THIS DATA PROCESSING ADDENDUM (“ADDENDUM”) APPLIES TO THE EXTENT KUSTOMER, INC. (“KUSTOMER”) IS A “PROCESSOR” (DEFINED BELOW) OF PERSONAL DATA (DEFINED BELOW) THAT IS SUBJECT TO APPLICABLE DATA PROTECTION LAWS (DEFINED BELOW) IN CONNECTION WITH ITS PROVISION OF SERVICES TO THE ENTITY YOU REPRESENT (“CLIENT”). YOU AGREE THAT YOU HAVE READ AND ACCEPT THE TERMS IN THIS ADDENDUM, WHICH SUPPLEMENT KUSTOMER’S TERMS OF SERVICE AVAILABLE AT HTTPS://WWW.KUSTOMER.COM/TERMS/ OR, IF APPLICABLE, THE MASTER SUBSCRIPTION AGREEMENT EXECUTED BY CLIENT AND KUSTOMER FOR THE PROVISION OF SERVICES (“AGREEMENT”) TO WHICH THIS ADDENDUM IS ATTACHED OR INCORPORATED BY REFERENCE. IF YOU ARE ACCESSING THE SERVICES ON BEHALF OF YOUR EMPLOYER, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO AGREE TO THESE TERMS ON ITS BEHALF AND THE RIGHT TO BIND YOUR EMPLOYER THERETO. FOR THE AVOIDANCE OF DOUBT, THIS ADDENDUM IS NOT VALID OR LEGALLY BINDING IF THERE IS NO AGREEMENT IN PLACE BETWEEN CLIENT AND KUSTOMER.
“Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person without additional information unavailable to any third party other than Authorized Subprocessors.
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, that may include the laws and regulations of the EEA, Switzerland, the United Kingdom and the United States and its states.
“Authorized Employee” means an employee of Kustomer who has a need to know or otherwise access Personal Data to enable Kustomer to perform their obligations under this Addendum or the Agreement.
“Authorized Individual” means an Authorized Employee or Authorized Subprocessor.
“Authorized Subprocessor” means a third-party subcontractor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Kustomer to perform its obligations under this Addendum or the Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject” means an identified or identifiable person to whom Personal Data relates.
“EEA” means the European Economic Area.
“Instruction” means a direction, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Client to Kustomer and directing Kustomer to Process Personal Data.
“Personal Data” means any information made available to Kustomer in connection with the Services that constitutes “personal information”, “personally identifiable information”, “personal data” or similar information governed by Applicable Data Protection Laws, including such information relating to a Data Subject which Kustomer Processes on behalf of Client other than Anonymous Data, and includes Sensitive Personal Information.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Kustomer’s possession, custody or control.
“Privacy Shield Framework” means the EU-US and/or Swiss-US Privacy Shield self-certification program operated by the US Department of Commerce and any equivalent legal framework that may apply between the United Kingdom and the United States.
“Privacy Shield Principles” means the Privacy Shield Framework principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework and any equivalent legal principles that may apply between the United Kingdom and the United States.
“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security and Privacy Documentation” means the Security and Privacy Documentation applicable to the specific Services purchased by Client, as updated from time to time, and accessible via https://www.kustomer.com/security/.
“Sensitive Personal Information” means a Data Subject’s (i) government-issued identification number (including social security number, driver’s license number or state-issued identification number) or email address; (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; (iii) genetic and biometric data or data concerning health; or (iv) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or sexual activity, criminal convictions and offences (including commission of or proceedings for any offense committed or alleged to have been committed), or trade union membership.
“Services” shall have the meaning set forth in the Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision (C(2010)593), provided that Appendices 1 and 2 of the Standard Contractual Clauses are set forth in Schedule 2 to this Addendum.
“Supervisory Authority” means an independent public authority which is established by a member state of the EEA, Switzerland or the United Kingdom, or any other governmental authority or body which has jurisdiction over the compliance and enforcement of Applicable Data Protection Laws.
“Third-Party Services” means connections and/or links to third party websites and/or services that Kustomer enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks, and for which Client has entered into an agreement(s) directly with such third party websites and/or services with respect to the Processing of Personal Data.
2. Processing of Data
2.1 The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Controller, Kustomer is the Processor and that Kustomer will engage Authorized Subprocessors pursuant to the requirements set forth in Section 4 below. Client understands that to the extent Third-Party Services are accessed, Client serves as the Controller and the Third-Party Services are Processors, and the Third-Party Services are not Authorized Subprocessors of Kustomer.
