Capitalised terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalised terms used in this DPA shall be defined as follows:
means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement;
means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the Effective Date of this DPA;
“Customer Personal Data”
means the Personal Data processed by REVIEWS.io on behalf of Customer or Customer Affiliate in connection with the provision of the Services;
means the European Economic Area;
means Regulation (EU) 2016/679 (the “EU GDPR”
) or, where applicable, the “UK GDPR”
as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law;
means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;
“Personal Data” means any information relating to an identified or identifiable individual or device, or is otherwise “personal data,” “personal information,” “personally identifiable information” and similar terms, and such terms shall have the same meaning as defined by applicable data protection laws;
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to (including unauthorised internal access to), Customer Personal Data;
“Standard Contractual Clauses”
means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914; and
means REVIEWS.io Affiliates and third-party processors appointed by REVIEWS.io to process Customer Personal Data.
The terms “controller”, “processor”, “data subject”, “process”, and “supervisory authority” shall have the same meaning as set out in the GDPR.
The terms “sell” and “service provider” shall have the same meaning as set out in the CCPA.
2. INTERACTION WITH THE AGREEMENT
This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Customer Personal Data.
With respect to Customer Affiliates, by entering into the Agreement Customer warrants it is duly authorised to enter into this DPA for and on behalf of any such Customer Affiliates and, subject to clause 2.3, each Customer Affiliate shall be bound by the terms of this DPA as if they were the Customer.
Customer warrants that it is duly mandated by any Customer Affiliates on whose behalf REVIEWS.io processes Customer Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Customer Affiliates, and to act on behalf of the Customer Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Customer Affiliates.
The Parties agree that any notice or communication sent by REVIEWS.io to Customer shall satisfy any obligation to send such notice or communication to a Customer Affiliate.
3. ROLE OF THE PARTIES
The Parties acknowledge and agree that:
(a) for the purposes of the GDPR, REVIEWS.io acts as “processor” or “sub-processor.” REVIEWS.io’s function as processor or sub-processor will be determined by the function of Customer:
(I) In general, Customer functions as a controller, whereas REVIEWS.io functions as a processor.
(II) In certain cases, Customer functions as a processor on behalf of Customer’s customers where Customer and Customer’s customer have concluded a data processing agreement in relation to the processing of Personal Data of Customer’s customers; and
(b) for the purposes of the CCPA, REVIEWS.io will act as a “service provider” in its performance of its obligations pursuant to the Agreement.
4. DETAILS OF DATA PROCESSING
The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Agreement and in Schedule 1.
Customer Personal Data will only be processed on behalf of and under the instructions of Customer and in accordance with applicable law. The Agreement and this DPA shall be Customer’s instructions for the processing of Customer Personal Data.
If Customer’s instructions will cause REVIEWS.io to process Customer Personal Data in violation of applicable law or outside the scope of the Agreement or the DPA, REVIEWS.io shall promptly inform Customer thereof, unless prohibited by applicable law (without prejudice to the SCCs).
REVIEWS.io is permitted to anonymise Customer Personal Data through a reliable state of the art anonymisation procedure and use such anonymised data for its own business purposes, including for research, development of new products and services, and security purposes.
REVIEWS.io may store and process Customer Personal Data anywhere REVIEWS.io or its Sub-processors maintain facilities, subject to clause 5 of this DPA.
Customer grants REVIEWS.io general authorisation to engage Sub-processors, subject to clause 5.2, from an agreed list, as well as REVIEWS.io’s current Sub-processors listed at https://www.reviews.io/front/third-party-processors
as of the Effective Date.
REVIEWS.io shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than REVIEWS.io’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
REVIEWS.io shall provide Customer with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to process Customer Personal Data (including any addition or replacement of any Sub-processors). Customer may object to REVIEWS.io’s use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs) by providing REVIEWS.io with written notice of the objection within ten (10) days after REVIEWS.io has provided notice to Customer of such proposed change (an “Objection”). In the event Customer objects to REVIEWS.io’s use of a new Sub-processor, Customer and REVIEWS.io will work together in good faith to find a mutually acceptable resolution to address such Objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such Objection period, REVIEWS.io may suspend the affected portion of the Services.
6. DATA SUBJECT RIGHTS REQUESTS
As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data (“Data Subject Request”).
REVIEWS.io will forward to Customer without undue delay any Data Subject Request received by REVIEWS.io or any Sub-processor from an individual in relation to their Customer Personal Data and may advise the individual to submit their request directly to Customer.
REVIEWS.io will (taking into account the nature of the processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfil its obligation under applicable law to respond to Data Subject Requests, including if applicable, Customer’s obligation to respond to requests for exercising the rights set out in the GDPR or CCPA. REVIEWS.io may charge Customer, and Customer shall reimburse REVIEWS.io, for any such assistance beyond providing self-service features included as part of the Services.
