Data Processing Addendum
Between: IntelePeer LLC, hereafter “Data Processor”;
And: __________________________, hereafter “Data Controller”.
This Data Processing Addendum, including its Schedules and Appendices, (“DPA”) is incorporated by reference into the Terms of Service (“Terms”) between Data Processor and Data Controller (collectively “Parties”) for the purchase of services (the “Services”) and reflects the terms governing the Processing of Personal Data pursuant to the Applicable Data Protection Laws. By clicking [I ACCEPT] provided, you acknowledge that you have the authority to bind your company (“Data Controller”) to this DPA with IntelePeer, LLC (“Data Processor”), and agree to review and accept this DPA on behalf of your company with regard to use of the IntelePeer Communications Platform as a Service (“CPaaS” and “Services”). PLEASE REVIEW THIS DPA CAREFULLY. YOUR ACCEPTANCE OF THIS DPA BECOMES A BINDING LEGAL CONTRACT BETWEEN YOUR COMPANY AND INTELEPEER. IF YOU DO NOT AGREE FOR YOUR COMPANY TO BE BOUND BY THIS DPA, YOU SHOULD NOT CLICK THE [I ACCEPT] OR USE THE INTELEPEER SERVICES.
- Data Controller is a Controller or Processor of certain Personal Data and wishes to appoint Data Processor as a Processor or Sub-Processor to Process this Personal Data on behalf of the Data Controller.
- In the course of providing the Services to Data Controller pursuant to the Terms, Data Processor may Process Personal Data on behalf of Data Controller. The Parties entered into this DPA to ensure that Data Processor conducts such data Processing in accordance with the following provisions, the Data Controller’s instructions and Applicable Data Protection Laws, each acting reasonably and in good faith, with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be Processed.
- By signing the Terms, each Party enters into this DPA on behalf of itself and any Affiliate performing under the Terms; therefore, for the purposes of this DPA, the terms “Data Controller” and “Data Processor” will apply to any such Affiliates who provide or receive Personal Data.
In this DPA, the following terms will have the following meanings. Other capitalized terms used in this DPA will have the meanings given such terms in the Terms.
“Applicable Data Protection Law” will mean the Regulation 2016/679 (“GDPR”) of the European Union (“EU”), along with any amendments or successor legislation, or any other applicable data protection law.
“Privacy Shield” means the EU-US Privacy Shield and Swiss-US Privacy Shield self-certification programs operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016) 4176 of July 12, 2016.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Supervisory Authority” will have the meanings given in Applicable Data Protection Law.
- Data Controller Instructions. Data Controller appoints Data Processor as such to Process the Personal Data, and transfer Personal Data to any country or territory, as reasonably necessary for the provision of Services pursuant to the Terms. Accordingly, the Parties acknowledge and agree that with regard to the Processing of Personal Data, Data Controller is the Controller and Data Processor is the Processor. Each Party will comply with the obligations that apply under Applicable Data Protection Law and these Terms. Except as mutually agreed otherwise by Data Processor and Data Controller in writing, the terms of any other applicable data processing terms between the Parties will be read to be consistent with this DPA for any Personal Data, and in the event of conflict the DPA will govern with regard to Personal Data. Data Controller also agrees to properly configure the Services and associated features and functionality to maintain the appropriate security. In the event of a change in control, either Party’s successor to whom the Terms transfers will automatically assume all rights and obligations set forth in this Addendum. All requests, questions or complaints for IntelePeer or our appointed officer related to this DPA must be submitted to firstname.lastname@example.org.