2.2 The rights and obligations of the Client with respect to this Processing are described herein. Client shall, in its use of the Services, at all times Process Personal Data, and provide Instructions for the Processing of Personal Data, in compliance with Applicable Data Protection Laws. Client shall ensure that its Instructions comply with all Applicable Data Protection Laws in relation to the Personal Data, and that the Processing of Personal Data in accordance with Client’s Instructions will not cause Kustomer to be in breach of Applicable Data Protection Laws. Client is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Kustomer by or on behalf of Client, (ii) the means by which Client acquired any such Personal Data, and (iii) the Instructions it provides to Kustomer regarding the Processing of such Personal Data. Client shall not provide or make available to Kustomer any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Kustomer from all claims and losses in connection therewith.
2.3 Kustomer shall Process Personal Data only (i) for the purposes set forth in the Agreement, (ii) in accordance with the terms and conditions set forth in this Addendum and any other Instructions provided by Client, and (iii) in compliance with Applicable Data Protection Laws. Client hereby instructs Kustomer to Process Personal Data in accordance with the foregoing purposes and as part of any Processing initiated by Client in its use of the Services.
2.4 The subject matter, nature, purpose, and duration of Kustomer’s Processing of Personal Data under the Agreement and this Addendum, including the types of Personal Data collected and categories of Data Subjects, are described in Schedule 1 to this Addendum.
2.5 Following completion of the Services, at Client’s choice, Kustomer shall return or delete the Personal Data as soon as reasonably practicable, except as required to be retained by Applicable Data Protection Laws.
3. Authorized Employees
3.1 Kustomer shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
3.2 Kustomer shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Kustomer, any Personal Data except in accordance with their obligations in connection with the Services.
3.3 Kustomer shall take commercially reasonable steps to limit access to Personal Data to only Authorized Individuals.
4. Authorized Subprocessors
4.1 Client acknowledges and agrees that Kustomer may (1) engage the Authorized Subprocessors listed on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ to access and Process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.
4.2 Kustomer shall notify Client before engaging any third party other than Authorized Subprocessors to access or participate in the Processing of Personal Data by updating the current list of Authorized Subprocessors available on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ as well as providing a mechanism to subscribe by email to notifications of new Authorized Subprocessors, and if Client subscribes, Kustomer shall provide email notification to Client of a new Authorized Subprocessor before authorizing any new Authorized Subprocessor to Process Personal Data in connection with the provision of the Services.
4.3 Kustomer shall, by way of contract or other legal act under applicable law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Subprocessor is subject to data protection obligations regarding the Processing of Personal Data that are no less protective than those in this Addendum to the extent applicable to the nature of the services provided by such Authorized Subprocessor. Kustomer conducts appropriate due diligence on its Authorized Subprocessors.
4.4 Client may object to Kustomer’s use of a new subprocessor by emailing email@example.com within fifteen (15) days after receipt of Kustomer’s notice in accordance with the mechanism set out in Section 4.2, provided such objection is based on reasonable grounds that the new subprocessor does not or cannot comply with the requirements set forth in this Addendum (each, an “Objection”). In such event, the parties agree to discuss commercially reasonable alternative solutions in good faith to address the Objection, which may include finding a reasonable workaround or the parties mutually agreeing to terminate the Agreement and affected Orders without further liability to either party.
4.5 Kustomer shall be liable to Client for the acts and omissions of Authorized Subprocessors to the same extent that Kustomer would itself be liable under this Addendum had it conducted such acts or omissions.
5. Security of Personal Data
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kustomer shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), as set forth in the Security and Privacy Documentation. Kustomer regularly monitors compliance with these measures.
6. Transfers of Personal Data
6.1 Any transfer of Personal Data made subject to this Addendum from member states of the EEA, Switzerland or the United Kingdom to the United States or any other country which does not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws of the foregoing countries (collectively, “Transferred Personal Data”) shall, to the extent such Transferred Personal Data is subject to such Applicable Data Protection Laws, be undertaken by Kustomer in accordance with (a) the Standard Contractual Clauses, (b) the Privacy Shield Framework (where and to the extent such framework provides for a lawful transfer mechanism under such laws and regulations), or (c) an alternative recognised compliance standard, including any new version of, or successor to, the Standard Contractual Clauses or Privacy Shield Framework adopted pursuant to Applicable Data Protection Laws (where Kustomer has adopted such alternative recognised compliance standard) (“Alternative Transfer Solution”).
