Data Processing Addendum
Background
This Data Processing Addendum (the "DPA") is between Echobox and the Customer and is supplemental to, and forms part of the agreement between the parties on the terms set out at echobox.com/terms (the "Agreement").
In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
Definitions
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following words and expressions shall have the following meanings unless the context otherwise requires:
- "Customer Personal Data" means any personal data contained within the Customer Data, including: (a) with respect to Users, their name, email address, IP address, activity log; (b) if the Customer has purchased any Campaigns, with respect to end users of the Customer's service, subscribers to the Customer's newsletters and individuals interacting with the Customer's Properties, Facebook Pages, Instagram Pages, LinkedIn Pages, Twitter Pages and Campaigns: their email address and information about how they interact with those Properties, Facebook Pages, Instagram Pages, LinkedIn Pages, Twitter Pages and Campaigns, including content they have read, liked or to which they have subscribed;
- "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
- "Subprocessor" means any Processor engaged by Echobox who agrees to receive from Echobox Customer Personal Data.
The terms "personal data", "controller", "processor", "data subject", "process", "personal data breach" and "supervisory authority" shall have the same meaning as set out in the GDPR.
Data Processing
Echobox will only process Customer Personal Data in accordance with the Customer's written instructions unless processing is required by European Union law, Member State law, or law applicable in the UK to which Echobox is subject, in which case Echobox shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before processing that Customer Personal Data.
The Parties agree that the Agreement (subject to any changes to the Echobox Service agreed between the parties) and this DPA shall be the Customer's instructions to Echobox in relation to the processing of Customer Personal Data.
To the extent that any of the Customer's instructions require processing of Customer Personal Data in a manner that falls outside the scope and functionalities of the Echobox Service, Echobox may:
- make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by Echobox or such additional charges as Echobox may reasonably determine; or
- terminate the Agreement and the Customer's access to the Echobox Service.
Echobox shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
Subprocessors
The Customer grants Echobox general authorisation to appoint Subprocessors from the list of service providers in ANNEX 1.
Echobox shall enter into a written agreement with each Subprocessor which imposes the same obligations on the Subprocessor with regard to its processing of Customer Personal Data as are imposed on Echobox under this DPA.
Echobox shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor approved by the Customer as if they were the acts and omissions of Echobox.
Echobox shall provide the Customer with reasonable notice of any proposed changes to the Subprocessors it uses to process Customer Personal Data (including any addition or replacement of any Subprocessors).
If the Customer objects to Echobox's use of a new Subprocessor, it shall provide Echobox with:
- written notice of the objection within seven (7) days after Echobox has provided notice to the Customer as described in paragraph 4.4; and
- documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA, (an "Objection").
In the event of an Objection, Echobox will use reasonable endeavours to make available to the Customer a change in the Echobox Service to prevent the applicable Subprocessor from processing the Customer Personal Data.
If Echobox is unable to make available such a change in accordance with paragraph 4.6 within a reasonable period of time, which shall not exceed forty-five (45) days, either party may terminate the Agreement by providing not less than thirty (30) days' written notice to the other party, and Echobox shall refund the Customer any Service Fees pre-paid by the Customer relating to the unexpired period of the Initial Term or Renewal Term (as applicable).
International Transfers of Personal Data
Echobox shall not transfer any Customer Personal Data to a recipient in a country or territory outside the UK unless:
- the recipient, or the country or territory in which it processes or accesses the Customer Personal Data, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Customer Personal Data as set out in the UK Data Protection Act 2018 or regulations made by the UK Secretary of State under the Data Protection Act 2018; or
- the transfer is based on: (i) the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593; or (ii) the appropriate module of the Standard Contractual Clauses annexed to Commission Implementing Decision C/2021/3972, in each case as amended and approved by the ICO for use in respect of transfers subject to the UK GDPR; or
- the transfer is: (i) based on any other transfer mechanism approved by the ICO; or (ii) otherwise lawful under the GDPR.
Data Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Echobox shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures set out in Article 32(1) of the GDPR.