7. SECURITY AND AUDITS
REVIEWS.io will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Customer Personal Data, including, without limitation, protection against unauthorised or unlawful processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of Customer Personal Data) and against accidental loss, destruction, or damage of or to it.
REVIEWS.io will implement and maintain as a minimum standard the measures set out in Schedule 2. REVIEWS.io may update or modify the security measures set out in Schedule 2 from time to time, including (where applicable) following any review by REVIEWS.io of such measures in accordance with clause 8.6 of the SCCs, provided that such updates and/or modifications do not reduce the overall level of protection afforded to the Customer Personal Data by REVIEWS.io under this DPA.
Customer or its independent third-party auditor reasonably acceptable to REVIEWS.io (which shall not include any auditors who are not suitably qualified or independent or are a competitor of REVIEWS.io) may audit REVIEWS.io’s compliance with its obligations under this DPA up to once per year, or more frequently in the event a Security Incident has occurred or to the extent required by applicable data protection laws, including where mandated by Customer’s regulatory or governmental authority.
To request an audit, Customer must submit a detailed proposed audit plan to REVIEWS.io at least two weeks in advance of the proposed audit date. REVIEWS.io will review the proposed audit plan and work cooperatively with Customer to agree on a final audit plan. All such audits must be conducted during regular business hours, subject to the agreed final audit plan and REVIEWS.io’s health and safety or other relevant policies, and may not unreasonably interfere with REVIEWS.io business activities. Nothing in this clause 7.4 shall require REVIEWS.io to breach any duties of confidentiality.
If the requested audit scope is addressed in an ISO 27001 certification, SOC 2 Type 2 report or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and REVIEWS.io confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
Customer will promptly notify REVIEWS.io of any non-compliance discovered during the course of an audit and provide REVIEWS.io any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
Any audits are at Customer’s expense. Customer shall reimburse REVIEWS.io for any time expended by REVIEWS.io or its Sub-processors in connection with such audits.
REVIEWS.io shall audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with data protection law and the obligations set upon Sub-processors according to the data processing agreement concluded with them. Customer may request REVIEWS.io to conduct further audits only in the event reasonably justified, and in such cases REVIEWS.io will conduct further audits to the extent permissible.
8. SECURITY INCIDENTS
REVIEWS.io will promptly notify Customer in writing in the event of any breach of this DPA, applicable law or any instruction by Customer in connection with the processing of Customer Personal Data under this DPA. Without limiting the generality of the foregoing, REVIEWS.io shall notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in the investigation of any such Security Incident and any obligation of Customer under applicable law to make any notifications to individuals, supervisory authorities, governmental or other regulatory authority, or the public in respect of such Security Incident. REVIEWS.io shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. REVIEWS.io’s notification of or response to a Security Incident under this clause 8 will not be construed as an acknowledgement by REVIEWS.io of any fault or liability with respect to the Security Incident.
9. DELETION AND RETURN
REVIEWS.io shall, within 90 days of the date of termination or expiry of the Agreement, (a) if requested to do so by Customer within that period, return a copy of all Customer Personal Data or provide self-service functionality allowing Customer to do the same; and (b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by REVIEWS.io or any Sub-processors.
10. CONTRACT PERIOD
This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, REVIEWS.io’s deletion of all Customer Personal Data as described in this DPA.
11. STANDARD CONTRACTUAL CLAUSES
The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to REVIEWS.io (as data importer).
12. SUPPORT FOR CROSS-BORDER DATA TRANSFERS
REVIEWS.io will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. REVIEWS.io will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA”). REVIEWS.io further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Customer’s compliance with requirements imposed on the transfer of personal data to third countries. REVIEWS.io may charge Customer, and Customer shall reimburse REVIEWS.io, for any assistance provided by REVIEWS.io with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Customer.
13. CUSTOMER PERSONAL DATA SUBJECT TO THE UK AND SWISS DATA PROTECTION LAWS
To the extent that the processing of Customer Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 5 shall apply.
14. CUSTOMER PERSONAL DATA SUBJECT TO THE CCPA
If Customer or Customer Affiliates provide REVIEWS.io any Customer Personal Data that is “personal information” under the CCPA, REVIEWS.io will:
(a) act as a service provider with regard to such personal information;
(b) retain, use, and disclose such personal information solely for the purpose of performing the Services or as otherwise permitted under the CCPA;
(c) not sell Customer Personal Data to another business or third party. Notwithstanding the foregoing, disclosures to a third party in the context of a merger, acquisition, bankruptcy, or other transaction shall be permitted in accordance with the terms of the Agreement; and
(d) provide reasonable assistance to Customer in responding to requests from consumers pursuant to the CCPA with regard to their personal information, and in accordance with clause 6 of this DPA.14.2 REVIEWS.io certifies that it understands the foregoing obligations and shall comply with them for the duration of the Agreement and for as long as REVIEWS.io processes Customer Personal Data.