6.2 This Addendum hereby incorporates by reference the Standard Contractual Clauses. For the avoidance of doubt, Client’s signature to this Addendum or the Agreement shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their appendices set forth on Schedule 2 hereto. The parties agree that (i) purely for the purposes of the descriptions in the Standard Contractual Clauses, Kustomer is the “data importer” and Client is the “data exporter” (notwithstanding that Client may be located outside Europe and/or Client may be acting as a processor on behalf of third party controllers); (ii) with respect to subprocessing, Kustomer may commission Authorized Subprocessors, in accordance with Section 4 of this Addendum; and (iii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum), the Standard Contractual Clauses shall prevail to the extent of such conflict. The parties may also agree to separately execute a copy of the Standard Contractual Clauses, in which case such signed Standard Contractual Clauses shall govern.
6.3 For so long as Kustomer is self-certified to the Privacy Shield Framework, Kustomer shall Process Transferred Personal Data in compliance with the Privacy Shield Principles, as administered by the U.S. Department of Commerce.
6.4 In the event that the Services are covered by more than one recognised compliance standard as an adequate and lawful transfer mechanism with respect to Transferred Personal Data, then such Transferred Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) an Alternative Transfer Solution (where Kustomer has adopted such alternative recognised compliance standard and only to the extent such Alternative Transfer Solution complies with Applicable Data Protection Laws with respect to such Transferred Personal Data); (b) Kustomer’s EU-US and Swiss-US Privacy Shield Framework self-certifications (but only to the extent such framework is recognized by the European Commission, Switzerland, the UK or other applicable local privacy authorities as an adequate and lawful transfer mechanism with respect to Transferred Personal Data); and (c) the Standard Contractual Clauses. If requested by Kustomer, Client agrees that it shall promptly take any action (including, without limitation, electronic acknowledgement or execution of documents) reasonably required to give full effect to an Alternative Transfer Solution.
6.5 If and to the extent the applicable Privacy Shield Framework and the Standard Contractual Clauses are no longer recognized by the European Commission, Switzerland, the UK or other applicable local privacy authorities as an adequate and lawful transfer mechanism with respect to Transferred Personal Data, then Kustomer will adopt and abide by an Alternative Transfer Solution; provided, however, that if, after commercially reasonable efforts, Kustomer is unable to comply with an Alternative Transfer Solution, Client or Kustomer may, upon thirty (30) days’ advance written notice to the other party, terminate the Agreement and affected Orders, and Client shall be entitled to a refund from Kustomer or the reseller, as applicable, of the pro-rata amount of any subscription fees actually pre-paid to Kustomer covering the remainder of the Subscription Term after the effective date of termination.
7. Rights of Data Subjects
7.1 Kustomer shall, to the extent permitted by law, promptly, and in no event later than ten (10) business days after Kustomer’s receipt thereof, notify Client upon receipt of a request by a Data Subject to exercise the Data Subject’s rights under Applicable Data Protection Laws, including where applicable rights of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, objection to being subject to Processing that constitutes automated decision-making and/or any other individual’s rights under Applicable Data Protection Laws (such requests individually and collectively “Data Subject Request(s)”).
7.2 Kustomer shall, at the request of the Client, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Client in complying with Client’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Client is itself unable to respond without Kustomer’s assistance and (ii) Kustomer is able to do so in accordance with all Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8. Actions and Access Requests; Security Incident Management
8.1 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance where necessary for Client to comply with its obligations under Applicable Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, if any such obligations exist, provided that Client does not otherwise have access to the relevant information. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8.2 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance with respect to Client’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8.3 Kustomer shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Client shall, with reasonable notice to Kustomer, have the right to review, audit and copy such records at Kustomer’s offices during regular business hours.
8.4 Upon Client’s request and at Client’s choice, Kustomer shall, no more than once per calendar year, make available for Client’s review copies of certifications or reports demonstrating Kustomer’s compliance with prevailing data security standards applicable to the Processing of Client’s Personal Data.
8.5 In the event of a Personal Data Breach, Kustomer shall, without undue delay, but no later than seventy-two (72) hours from Kustomer’s actual knowledge of such Personal Data Breach, inform Client of the Personal Data Breach and the categories of Personal Data implicated and take such steps as Kustomer in its sole discretion deems necessary and reasonable to identify the cause of such Personal Data Breach and remediate such violation (to the extent that remediation is within Kustomer’s reasonable control) and, to the extent possible, include such information in the notification of the Personal Data Breach to Client.
