This Data Processing Addendum (“Addendum”) applies to the agreement between CrowdRiff Inc. (“CrowdRiff”) and Customer (“Subscriber”) (collectively referred to as the “Parties”), and sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by CrowdRiff to Subscriber pursuant to the agreement entered into between the Parties (the “Master Agreement”).
1. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Applicable Law” means all applicable European Union (“EU”) or national laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the EU General Data Protection Regulation 2016/679 (“GDPR”), with effect from 25 May 2018, and EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications.
“Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
“Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.
“Data Security Measures” means technical and organisational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.
“Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.
“EEA” means the European Economic Area.
“Ex-EEA Sub-processor” means a natural or legal person subcontracted to provide any part of the Services that involves the Processing of Personal Data from a location outside the EEA.
“Instructions” means this Addendum and any further written agreement or documentation through which the Subscriber instructs CrowdRiff to perform specific Processing of Personal Data.
“Personal Data” means any information relating to an identified or identifiable natural person provided by Subscriber to the Services and Processed by CrowdRiff in accordance with Subscriber’s Instructions pursuant to this Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services offered by CrowdRiff and subscribed for by Subscriber under the Master Agreement.
“Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.
2. Roles and Responsibilities of the Parties
The Parties acknowledge and agree that, as between the parties, Subscriber is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and CrowdRiff is acting as a Data Processor on behalf and under the Instructions of Subscriber. Where Subscriber is processing Personal Data for a third party Data Controller, it is acknowledged that Subscriber is acting as Data Processor and CrowdRiff is acting as a Sub-Processor of Subscriber.
3. Obligations of Subscriber
The Subscriber is responsible for ensuring that the processing of Personal Data takes place in compliance with the Applicable Laws and this Addendum.
The Subscriber has the right and obligation to make decisions about the purposes and means of the processing of Personal Data.
The Subscriber shall be responsible for ensuring that the processing of Personal Data, which the Data Processor is instructed to perform, has a legal basis and, if such legal basis is consent, the Subscriber shall retain copies of all relevant consents.
4. Obligations of CrowdRiff
CrowdRiff agrees and warrants to:
(A) Process Personal Data disclosed to it by Subscriber only on behalf of and in accordance with the Instructions of Subscriber and Annex 1 of this Addendum, unless CrowdRiff is otherwise required by Applicable Law, in which case CrowdRiff shall inform Subscriber of that legal requirement before Processing the Personal Data, unless informing the Subscriber is prohibited by Applicable Law on important grounds of public interest. CrowdRiff shall immediately inform Subscriber if, in CrowdRiff’s opinion, an Instruction provided infringes Applicable Law.
(B) Ensure that any person authorised by CrowdRiff to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller.
(C) CrowdRiff stores and Processes all data, including Personal Data, in a European Union member-state, the US and/or Canada (as identified in Annex 2). CrowdRiff has and shall continue to enter into any written agreements as are necessary (in its reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from CrowdRiff.
(D) Notify Subscriber immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Subscriber shall have the right to defend such action in lieu of and on behalf of CrowdRiff. Subscriber may, if it so chooses, seek a protective order. CrowdRiff shall reasonably cooperate with Subscriber in such defense.
(E) Provide assistance to Subscriber in complying with Subscriber’s obligations relating to the security of Personal Data, data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to CrowdRiff.
(F) Maintain internal record(s) of Processing activities, copies of which shall be provided to Subscriber by CrowdRiff or to supervisory authorities upon request.
(G) Inform Subscriber about any actions of a data protection authority against CrowdRiff that could affect Subscriber’s Personal Data unless such notification is prohibited by Applicable Law.
5. Sub-Processing
(A) Subscriber acknowledges and agrees that (a) CrowdRiff Affiliates may be retained as Sub-processors; and (b) CrowdRiff and CrowdRiff Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. CrowdRiff or a CrowdRiff Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in the Agreement with respect to the protection of Subscriber Data to the extent applicable to the nature of the Services provided by such Sub-processor.
(B) CrowdRiff’s current list of Sub-processors for the Services identified is set out in Annex 2 attached hereto. Such Sub-processor lists shall include the identities of those Sub-processors and their country of location. CrowdRiff shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services by written notice to Subscriber.
