protection Laws, including where applicable rights of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, objection to being subject to Processing that constitutes automated decision-making and/or any other individual’s rights under Applicable Data Protection Laws (such requests individually and collectively “Data Subject Request(s)”).
7.2 Kustomer shall, at the request of the Client, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Client in complying with Client’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Client is itself unable to respond without Kustomer’s assistance and (ii) Kustomer is able to do so in accordance with all Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8. Actions and Access Requests; Security Incident Management
8.1 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance where necessary for Client to comply with its obligations under Applicable Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, if any such obligations exist, provided that Client does not otherwise have access to the relevant information. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8.2 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance with respect to Client’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8.3 Kustomer shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Client shall, with reasonable notice to Kustomer, have the right to review, audit and copy such records at Kustomer’s offices during regular business hours.
8.4 Upon Client’s request and at Client’s choice, Kustomer shall, no more than once per calendar year, make available for Client’s review copies of certifications or reports demonstrating Kustomer’s compliance with prevailing data security standards applicable to the Processing of Client’s Personal Data.
8.5 In the event of a Personal Data Breach, Kustomer shall, without undue delay, but no later than seventy-two (72) hours from Kustomer’s actual knowledge of such Personal Data breach, inform Client of the Personal Data Breach and the categories of Personal Data implicated and take such steps as Kustomer in its sole discretion deems necessary and reasonable to identify the cause of such Personal Data Breach and remediate such violation (to the extent that remediation is within Kustomer’s reasonable control) and to the extent possible, include such information in the notification of the Personal Data Breach to Client.
8.6 In the event of a Personal Data Breach, Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance necessary for Client to comply with its obligations under Applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Client.
9. Limitation of Liability
9.1 The total liability of each of Client and Kustomer (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
10. Jurisdiction Specific Terms.
10.1 To the extent Kustomer Processes Personal Data of Data Subjects residing in and protected by Applicable Data Protection Laws in one of the jurisdictions listed in Schedule 2, then the terms specified in Schedule 2 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.
Details of Processing
Nature and Purpose of Processing: Kustomer will process personal data as necessary to provide the services as described in Agreement and Documentation and as further instructed by Client in its use of the Services.
Duration of Processing: Term of the Services as described in Agreement
Categories of Data Subjects: Client’s customers and end users
Type of Personal Data: Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical address)
- Location data
Jurisdiction Specific Terms
European Union and EEA Countries
- “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force.
- The definition of “Applicable Data Protection Laws” includes the EU GDPR and UK GDPR.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- The definition of “Applicable Data Protection Laws” includes the California Consumer Privacy Act (CCPA).
- The definition of “Personal Data” includes “Personal Information” as defined under the CCPA.
- The definition of “Data Subject” includes “Consumer” as defined under the CCPA. Any Data Subject Rights, as described in Section 7 of the Addendum, apply to Consumer rights. In regards to Data Subject Requests, Kustomer can only verify a request from Client and not from Client’s end user or any third party.
- The definition of “Controller” includes “Business” as defined under the CCPA.
- The definition of “Processor” includes “Service Provider” as defined under the CCPA.
- Kustomer shall not (a) “sell” (as defined in the CCPA) Personal Data; or (b) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the Personal Data for a commercial purpose (as defined in CCPA) other than providing the Services and for reasons permitted under the CCPA. For the avoidance of doubt, the foregoing prohibits Kustomer from retaining, using or disclosing Personal Data outside of the direct business relationship between Kustomer and Client. Kustomer and Client acknowledge and agree that Client does not “sell” Personal Data to Kustomer in connection with the Agreement and that to the extent Kustomer uses Authorized Subprocessors as set forth in this Addendum, that Kustomer is not “selling” Personal Data to those Authorized Subprocessors in connection with provision of the Services. Kustomer hereby represents that it understands the obligations under the CCPA and shall comply with them.
- Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Kustomer’s access to Personal Data is not part of the consideration exchanged by the parties in respect of the Agreement.