- Purpose Limitation. Data Controller hereby instructs Data Processor to Process Personal Data and to transfer Personal Data to any country or territory as necessary for the provision of the Services and consistent with the instructions set forth in these Terms, as well as the use and configuration of the Services and their features by Data Controller and its authorized users. As between the Parties, Data Controller will have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which Data Controller acquires the Personal Data. Data Processor will Process the Personal Data as a Processor only as necessary to perform its obligations under the Terms and in accordance with the documented instructions of Data Controller (the “Permitted Purpose”) contained in Annex 1, except where otherwise required by any EU (or any EU Member State) law applicable to Data Processor, in which case Data Processor will to the extent permitted by Applicable Data Protection Law inform Data Controller of that legal requirement before the relevant Processing of that Personal Data. In no event will Data Processor Process the Personal Data for its own purposes, for those of any third party, or for any other purpose than as set forth in the Terms.
- Details of the Processing. Annex 1 to this DPA sets out the documented instructions for the Data Processor’s Processing of the Personal Data as required by Article 28(3) of the GDPR, as updated by the Parties from time to time. Any Processing unrelated to the provision of Service as set forth in Annex 1 may require additional consents. Either Party may make reasonable modifications to Annex 1 by written notice to the other Party from time to time as such Party reasonably considers necessary to meet those requirements; provided that nothing in Annex 1 (including as amended pursuant to this Section 3) confers any additional rights or imposes any additional obligations on any Party beyond those set forth in this For avoidance of doubt, if there are other data controllers for the Personal Data, Data Controller will inform Data Processor prior to providing any of their Personal Data.
- Rights of the Data Subjects. Data Controller acknowledges that Data Processor has no direct relationship with its users whose Personal Data may be Processed by Data Processor in connection with Data Controller’s use of the Services, and agrees to be solely responsible for providing its users adequate notices and ensuring that appropriate legal grounds are relied on pursuant to the Applicable Data Protection Law. To the extent self-service features are not available to sufficiently enable Data Controller to comply with a request, Data Processor will implement appropriate technical and organizational measures, in a reasonable and timely manner to Data Controller, to enable Data Controller to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Data Processor, Data Processor will promptly inform Data Controller. As allowed by law, Data Controller will be responsible for any reasonable costs arising from provision of the assistance by Data Processor or its Sub-Processors described in this
- Confidentiality of Processing. The Parties agree that Personal Data will be treated as Confidential Information under the Terms. Data Processor will ensure that any person that it authorizes to Process the Personal Data (including Data Processor’s staff, agents and subcontractors) (an “Authorized Person”): (i) will be appropriately informed and trained on the requirements of the Processing per this DPA; (ii) will be subject to confidentiality obligations no less stringent than those set forth herein; (iii) will have access to the Personal Data and Process the Personal Data only as necessary for the Permitted Purpose; and (iv) will not permit any person to Process the Personal Data who does not meet the aforementioned criteria.
- Sub-processing. Data Controller hereby specifically authorizes the engagement of Data Processor’s affiliates and underlying providers as “Sub-Processors”, pursuant to the terms of this Section. Any third party that processes Personal Information of EU residents that constitutes Personal Data as defined in the GDPR, along with any amendments or successor legislation, is a “Sub-Processor”. By using our Services, you specifically consent to our engagement of the Sub-Processors set forth at www.intelepeer.com/privacy/subprocessor-list (“Sub-Processor List”) to process the Personal Data you provided, as long as we: (i) ensure that Sub-Processors are capable of providing the level of protections set forth herein; (ii) impose data protection terms on any Sub-Processor we appoint that protect the Personal Data to a standard no less stringent than provided for by this Addendum to the extent applicable to the nature of the services provided by such Sub-Processor; (iii) maintain our Sub-Processor List; and (iv) remain fully liable for any breach of this Addendum caused by an act, error or omission of our Sub-Processor. You may object to our appointment or replacement of a third party Sub-Processor, provided such objection is submitted within thirty (30) days of such Sub-Processor being added to the Sub-Processor List on reasonable grounds relating to the protection of the Personal Data. In such event, we will either not appoint or replace the Sub-Processor or, if this is not possible, you may suspend or terminate the impacted Services without liability. If you have not objected to a Sub-Processor on the Sub-Processor List within this timeframe, you will be deemed to have consented to the Sub-Processor and to have waived any right to dispute the use of such Sub-Processor. Under no circumstances will you directly communicate with our Sub-Processors about the Services, unless agreed to by IntelePeer in writing.