(C) Subscriber may object to CrowdRiff’s use of a new Sub-processor by notifying CrowdRiff promptly in writing within thirty (30) days after receipt of CrowdRiff’s notice in accordance with the mechanism set out above. In the event Subscriber objects to a new Sub-processor, as permitted in the preceding sentence, CrowdRiff will use reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Subscriber. If CrowdRiff is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Subscriber may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by CrowdRiff without the use of the objected-to new Sub-processor by providing written notice to CrowdRiff. CrowdRiff will refund Subscriber any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Subscriber.
(D) CrowdRiff shall be liable for the acts and omissions of its Sub-processors to the same extent CrowdRiff would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. European Specific Provisions
(A) CrowdRiff will Process Personal Data in accordance with the GDPR requirements directly applicable to CrowdRiff’s provision of its Services.
(B) CrowdRiff shall provide reasonable assistance to Subscriber in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this DPA, to the extent required under the GDPR.
(C) CrowdRiff makes available the transfer mechanisms listed below which shall apply, as determined by CrowdRiff acting reasonably, to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations:
- CrowdRiff is based in Canada and avails of the European Commission decision approving data transfers to Canada pursuant to the 2002/2/EC Commission Decision of 20 December 2001. CrowdRiff may transfer and process Personal Data received from or on behalf of the Subscriber to third parties (which shall include without limitation any affiliates of CrowdRiff) with the authorization of the Subscriber. A list of such third parties is included at Annex 2. The Subscriber hereby authorises transfers to these third parties. Where such third party is located outside the European Economic Area, CrowdRiff shall, in advance of any such transfer, ensure that the transfer is permitted under the Applicable Law, which may include the use of the following transfer mechanisms:
- The requirement for CrowdRiff to execute or procure that the third-party Sub-processor executes Standard Contractual Clauses for transfers from Data Controllers to Data Processors approved by Commission Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. CrowdRiff will make the executed Standard Contractual Clauses available to the Subscriber on request.
- The requirement for the third party to be certified under a framework approved by the European Commission to facilitate such transfers; or
- The existence of any other specifically approved safeguard for data transfers (as recognized under the GDPR) and/or a European Commission finding of adequacy.
(D) CrowdRiff shall promptly notify the Subscriber of any planned permanent or temporary transfers of Personal Data to a third country and shall only perform such a transfer after obtaining authorisation from the Subscriber which may be refused at its own discretion.
(E) To the extent that the parties are relying on a specific statutory mechanism to allow for data transfer to third countries and that mechanism is subsequently modified, revoked or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
7. Compliance with Applicable Laws
(A) Each party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of the Services.
(B) Without limiting the above, (i) Subscriber – unless Subscriber is a Data Processor itself, in which case it shall require the Data Controller to assume such responsibility – is responsible for ensuring that it has a lawful basis for the processing of Personal Information in the manner contemplated by this Agreement, and has adequate record of such basis (whether directly or through another third party provider); and (ii) CrowdRiff is not responsible for determining the requirements of laws applicable to Subscriber’s business or that CrowdRiff’s provision of the Services meets the requirements of such laws. As between the parties, Subscriber is responsible for the lawfulness of the Processing of the Subscriber Personal Data. Subscriber will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.
(C) If a Data Subject brings a claim directly against CrowdRiff for a violation of their Data Subject rights in breach of Applicable Laws and such claim does not arise from a breach by CrowdRiff of the terms of this Addendum, Subscriber will indemnify CrowdRiff for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that CrowdRiff has notified Subscriber about the claim and given Subscriber the opportunity to cooperate with CrowdRiff in the defense and settlement of the claim. Subject to the terms of the Addendum, Subscriber may claim from CrowdRiff amounts paid to a Data Subject for a violation of their Data Subject rights caused by CrowdRiff’s breach of its obligations under GDPR.
8. Data Security
(A) CrowdRiff shall develop, maintain and implement a comprehensive written information security policy that complies with Applicable Law and good industry practice. CrowdRiff’s information security program shall include appropriate administrative, technical, physical, organisational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:
- The pseudonymisation and encryption of the Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted pursuant to this provision for ensuring the security of the Processing.
(B) CrowdRiff shall supervise CrowdRiff personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. CrowdRiff shall provide training, as appropriate, to all CrowdRiff personnel who have access to Personal Data.