Audit
The Customer may audit (by itself or using independent third-party auditors) Echobox's compliance with the security measures set out in this DPA, including by conducting audits of Echobox's (and Subprocessors') data processing facilities in accordance with this paragraph 7.
Echobox shall assist with, and contribute to, any audits conducted in accordance with this paragraph 7.1, provided that:
- the parties shall, prior to any audit, agree on the scope of the audit and any reasonable limitations or conditions applicable to such audit in addition to those set out in this paragraph 7.2;
- all such audits shall be conducted: (i) on reasonable written notice to Echobox; (ii) only during Echobox's normal business hours; (iii) in a manner that does not disrupt Echobox's business; (iv) by a third-party independent auditor agreed by the parties in advance;
- the auditor appointed in accordance with paragraph 7.2(b)(iv) shall: (i) enter into a confidentiality agreement with Echobox prior to conducting the audit in such form as Echobox may request; and (ii) ensure that its personnel comply with Echobox's and any Subprocessor's policies and procedures when attending Echobox's or Subprocessors' premises, as notified to the Customer by Echobox or the Subprocessor.
Security Incidents
If Echobox or any Subprocessor becomes aware of a personal data breach Echobox will:
- notify the Customer of the personal data breach without undue delay;
- investigate the personal data breach and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the personal data breach; and
- take reasonable steps to remedy any non-compliance with this DPA.
Access Requests and Data Subject Rights
Except where required or prohibited by applicable law, Echobox shall notify the Customer of any request received by Echobox or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
Echobox shall, where possible, and taking into account the nature of the processing:
- provide the Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Echobox Service; or
- promptly correct, delete, block or provide a copy of the Customer Personal Data processed by Echobox at the Customer's request.
Echobox shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
Information and Assistance
Upon request by the Customer, Echobox shall make available all information reasonably necessary to demonstrate compliance with this DPA.
Where applicable by virtue of Article 28(3)(h) of the GDPR, Echobox shall immediately inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Echobox shall:
- use all reasonable endeavours to assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising data subject rights laid down in the GDPR; and
- provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any supervisory authority of the Customer, in each case solely in relation to processing of Customer Personal Data and taking into account the information available to Echobox.
Costs
The Customer shall pay to Echobox on demand all costs and expenses incurred by Echobox in connection with:
- implementing any changes to the Echobox Service in accordance with paragraph 4.6;
- facilitating and contributing to any audits under paragraph 7.2;
- complying with any requests from the Customer received under paragraph 9.2(b); and
- providing any assistance and information to the Customer in accordance with paragraph 10.
Liability
Any exclusions or limitations of liability set out in the Agreement shall apply to any losses suffered by Echobox (whether in contract, tort (including negligence) or for restitution, or for breach of statutory duty or misrepresentation or otherwise) under this DPA.
Duration and Termination
Subject to the paragraph below, Echobox shall, within ninety (90) days of the date of termination of the Agreement and if requested to do so by the Customer:
- return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by Customer to Echobox; and
- delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Echobox or any Subprocessors.
Echobox and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Echobox shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Annex 1: Approved Subprocessors
- Alphabet Inc.
- Amazon Web Services, Inc.
- Atlassian Pty Ltd
- Cloudflare, Inc.
- Elastic, Inc. (trading as Close.io)
- DocuSign, Inc.
- Facebook, Inc.
- Facebook Ireland Ltd
- Functional Software, Inc. (trading as Sentry)
- G2 Crowd, Inc.
- Hotjar Ltd
- HubSpot, Inc.
- Invoiced, Inc.
- LinkedIn Corp.
- Loggly, Inc.
- Meta Platforms, Inc.
- Mixpanel, Inc.
- New Relic, Inc.
- Salesforce.com, Inc.
- Salesloft, Inc.
- Stripe Payments Europe, Ltd
- Twitter, Inc.
- Xero Limited
- Wootric, Inc.
- Zapier, Inc.
- Zoom Video Communications