Data Processing Addendum
Last Updated: April, 2023
This Data Processing Agreement, including its Appendix, (this “DPA”) forms part of the Terms and Conditions or other written or electronic contracts between Engage and the Client for the purchase of services from Engage (the “Agreement”), which reflects the parties’ agreement regarding the Processing of Personal Data.
For exercising the rights and fulfilling the obligations under the Agreement, the Exporter will disclose and transfer Personal Data to the Importer. Under this DPA, the Importer will Process the transferred Personal Data on behalf of the Exporter, in accordance with the Exporter’s requirements provided by this DPA.
Under this DPA, the Exporter acts as a Data Controller, determining the purposes and means of the Personal Data Processing, in accordance with the Applicable Data Protection Legislation and the Importer acts as a Data Processor, Processing the transferred Personal Data on behalf of the Controller.
Both Parties have the responsibility to respect the provisions of this DPA.
- “Agreement” means the Terms and Conditions, or other written or electronic agreement concluded between Engage and the Client for the purchase of services from Engage.
- “Applicable Data Protection Legislation” means the laws applicable to the specific Personal Data Processing in accordance with its personal, material, and territorial scope; the Applicable Data Protection Legislation usually is determined by reference to the Data Subject’s location.
- “Client” means the legal entity Engage provides services to, in accordance with the Agreement. The term “Client” shall include Client and authorized affiliates.
- “Data Breach” means any loss or unauthorized use, copying, modification, disclosure, or destruction of, or access to, Personal Data transferred under this DPA.
- “Data Controller” or “Controller” means the Party which determines the purposes and means of the Processing of Personal Data.
- “Data Exporter” or “Exporter” means the Client who transfers Personal Data to the Data Importer under this DPA.
- “Data Importer” or “Importer” means Engage which receives Personal Data from the Data Exporter for Processing under this DPA.
- “Data Processor” or “Processor” means the Party which Processes Personal Data on behalf of the Controller, also referred to as the data intermediary/entrusted person.
- “Data Subject” means the natural person to whom the Personal Data refers.
- “Data Sub-Processor” means any person or legal entity which may be engaged by the Data Importer to assist in the Processing of Personal Data under this DPA.
- “DPA” means this Data Processing Addendum.
- “Enforcement Authority(ies)” means the Supervisory Authority(ies) or any other Authority(ies) that is in charge of enforcing the Applicable Data Protection Legislation.
- “Engage” means Engage Technologies Group Inc, a legal entity incorporated under U.S. laws, headquartered at 3540 E Longwing Lane, Suite 300, Meridian, Idaho, 83646, United States.
- “Personal Data” means any information relating to a Data Subject.
- “Processing” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including, for example, collection, use and disclosure of Personal Data; and
- “Services” means the services provided by the Data Importer to the Data Exporter in accordance with the Agreement.
- RESPONSIBILITIES OF THE PARTIES
- Each Party has the responsibility to comply with the clauses of this DPA, in accordance with the Applicable Data Protection Legislation.
- Both Parties have the responsibility to ensure Personal Data protection and security, in accordance with their roles and obligations under the Applicable Data Protection Legislation.
- Both Parties have the responsibility to respect the Data Subject’s rights and to provide the means for their exercise, in accordance with their roles and obligations under the Applicable Data Protection Legislation.
- Each Party shall be liable to the other Party(ies) for any damages it causes the other Party(ies) by any breach of this DPA.
- Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of this DPA, all responsible Parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party(ies) that part of the compensation corresponding to its / their responsibility for the damage.
- The Data Exporter warrants, represents, and undertakes that:
- The Personal Data has been collected, used, disclosed, and transferred to the Data Importer under this DPA in accordance with Applicable Data Protection Legislation.
- The Personal Data transferred to the Data Importer under this DPA is accurate, complete, and relevant for the purposes of processing by the Data Importer.
- The Data Exporter shall implement adequate technical and operational measures to ensure the security of the Personal Data during transmission to the Data Importer.
- The Data Exporter shall respond to enquiries from Data Subjects or Enforcement Authorities regarding the Processing of Personal Data by the Data Importer as required by the Applicable Data Protection Legislation. Responses to such enquiries and requests shall be made within a reasonable time frame or within the time frame and in the manner, if any, required under the Applicable Data Protection Legislation.