8.6 In the event of a Personal Data Breach, Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance necessary for Client to comply with its obligations under Applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Client.
9. Limitation of Liability
9.1 The total liability of each of Client and Kustomer (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
10. Jurisdiction Specific Terms
10.1 To the extent Kustomer Processes Personal Data of Data Subjects residing in and protected by Applicable Data Protection Laws in one of the jurisdictions listed in Schedule 3, then the terms specified in Schedule 3 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.
Schedule 1: Details of Processing
Nature and Purpose of Processing:
Kustomer will process personal data as necessary to provide the services as described in the Agreement and Documentation and as further instructed by Client in its use of the Services.
Duration of Processing:
Term of the Services as described in the Agreement.
Categories of Data Subjects:
- Client’s employees, consultants and contractors who are authorized to access the Services as described in the Agreements (who are natural persons)
- Client’s customers (who are natural persons)
Type of Personal Data:
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Contact details (customer first and last name, customer email address, phone number, physical address, gender, etc.)
- Technical data (IP address, browser information, device ID, etc.)
- User data (order history, support conversations history, etc.)
Schedule 2
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the Client set forth on the signature page to the Data Processing Addendum and the user of the Services pursuant to the Agreements.
Kustomer, Inc. is a provider of enterprise cloud computing solutions which processes personal data upon the instruction of the data exporter in accordance with the terms of the Master Subscription Agreement and Data Processing Agreement (the “Agreements”) entered into by the data exporter and data importer.
The personal data transferred concern the following categories of data subjects (please specify):
- Data exporter’s employees, consultants and contractors who are authorized to access the Services as described in the Agreements (who are natural persons)
- Data exporter’s customers (who are natural persons)
Categories of data
The personal data transferred concern the following categories of data (please specify):
Data exporter may submit personal data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion but subject to data importer’s acceptable use policy, and which may include, but is not limited to the following categories of personal data:
- Contact details (customer first and last name, customer email address, phone number, physical address, gender, etc.)
- Technical data (IP address, browser information, device ID, etc.)
- User data (order history, support conversations history, etc.)
Special categories of data (if appropriate)
Kustomer does not intentionally collect or process any special categories of data in the provision of the Services. However, special categories of data may from time to time be processed through the Services where the data exporter or its end users choose to include this type of data within the communications it transmits using the Services. As such, the data exporter is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using the Services.
The personal data transferred will be subject to the following basic processing activities (please specify):
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreements.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) of the Standard Contractual Clauses (or document/legislation attached).
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security and Privacy Documentation applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://www.kustomer.com/security/. Data importer will not materially decrease the overall security of the Services during a subscription term.
Schedule 3: Jurisdiction Specific Terms
European Union and EEA Countries
- “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force.
- The definition of “Applicable Data Protection Laws” includes the EU GDPR and UK GDPR.
California
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- The definition of “Applicable Data Protection Laws” includes the California Consumer Privacy Act (CCPA).
- The definition of “Personal Data” includes “Personal Information” as defined under the CCPA.
- The definition of “Data Subject” includes “Consumer” as defined under the CCPA. Any Data Subject Rights, as described in Section 7 of the Addendum, apply to Consumer rights. With regard to Data Subject Requests, Kustomer can only verify a request from Client and not from Client’s end user or any third party.
- The definition of “Controller” includes “Business” as defined under the CCPA.
- The definition of “Processor” includes “Service Provider” as defined under the CCPA.
- Kustomer shall not (a) “sell” (as defined in the CCPA) Personal Data; or (b) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the Personal Data for a commercial purpose (as defined in the CCPA) other than providing the Services and for reasons permitted under the CCPA. For the avoidance of doubt, the foregoing prohibits Kustomer from retaining, using or disclosing Personal Data outside of the direct business relationship between Kustomer and Client. Kustomer and Client acknowledge and agree that Client does not “sell” Personal Data to Kustomer in connection with the Agreement and that, to the extent Kustomer uses Authorized Subprocessors as set forth in this Addendum, Kustomer is not “selling” Personal Data to those Authorized Subprocessors in connection with provision of the Services. Kustomer hereby represents that it understands the obligations under the CCPA and shall comply with them.
- Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Kustomer’s access to Personal Data is not part of the consideration exchanged by the parties in respect of the Agreement.