Convoso Services Agreement
Data Processing Addendum
This Data Processing Addendum (together with its Exhibits, “DPA”) is incorporated into the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Convoso may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and implementing regulations.
“Controller” or “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data. Customer is a Controller.
“Convoso Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Customer Data Incident” means the accidental or unlawful destruction, loss, alteration, unlawful disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Convoso or its Sub-processors of which Convoso becomes aware.
“Data Protection Laws and Regulations” or “DPLR” means all laws and regulations of the United States and its states, applicable to the Processing of Personal Data pursuant to the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates and that such Personal Data has been provided to Convoso by Customer.
“Data Subject Request” or “DSAR” means a request: (i) from a Data Subject to Customer, which is then sent by Customer to Convoso; (ii) is compliant in form and delivery method with DPLR; (iii) contains information sufficient for Customer to verify that the Data Subject is entitled to such rights and Customer has so verified; and (iv) for the purpose of exercising the Data Subject’s rights specified in the relevant DPLR.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), where for each (i) or (ii), such data is Customer Data.
“Processing” or “Process” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” or “Data Processor” means the entity that Processes Personal Data on behalf of the Controller, Processing according to the Agreement and Data Processing Laws. Convoso is the Processor for Personal Data provided by Customer for Convoso to Process.
“Security Measures” means the security measures applicable to the specific Convoso Services used by Customer.
“Services” means the performance by Convoso of its obligations and use of its rights, as each is specified in the Agreement.
“Sub-processor” means any Processor engaged by Convoso or by Customer.
- Processing Personal Data
(a) Role of Customer as Controller and Convoso as Processor. The Parties agree and acknowledge that (i) Customer is the Controller, and Convoso is the Processor as to Personal Data provided by or on behalf of Customer that Convoso Processes and (ii) Convoso, as Processor, might engage Sub-processors.
(b) Processing of Personal Data. Customer shall provide notice to Data Subjects as to the use of Convoso as Processor when required by DPLR. Customer’s instructions for the Processing of Personal Data shall comply with DPLR and the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges that its use of the Convoso Services will not violate the rights of any Data Subject that has exercised its rights under Data Processing Laws.
(c) Convoso Processing of Personal Data. Convoso shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions only for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented lawful and reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Customer confirms that the Processing that Customer, as Controller, directs Convoso, as Processor, to Process is for limited and specified business purposes under DPLR. In particular, Convoso does not and shall not retain, use, disclose or otherwise Process Personal Data for any purpose other than for business purposes under the Agreement or as otherwise permitted under the CCPA.
(d) Details of the Processing. The subject-matter of Processing of Personal Data by Convoso is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit 1 to this DPA. Convoso does not sell or share, as those terms are defined in the DPLR, the Personal Data and Convoso’s agreements with Sub-processors shall include a similar provision.
(e) Certification. Convoso certifies that it understands these contractual restrictions and will comply with them.
- Rights of Data Subjects. It is Customer’s responsibility to: (i) verify that the Data Subject possesses the rights claimed in each DSAR; (ii) if the Data Subject possesses such rights, inform Convoso of such facts; (iii) respond to each DSAR and take the actions that Customer determines are to be taken in the response, including, without limitation, altering, copying or removing the Personal Data from databases it controls and that are used by Customer’s Users and from its own databases not used with the Convoso Services. If Convoso receives a DSAR with the verification specified above, then it shall follow the instructions of the Customer as to any further actions Convoso must take to the extent that Convoso possesses any such Personal Data and to direct its Sub-processors to do the same. Convoso shall, to the extent legally required, promptly notify Customer if Convoso receives a DSAR by reasonably convenient means provided by the Customer. Convoso can, but is not obligated to, respond to a Data Subject Request itself, except that Convoso has the right to inform the sender of the DSAR as to Convoso’s actions and that Customer authorizes Convoso to redirect the DSAR as necessary. To the extent legally permitted, Customer shall be responsible for any costs arising from Convoso’s provision of such assistance.
- Convoso Personnel
(a) Training and Personnel. Convoso shall ensure that its personnel engaged in the Processing of Personal Data have received appropriate training on their responsibilities. Convoso shall take commercially reasonable steps to ensure the reliability of any Convoso personnel engaged in the Processing of Personal Data. Convoso shall ensure that Convoso’s access to Personal Data is limited to those trained and reliable personnel developing, marketing or selling and maintaining the Convoso Services. Convoso has appointed a data protection officer. The appointed person may be reached at privacy@Convoso.com.