- Where applicable, the Exporter is responsible for collecting the consent of the data subjects so that the Importer may process, use, or disclose personal data on behalf of the Exporter.
- The Data Importer warrants, represents, and undertakes that:
- The Data Importer Processes Personal Data only in compliance with the Data Exporter’s instructions and for the purposes described in the Appendix to this DPA.
- The Data Importer shall not further disclose or transfer the Personal Data it receives from the Data Exporter to another person, Enforcement Authority, or legal entity, including to Data Sub-Processors, unless it has notified the Data Exporter of such further disclosure or transfer in writing, and provided a reasonable opportunity for the Data Exporter to object.
- The Data Importer agrees that prior to any disclosure or transfer of Personal Data to third parties, including to Data Sub-Processors, the Data Importer shall ensure that the third party shall be subject to and bound by the obligations of the Data Importer to the Data Exporter.
- The Data Importer agrees to take reasonable steps to implement measures on the storage and Processing of Personal Data that comply with adequate security standards according to the Applicable Data Protection Legislation.
- The Data Importer shall, without undue delay, communicate and refer to the Data Exporter any enquiries and requests from Data Subjects relating to the Personal Data transferred by the Data Exporter, including requests to access or correct the Personal Data.
- The Data Importer shall correct any error or omission in the Personal Data reasonably requested by the Data Exporter within 30 days of receipt of the request or such other time frame required by the Applicable Data Protection Legislation.
- Upon the termination of the Agreement or completion of Processing required under this DPA, the Data Importer shall, at the election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession pursuant to this DPA or cease to retain such Personal Data in a manner approved of by the Data Exporter.
- The Data Importer shall have in place reasonable and appropriate technical, administrative, operational, and physical measures, consistent with the Applicable Data Protection Legislation to protect the confidentiality, integrity, and availability of Personal Data, in particular against risks of Data Breaches.
- If the Data Importer becomes aware that a Data Breach has occurred affecting Personal Data in its possession or under its control, or in the possession or under the control of an importer of an onward disclosure or transfer of the Personal Data, it shall notify the Data Exporter without undue delay.
- The Data Importer shall promptly notify and consult with the Data Exporter regarding any investigation regarding the collection, use, transfer, disclosure, security, or disposal of the Personal Data transferred under this DPA unless otherwise prohibited under law.
- The Importer shall comply with all its obligations under the Applicable Data Protection Legislation at its own cost.
- Where the Exporter provides Personal Data to the Importer, the Exporter shall make a reasonable effort to ensure that the Personal Data is accurate and complete before providing the same to the Importer. In any case, the Importer shall take steps to correct any errors in the Personal Data, as soon as practicable upon the Exporter’s written request.
- The Importer is only responsible under this DPA for the processing of the Personal Data when transferred by the Exporter, as provided by the Exporter.
- DATA PROTECTION SAFEGUARDS
- The Exporter warrants that it has used reasonable efforts to determine that the Importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under this DPA.
- The Importer shall process the personal data received from the Importer or processed on behalf of the Exporter only on documented instructions from the Exporter. The Exporter may give such instructions throughout the duration of the Agreement.
- The Importer shall immediately inform the Exporter if it is unable to follow those instructions.
- The Importer shall process the Personal Data received from the Importer or processed on behalf of the Exporter only for the specific purpose(s) of the transfer, as set out in this DPA, unless on further instructions from the Exporter.
- The Importer shall only disclose the Personal Data received from the Importer or processed on behalf of the Exporter to a third party in accordance with the requirements of the Applicable Data Protection Legislation.
- SECURITY OF PROCESSING
- The Importer and the Exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to that data. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing of the data subjects. The Parties shall consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the Data Exporter.
- The Importer shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the Agreement. It shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a Personal Data Breach concerning Personal Data Processed by the Importer under this DPA, the Importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects and notify the Exporter without undue delay after having become aware of the breach.
- The Importer shall protect the Personal Data in the Importer’s control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent: (i) unauthorized or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of the Personal Data, or other similar risks; and (ii) the loss of any storage medium or device on which Personal Data is stored. For the purposes of this Agreement, “reasonable security arrangements” include arrangements set out in Annex II to the Agreement.
- USE OF SUB-PROCESSORS
- GENERAL WRITTEN AUTHORISATION: The Data Importer has the Data Exporter’s general authorization for the engagement of sub-processor(s).
