Data Processing Addendum

Last Updated: 21 May 2018

Background

This Data Processing Addendum (the "DPA") is between Echobox and the Customer and is supplemental to the Agreement on www.echobox.com/terms.

In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

Definitions

Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following words and expressions shall have the following meanings unless the context otherwise requires:

  1. "Customer Personal Data" means the personal data described in ANNEX 1 and any other personal data that Echobox processes on behalf of Customer in connection with Echobox's provision of the Echobox Service;
  2. "Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data;
  3. "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
  4. "Party" means each of the Customer and Echobox;
  5. "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data; and
  6. "Subprocessor" means any Processor engaged by Echobox who agrees to receive from Echobox Customer Personal Data.

The terms "personal data", "Controller", "Processor", "Data Subject", "Process" and "Supervisory Authority" shall have the same meaning as set out in the GDPR.

Data Processing

Instructions for Data Processing. Echobox will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Echobox Service to the Customer, and (b) the Customer's written instructions, unless Processing is required by European Union or Member State law to which Echobox is subject, in which case Echobox shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data.

The Agreement (subject to any changes to the Echobox Service agreed between the Parties) and this DPA shall be the Customer's complete and final instructions to Echobox in relation to the processing of Customer Personal Data.

Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Echobox on additional instructions for Processing.

Transfer of Personal Data

Authorised Subprocessors. The Customer agrees that Echobox may use the service providers listed in ANNEX 3 as Subprocessors to Process Customer Personal Data.

The Customer agrees that Echobox may use subcontractors to fulfil its contractual obligations under the Agreement. Echobox shall notify the Customer from time to time of the identity of any Subprocessors it engages. If the Customer (acting reasonably) does not approve of a new Subprocessor, then without prejudice to any right to terminate the Agreement, the Customer may request that Echobox moves the Customer Personal Data to another Subprocessor and Echobox shall, within a reasonable time following receipt of such request, use all reasonable endeavours to ensure that the Subprocessor does not Process any of the Customer Personal Data.

Save as set out in paragraphs 4.1 and 4.2, Echobox shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without the prior written consent of Customer and unless Echobox enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on Echobox under this DPA.

Liability of Subprocessors. Echobox shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor approved by the Customer as if they were the acts and omissions of Echobox.

Prohibition on Transfers of Personal Data. To the extent that the Processing of Customer Personal Data by Echobox involves the export of such Personal Data to a country or territory outside the EEA, Echobox shall ensure that:

  1. the recipient, or the country or territory in which it Processes or accesses the Customer Personal Data, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Customer Personal Data as determined by the European Commission; or
  2. the transfer is based on the Standard Contractual Clauses or (where relevant) the U.S. – EU Privacy Shield, or another legally recognised transfer method. If there is any inconsistency between any of the provisions of the Standard Contractual Clauses and the provisions of the Agreement, the provisions of the Standard Contractual Clauses shall prevail.

Data Security, Audits and Security Notifications

Echobox Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Echobox shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in ANNEX 2 and any other measures reasonably required by the Customer from time to time to comply with applicable Data Protection Laws.

Upon request by the Customer, Echobox shall make available all information reasonably necessary to demonstrate compliance with this DPA.

Security Incident Notification. If Echobox or any Subprocessor becomes aware of a Security Incident, Echobox will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take reasonable steps to remedy any non-compliance with this DPA.

Echobox Employees and Personnel. Echobox shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.

Access Requests and Data Subject Rights

Data Subject Requests. Save as required (or where prohibited) under applicable law, Echobox shall notify Customer of any request received by Echobox or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.

Echobox shall provide Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Echobox Service.

Government Disclosure. Echobox shall notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

Assistance

Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Echobox shall provide the Customer with any information or assistance reasonably requested by the Customer for the purpose of complying with any of the Customer's obligations under applicable Data Protection Laws, including:

  1. using all reasonable endeavours to assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising Data Subject rights laid down in the GDPR; and
  2. providing reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the information available to Echobox.

Warranties, Indemnity, Liability

The Customer warrants to Echobox that it will collect and Process the Customer Personal Data in compliance with all applicable Data Protection Laws, and that it has obtained all necessary permissions from the data subjects to whom the Customer Personal Data relates to allow Echobox to lawfully Process the Customer Personal Data in accordance with the Agreement.

The Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Echobox against all costs, claims, damages and expenses incurred by Echobox or for which Echobox may become liable due to any failure by the Customer or the Users to comply with paragraph 8.1.

Clause 10 of the Agreement shall apply to Echobox's liability to the Customer under this DPA.

Duration and Termination

Deletion of data. If notified by the Customer in writing within 30 (thirty) days of the date of termination of the Agreement, and subject to paragraphs 9.2 and 9.3 below, Echobox shall, within 90 (ninety) days of the date of termination of the Agreement:

  1. return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by Customer to Echobox; and
  2. delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Echobox or any Subprocessors.

Subject to paragraph 9.3 below, Customer may in its absolute discretion notify Echobox in writing within 30 (thirty) days of the date of termination of the Agreement to require Echobox to delete and procure the deletion of all copies of Customer Personal Data Processed by Echobox. Echobox shall, within 90 (ninety) days of the date of termination of the Agreement:

  1. comply with any such written request; and
  2. use all reasonable endeavours to procure that its Subprocessors delete all Customer Personal Data Processed by such Subprocessors,

and, where this paragraph 9.2 applies, Echobox shall not be required to provide a copy of the Customer Personal Data to Customer.

Echobox and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Echobox shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.



Annex 1: Details of the Processing of Customer Personal Data

This ANNEX 1 includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.

Subject matter and duration of the Processing of Customer Personal Data

The subject matter of the Processing is the provision of the Echobox Service.

The duration of the Processing is the Term, subject to paragraph 9 above.

The nature and purpose of the Processing of Customer Personal Data

The Processing of Customer Personal Data is carried out in connection with Echobox's access to the Customer Personal Data for the purpose of providing the Echobox Service to the Customer.

The types of Customer Personal Data to be processed

Users' name, profile photo, email address, IP address, activity log, password and contact information.

The categories of data subject to whom the Customer Personal Data relates

Users and any other Data Subjects whose Personal Data the Customer collects and gives Echobox access to in connection with the receipt of the Echobox Service.

The obligations and rights of the Customer

The obligations and rights of the Customer are as set out in this DPA.



Annex 2: Technical and Organisational Security Measures

1. The Processor Party maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:

  1. secure any Personal Data Processed by the Processor Party against accidental or unlawful loss, access or disclosure;
  2. identify reasonably foreseeable and internal risks to security and unauthorised access to the Personal Data Processed by the Processor Party;
  3. minimise security risks, including through risk assessment and regular testing.

2. The Processor Party will, and will use reasonable efforts to procure that its Subprocessors, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and their policies and procedures.

3. The Processor Party will, and will use reasonable efforts to procure that its Subprocessors, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or to findings generated by the periodic reviews.



Annex 3: Approved Subprocessors

- Amazon Web Services, Inc

- Loggly, Inc

- Mixpanel, Inc

- Salesforce.com, Inc

- Elastic, Inc (trading as Close.io)

- Hotjar Ltd

- Facebook Ireland Ltd

- Facebook, Inc

- Wootric, Inc

- Atlassian Pty Ltd (trading as "statuspage.io")

- Xero Limited

- Stripe Payments Europe, Ltd

- Twitter, Inc.

- LinkedIn Corp.

- Alphabet Inc.

- New Relic, Inc.

- Invoiced, Inc.