(a) Appointment of Sub-processors. Customer acknowledges and agrees that (i) Convoso Affiliates may be retained as Sub-processors; and (ii) Convoso and Convoso Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Convoso or a Convoso Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Schedule with respect to the protection of Personal Data to the extent applicable to the nature of the services provided by such Sub-processor.
(b) List of Current Sub-processors and Notification of New Sub-processors. Convoso shall make available to Customer, upon request, the current list of Sub-processors for the Convoso Services used by Convoso. Such Sub-processor lists shall include the identities of those Sub-processors, a summary of their processing activities and their country or countries of operation relevant to Processing, if requested by Customer. Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data. At Customer’s request (email being acceptable) Convoso shall provide email notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the relevant Services.
(c) Objection Right for New Sub-processors. Customer may object to Convoso’s use of a new Sub-processor by notifying Convoso promptly in writing at privacy@Convoso.com within thirty (30) days after receipt of Convoso’s notice in accordance with the mechanism set out above. Customer’s objection shall be reasonable and the notice to Convoso shall provide in sufficient detail the reasons for such objection. If Customer thusly objects to a new Sub-processor, Convoso will use reasonable efforts to make available to Customer a change in the Services, recommend a commercially reasonable change to Customer’s configuration, obtain another Sub-processor or recommend use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer.
(d) Liability. Convoso shall be liable for the acts and omissions of its Sub-processors to the same extent Convoso would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
(a) Controls for the Protection of Customer Data. Convoso hereby certifies that it shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unlawful disclosure of, or access to, Personal Data) and integrity of Personal Data subject to the provisions elsewhere in this Agreement. Convoso regularly monitors compliance with these measures. Convoso will not materially decrease the overall security of the Convoso Services during a subscription term.
(b) Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to a written confidentiality agreement, Convoso shall make available to Customer that is not a competitor of Convoso (or Customer’s independent, third-party auditor that is not a competitor of Convoso) a copy of Convoso’s then most recent third-party audits or certifications, as applicable (including ISO 27001).
(c) Data Protection Impact Assessment. Upon Customer’s request, Convoso shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under DPLR to carry out a data protection impact assessment related to Customer’s use of the Convoso Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is reasonably available to Convoso.
- Personal Data Incident Management. Convoso maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of a Personal Data Incident. Convoso shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Convoso deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Convoso’s reasonable control. The obligations herein shall not apply to incidents that Convoso believes are caused, directly or indirectly, by Customer or Customer’s Users.
- Return and Deletion of Personal Data. Convoso shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data, in each case in accordance with the procedures and timeframes specified in the Agreement.
- Authorized Affiliates. Customer’s Affiliates must have their own written agreements with Convoso. To the extent that Customer shares or otherwise Processes Personal Data with its Affiliates, or one or more of its Affiliates Processes Personal Data, then Customer shall be fully responsible for all such activities and Convoso shall have no liability whatsoever.
- Limitation of Liability. Convoso’s liability, and the liability of Convoso Affiliates, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the liability limitations set forth in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to Convoso to perform the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Customer, Authorized Agents and Customer’s and Authorized Agents’ customers or persons to whom Communications are directed (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
Categories of personal data transferred
- Customer’s users authorized by Customer to use the Software Services
- Title, position, employer, contact information
- Contact information
- Order data
- Professional life data
- Personal life data
- Connection data
- Localization data
- Payment data
- Business requirements
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Nature of the processing
- Convoso will Process Personal Data as necessary to perform the Services and as further instructed by Customer in its use of the Services, provided that such instructions are consistent with the Agreement.
Purpose(s) of the data transfer and further processing
- The objective of Processing of Personal Data by data importer is the performance of Services pursuant to the Agreement.
The duration of the processing
- Subject to Section 8 of the DPA, Convoso will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Personal Data will be retained for the length of the Agreement, or in accordance with applicable Data Privacy Laws.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Sub-processors shall Process Personal Data for purposes of assisting Convoso in providing the Services to Customer under the Agreement and shall continue to process Personal Data for the length of the applicable agreement governing provision of the Services or as otherwise required under applicable Data Privacy Laws.