- Where the Data Importer engages a sub-processor to carry out specific processing activities (on behalf of the Data Exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the Data Importer under this DPA.
- The Data Importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the Data Importer has factually disappeared, ceased to exist in law or has become insolvent – the Data Exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the Personal Data.
- At the Data Exporter’s request, the Data Importer shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
- DATA SUBJECTS’ RIGHTS
- The Importer shall with undue delay notify the Exporter of any request it has received from a Data Subject. It shall not respond to that request itself unless it has been authorized to do so by the Exporter.
- The Importer shall assist the Exporter in fulfilling its obligations to respond to Data Subjects’ requests for the exercise of their rights.
- In case of a dispute between a Data Subject and one of the Parties as regards compliance with this DPA, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- RETENTION OF PERSONAL DATA
- The Importer shall not retain the Personal Data subject to this DPA (or any documents or records containing this Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of this DPA.
- The Importer shall, upon the request of the Exporter:
  - return to the Exporter all Personal Data; or
  - delete all Personal Data in its possession, and, where applicable, the Importer shall also instruct all third parties to whom it has disclosed the Personal Data for the purposes of this DPA to return to the Processor or delete, such Personal Data.
- The clauses provided by paragraphs (a) and (b) above shall not apply to specific situations when the Importer is subject to a legal obligation concerning the retention of personal data for a longer period of time.
- DISPUTE RESOLUTION AND THE APPLICABLE LAW
- Any dispute under this DPA shall be resolved by amicable settlement.
- If an amicable settlement is not possible, any dispute shall be settled in accordance with the State laws from the Data Importer premises.
- If there is any conflict or inconsistency between clauses in this DPA and Applicable Data Protection Legislation, then the provisions of the Applicable Data Protection Legislation shall prevail.
- CONSEQUENCES FOR NON-COMPLIANCE
- In case any of the Parties fails to comply with the responsibilities under this DPA, the affected Party shall notify the Party at fault to remediate the non-conformity within a reasonable period of time.
- Depending on the gravity of the non-conformity, the affected Party may suspend the transfer or the Processing of the Personal Data under this DPA for the period of time necessary to remediate the non-conformity.
- In the event that:
  - the transfer or the Processing of Personal Data to or by the Data Importer has been temporarily suspended for longer than 6 months pursuant to paragraph (b); or
  - compliance by any of the Parties with this DPA would put it in breach of its obligations under the law in the country in which it is Processing the Personal Data; or
  - there is a final decision from which no further appeal is possible of a competent court that there has been a breach of this DPA by any of the Parties; or
  - any of the Parties ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity,

  then the harmed Party, without prejudice to any other rights which it may have against the Party at fault, shall be entitled to terminate this DPA.
- The Parties agree that the termination of this DPA at any time, in any circumstances and for whatever reason does not exempt them from the obligations of this DPA regarding the return or deletion of the Personal Data transferred.
- The Exporter shall be accountable for compliance with its own legal obligations and shall indemnify the Importer for any and all damages caused to the Importer as a result of the Exporter’s failure to comply with its own legal obligations.
- GENERAL UNDERTAKINGS
- Each Party warrants, represents, and undertakes to the other Party that it has full capacity and authority to enter into and perform its obligations under and in accordance with this DPA.
- Each Party agrees to comply with all Applicable Data Protection Legislation in connection with the performance of its obligations under this DPA.
- In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
- FINAL PROVISIONS
- The Parties may, by written agreement, adopt or modify this DPA, or as required by the Applicable Data Protection Legislation. This does not preclude the Parties from adding or amending clauses, by written agreement, as appropriate for their commercial or business arrangements.
- Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Engage, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Engage’s and its Affiliates’ total liability for all claims from Client and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Client and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Client and/or to any Authorized Affiliate that is a contractual party to any such DPA.
- Engage may amend this DPA from time to time by posting a revised version on its website, available at https://www.engagetg.com/data-processing-addendum. If Engage makes any amendments negatively and materially affecting the rights or obligations of Client in this DPA, Engage shall notify the Client electronically in writing. Upon receiving notice of material changes to this DPA, to the extent that Client is negatively and materially impacted by such changes, Client shall have five (5) days to notify Engage in writing of its intention to terminate the Agreement, after which, Client will be deemed to have accepted the revised DPA. Client’s notification of its intention to terminate the Agreement as a result of material amendments to this DPA under this section shall include a specific description of how the changes materially and negatively impact Client. Engage shall terminate the Agreement and all Services at any time within sixty (60) days from the day of such written notice to Engage.