(C) Promptly: (i) on written request of Subscriber; and (ii) following the expiration or earlier termination of the Master Agreement, CrowdRiff shall return to Subscriber or its designee, if so requested during such period, or if not so requested securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in CrowdRiff’s, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event applicable law does not permit CrowdRiff to comply with the delivery or destruction of the Personal Data, CrowdRiff warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this Addendum. It is acknowledged that deletions during the term of the Agreement may result in CrowdRiff being unable to perform all or part of the Services, and may result in additional costs where multiple requests for deletions impact on the delivery of the Service.
9. Data Subject Rights
(A) CrowdRiff shall take such technical and organisational measures as may be appropriate, and promptly provide such information to the Subscriber to enable the Subscriber to comply with:
- the rights of Data Subjects under the Data Protection Laws, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Subscriber by any supervisory authority under the Data Protection Laws.
(B) CrowdRiff shall promptly inform the Subscriber in the event of receiving a data subject access request and will advise the data subject of the request having been forwarded to the Data Controller. CrowdRiff shall not provide data subjects with access to their personal data nor will it engage directly with a data subject in relation to such requests, save for advising that their request has been forwarded to the Data Controller.
(C) CrowdRiff shall provide such co-operation and assistance as may be reasonably required to enable the Subscriber to deal with any subject access request or other data subject right in accordance with the provisions of the Data Protection Laws. In particular, CrowdRiff shall assist the Subscriber in the fulfillment of the Data Controller’s obligation to respond to requests exercising data subjects’ rights under Data Protection Laws.
(D) Data Protection Impact Assessments (DPIAs): CrowdRiff may be required to assist the Subscriber in undertaking a DPIA before any processing takes place that uses new technologies and (taking into account the nature, scope, context and purposes of the processing) is likely to result in a high risk (such as monitoring activities, systematic evaluations or processing special categories of data) to the Data Controller’s data.
10. Data Breach Notification
(A) CrowdRiff shall without undue delay inform Subscriber in writing of any potential Personal Data Breach of which CrowdRiff becomes aware. The notification to Subscriber shall include all available information regarding such Personal Data Breach, including information on:
- The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
- The likely consequences of the Personal Data Breach; and
- The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
CrowdRiff shall cooperate fully with Subscriber in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. CrowdRiff shall provide such assistance as required to enable Subscriber to satisfy Subscriber’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR.
11. Information request / Audit
(A) CrowdRiff shall on written request (but not more than once per year, other than in the event of a breach) make available to Subscriber all information necessary to demonstrate compliance with the obligations set forth in this Addendum and, at the Subscriber’s expense, allow for and contribute to audits, including inspections, conducted by Subscriber or another auditor mandated by Subscriber. Upon prior written request by Subscriber (provided that it shall be not more than once per year other than in the event of a breach), CrowdRiff agrees to cooperate and, within reasonable time, provide Subscriber with: (a) audit reports (if any) and all information necessary to demonstrate CrowdRiff’s compliance with the obligations laid down in this Addendum; and (b) confirmation that no audit, if conducted, has revealed any material vulnerability in CrowdRiff’s systems, or to the extent that any such vulnerability was detected, that CrowdRiff has fully remedied such vulnerability.
(B) Where Subscriber is a Data Processor itself, the Subscriber may provide the Data Controller with respective documentation received by CrowdRiff and Data Controller is entitled to conduct audits contemplated at CrowdRiff, but only insofar as this is required by Applicable Law, a competent court or regulator, all at the Data Controller’s expense.
12. Governing Law
This Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.
ANNEX 1: SCOPE OF THE DATA PROCESSING
This Annex forms part of the Data Processing Addendum between Subscriber and CrowdRiff.
The Processing of Personal Data concerns the following categories of Data Subjects:
- Your end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.
- Individuals attempting to communicate with or transfer Personal Data to your end users.
Categories and nature of Personal Data
Subscriber may submit Personal Data to the Services, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Contact information (name, email, phone number)
- Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Service.
Scope and purpose of Processing
The objective of Processing of Personal Data by CrowdRiff is the performance of the Services pursuant to the Agreement.
Duration of Processing
Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
ANNEX 2: PERMITTED SUB-PROCESSORS
| Sub-processor | Purpose | DPA |
|---|---|---|
| Amazon Web Services | Hosting and infrastructure | Link |
| Google Cloud Platform | Hosting and infrastructure | Link |
| Google Analytics | Product usage reporting | Link |
| Full Story | UX Research | Link |
| Sentry | Error & crash reporting | Link |
| Pendo | Product announcements, user guided tours and product usage reporting | Link |
| Zendesk | Product support & knowledge base integration | Link |