You also acknowledge that, in order to send your communications using the Services, IntelePeer may need to transmit your communications through existing telecommunications networks, operated by companies bound to comply with applicable telecommunications and privacy laws, but who may not have any direct contracts with either Party. You hereby instruct IntelePeer to transmit the communications through existing telecommunications networks as necessary to provide the Services and acknowledge and agree that such telecommunications networks are not considered Sub-Processors under this Addendum.
- Data Protection Impact Assessment. If Data Processor believes or becomes aware that its Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it will promptly inform Data Controller and provide Data Controller with all such reasonable and timely assistance as Data Controller may require in order to conduct its data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- Security Incidents. Upon becoming aware of a Security Incident including any personal data breach as defined in Article 4(12) of the GDPR, Data Processor will inform Data Controller without undue delay. If Data Controller determines that a Security Incident requires notification to a Supervisory Authority or Data Subjects pursuant to the Applicable Data Protection Law, before any notification is made, Data Controller will notify Data Processor, supply written documentation of any such notification that directly or indirectly references Data Processor, and reflect any clarifications or corrections Data Processor requests which are consistent with the Applicable Data Protection Law.
- Audit. Upon written request from Data Controller, Data Processor will provide the summary report for any audit Data Processor has conducted in the prior twelve (12) month period, will permit a mutually agreed-upon third party auditor (“Auditor”) to audit Data Processor’s compliance with this DPA, and will make available to such Auditor all information, systems and staff necessary for the Auditor to conduct such audit. Data Processor acknowledges that the Auditor may enter its premises for the purposes of conducting this audit, provided that Data Controller provides reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Data Processor’s operations. Except in the event of a Security Incident, all costs associated with any such audit will be borne by Data Controller. Data Controller will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) if Data Controller reasonably believes a further audit is necessary due to a Security Incident suffered by Data Processor.
- Sub-Processor Audits. Data Controller agrees that its requests to audit Sub-Processors may be satisfied by up-to-date attestations, reports or extracts from Data Processor, Sub-Processor(s), and their independent bodies, including without limitation external or internal auditors, data protection officers, the IT security department, data protection or quality auditors, or other mutually agreed to third parties, or other certification from an IT security or data protection audit. Onsite audits at Sub-Processors’ premises may be performed by Data Processor or a mutually agreed to auditor under a confidentiality agreement acting on behalf of Data Controller.
- International Data Transfers.
12.1 Data Controller acknowledges that, as of the execution date of this Addendum, Data Processor processes some of the Personal Data submitted in the EU, and transfers other portions to its systems in the United States pursuant to this Section. Otherwise, Data Processor will not transfer the Personal Data (nor permit the Personal Data to be transferred) outside of the European Economic Area (“EEA”) unless it (i) has first obtained additional prior written consent from Data Controller; and (ii) takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include, without limitation, transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, to a recipient in the United States that has certified its compliance with Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
12.2 The Parties further agree that the Privacy Shield framework will be the lawful transfer mechanism of Personal Data from the EEA to the United States. Data Processor hereby represents that it is self-certified to the Privacy Shield. Data Processor will provide at least the same level of protection for the Personal Data as is required under the Privacy Shield and will promptly notify Data Controller if it makes a determination that it can no longer provide this level of protection. In such event, or if Data Controller otherwise reasonably believes that Data Processor is not protecting the Personal Data to the standard required under the Privacy Shield, Data Controller may either: (i) instruct Data Processor to take reasonable and appropriate steps to remediate any unauthorized Processing, in which event Data Processor will promptly cooperate with Data Controller in good faith to identify, agree and implement such steps; or (ii) terminate this DPA and Terms without liability by giving notice to Data Processor.