- This DPA is part of the Agreement concluded between the Parties.
- Termination or suspension of this DPA determines the impossibility to continue Personal Data Processing under this DPA, with serious consequences on the execution of the Agreement.
Annex I – DESCRIPTION OF PROCESSING
A. LIST OF PARTIES
The Client as mentioned in the Agreement
Activities relevant to the data transferred under these Clauses: The Data Exporter transfers the Personal Data and the Data Importer stores the Personal Data in order to execute the services provision Agreement concluded between the Data Exporter and the Importer.
Role (controller/processor): Controller
Name: Engage Technologies Group, Inc
Address: 3540 E Longwing Lane, Suite 300, Meridian, Idaho, 83646, United States
Data Protection Officer or Contact person: firstname.lastname@example.org
Activities relevant to the data transferred under these Clauses: The Data Importer receives the Personal Data from the Data Exporter and Processes it on behalf of the Data Exporter, in accordance with the instructions given by the latter.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The Data Subject category concerned by the transfers subject to this Agreement are Recipients (i.e., User’s recipients and other individuals about whom a User has given information or has otherwise interacted with a User via the service).
Categories of personal data transferred: Identification data (internal Engage ID); Contact information (first name, last name); Contact data (phone number); Medical information (appointment type, appointment date/time); Journey information (journey, event type, event date, event id, episode name, language, video id, video name, video length, video time watched, video time watched percentage, call to action).
Sensitive data transferred: Sensitive data is processed as part of the Service only through the API Kit integration method. If the Data Exporter chooses to use this method of integration, appointment type and appointment date/time are processed by the Data Importer.
The frequency of the transfer: Data transfers take place on a continuous basis, in accordance with the nature of the service agreement.
Nature of the processing: The Processing is based on the commercial relationship according to the Agreement concluded between the Data Exporter and Data Importer and refers to collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction of personal data.
Purpose(s) of the data transfer and further processing: The main purpose for the processing of Personal Data is the execution of the service Agreement concluded between the Data Exporter and the Data Importer, whose subject matter is giving access to journey and providing statistics regarding the Data Exporter’s Recipients.
The specific purposes for the processing of Personal Data are:
- Sending text messages to the Recipients with links for the journey(ies)
- Tracking the Recipients’ behaviour during the journey(ies)
- Providing statistical reports on Recipients’ platform usage
The period for which the personal data will be retained: Personal Data Processed under this Agreement shall be processed by the Data Importer only during the execution of the Agreement with the Client.
Transfers to sub-processors: The Importer may transfer the Personal Data subject to this DPA or make it available for its providers only for or in accordance with the purposes of the transfer, limiting the access to what is strictly necessary for the provision of the Services and only for the period of time when the Services are provided.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be determined in accordance with the Applicable Data Protection Legislation where the Data Subjects are located.
Annex II – TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
- Measures of pseudonymization and encryption of personal data
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
- Measures for user identification and authorization
- Measures for the protection of data during transmission
- Measures for the protection of data during storage
- Measures for ensuring the physical security of locations at which personal data are processed
- Measures for ensuring event logging
- Measures for ensuring system configuration, including the default configuration
- Measures for internal IT and IT security governance and management
- Measures for certification/assurance of processes and products
- Measures for ensuring data minimization
- Measures for ensuring data quality
- Measures for ensuring limited data retention
- Measures for ensuring accountability
- Measures for allowing data portability and ensuring erasure
Annex III – LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
- Name: Microsoft Azure
Web address: https://azure.microsoft.com
Description of processing: Hosting and infrastructure, cloud computing platforms and APIs.
- Name: Auth0
Web address: https://auth0.com
Description of processing: Authentication & authorization to the platform.
- Name: Twilio
Web address: https://www.twilio.com
Description of processing: Providing text messages with a one-time password.
- Name: Kaleyra
Web address: https://www.kaleyra.com
Description of processing: Text messaging aggregation.
- Name: Vibes
Web address: www.vibes.com
Description of processing: Text messaging aggregation.