12.3 Data Processor also acknowledges that Data Controller may disclose this DPA and any relevant privacy provisions in the Terms to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure will not be deemed a breach of confidentiality.
- Limitation of Liability. Any liability of the Parties related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Terms, and any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Terms and this DPA. For the avoidance of doubt, the total liability of the Data Processor for all claims from the Data Controller related to the Terms and this DPA will apply in the aggregate for all claims under both the Terms and this DPA, and will not be understood to apply individually and severally to the Party and any Affiliate that is a contractual Party to any such DPA.
- Change in Law. To the extent that either Party becomes aware of any changes in Applicable Data Protection Law, that Party will promptly notify the other Party. The Parties agree to commence good faith negotiations to reflect those variations as soon as reasonably practicable.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the Processing of Data Controller Personal Data as required by Article 28(3) of the GDPR.
Duration of the Processing:
Data Processor will Process Data Controller Personal Data in accordance with its data retention policy, and as necessary to perform the Services pursuant to the Terms for so long as the Terms is in place.
Nature and Purpose of the Processing:
Data Processor provides Services to Data Controller as set forth in the Terms. The scope of the Services may involve Processing of Personal Data by Data Processor to deliver, maintain, monitor and improve those Services in compliance with the terms of the Terms and this DPA. Specifically, the purposes for making Personal Data available to Data Processor may relate to: (i) the provision of Service; (ii) the detection, prevention and resolution of security, fraud and technical issues; (iii) responses to support requests; (iv) the compliance with applicable laws relating to the Services; (v) the evaluation, support and enhancements of the performance and efficiency of the Services; (vi) the protection of the rights, property and safety of Data Controller, Data Processor, their users, customers or other related third parties; and (vii) any incidental analysis of the Services for the benefit of all customers provided that there is no adverse impact on the level of protection of any Personal Data. The nature of the Processing activities includes (i) the provision of cloud communications services and software, primarily offered in the form of APIs or dedicated circuits, to and from other communications networks or storage facilities; (ii) identifying and resolving service performance issues; (iii) providing analytics and reporting; (iv) generating invoices and managing billing inquiries; and (v) managing our systems.
Types of Personal Data to be Processed:
Data Controller may provide Data Processor, or allow Data Processor access to, Personal Data associated with Data Controller’s channel partners, employees and customers, which Personal Data may include, but is not limited to, the following categories of Personal Data: names, addresses, phone numbers, email addresses, instant messaging user name, company details, titles, billing information, business information, user names, passwords, authentication data, and other Personal Data or information that Data Controller decides to provide to Data Processor by or through the Services or any other means or mechanisms. Such information may include data used to trace and identify the source and destination of a communication, the location of the device generating the communication, the date, time, duration and type of communication, and content of the communication, such as texts, message bodies, voice and video media, images, and sound, containing or creating such data.
Categories of Data Subjects:
Data Controller may provide Data Processor, or allow Data Processor access to, Personal Data, associated with the following categories of Data Subjects:
- Channel partners, customers, prospects, business partners and vendors of Data Controller who are natural persons;
- Employees, agents, advisors, subcontractors or contact persons of Data Controller’s channel partners, customers, prospects, business partners and vendors;
- Employees, agents, advisors, and subcontractors of Data Controller who are natural persons; and
- Other authorized users of the Services who are natural
Special Categories of Data:
Data Processor does not intentionally collect or process any special categories of data in the provision of its products and services. However, special categories of data may from time to time be inadvertently processed by Data Processor where the Data Controller or its users choose to include this type of data within the communications transmitted using Data Processor’s products and services. As such, the Data Controller is solely responsible for ensuring the legality of any special categories of data it or its users choose to process using Data Processor’s products and services.
Additional Data Controllers: Data Processor acknowledges that information may also be obtained from the following Additional Data Controllers (if not applicable, please so state):