
EU Data Protection Addendum 

 

Last Modified 10/11/21

 

This EU Data Protection Addendum (the “Addendum”) is entered into between Allbound, Inc., a Delaware corporation with offices located at 3411 Pierce Dr, Chamblee, GA 30341 as the “Service Provider” on this Addendum and [                               ] located [                                                                                                                                      ] (“Customer”). This Addendum is incorporated by reference into and shall form an integral part of the Terms of Service executed between Service Provider and Customer governing the services provided by Service Provider (the “Agreement”). This Addendum applies to personal data from individuals located in the European Union processed by Service Provider in connection with the services provided by Service Provider to Customer (“EU Personal Data”). “California Consumer Privacy Act of 2018” or “CCPA” means Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018.

1. Adequate Country. “Adequate Country” means a country or territory recognized as providing an adequate level of protection for personal data under an adequacy decision made, from time to time, by the European Commission under the GDPR.

2. Adequacy Mechanism.  Service Provider agrees that the standard contractual clauses under Commission Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the approved version of which is available at http://data.europa.eu/eli/dec_impl/2021/914/oj), including the applicable modules along with the corresponding appendices included at Exhibit A to this Addendum with Customer as data controller and Service Provider as data processor (the “SCCs”).

3. EU Data Protection.  The parties will comply with their respective obligations under the EU General Data Protection Regulation 2019/679 (the “GDPR”) and any subordinate legislation and regulation implementing the GDPR that may apply (“Local Data Protection Laws”).  “Data controller”, “data processor”, “personal data”, “personal data breach” and “supervisory authority” have the meaning given in the GDPR and/or Local Data Protection Laws.  For the purpose of the Services, Customer is the data controller and Service Provider is the data processor.  In furtherance of each party’s compliance with the GDPR, including but not limited to the requirements of Article 28, Service Provider agrees:

a. to process the EU Personal Data as described at Annex 1 (B) at Exhibit A of this Addendum; 

b. Service Provider will only process the EU Personal Data on documented instructions from Customer and will take steps to ensure that any natural person acting under Service Provider’s authority does not process EU Personal Data except on instructions from Customer;

c. Service Provider shall ensure that persons it authorizes to process EU Personal Data have committed themselves to confidentiality and/or treat the EU Personal Data as Confidential Information;

d. Service Provider shall implement appropriate technical and organizational measures to protect EU Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and ensure a level of security appropriate to the risk of its processing of the EU Personal Data, consistent with its obligations under Art 32 of the GDPR;

e. Customer provides general authorization for Service Provider to engage additional processors to process EU Personal Data to provide the services under the Agreement provided that Service Provider contractually obligates such subprocessor(s) to the same data protection obligations here and imposes obligations providing sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR. Service Provider’s current list of subprocessors is listed below in Annex A and Service Provider will provide email notice to Customer of any changes to the list of subprocessors, whereby Customer will have 15 business days to object to any new subprocessors, after which Customer will be deemed to have consented to such additional subprocessors. 

f. Service Provider shall, taking into account the nature of the processing, assist Customer in fulfilling its responsibilities to respond to data subject requests to exercise rights under the GDPR, to the extent Customer cannot otherwise do so by accessing the relevant information through the Customer account and the self-service functionality;

g. Service Provider shall, taking into account the nature of the processing and information available to the processor, assist Customer in ensuring compliance with the obligations in Art 32 – 36 of the GDPR;

h. Service Provider shall notify Customer without undue delay, and in no event later than 72 hours, after becoming aware of a personal data breach and, where available, provide a description of the nature of the personal data breach, the name and contact information of the data protection officer or point of contact, the likely consequences of the personal data breach, and a description of any measures taken or proposed to address the personal data breach and/or mitigate its possible adverse effects. Service Provider shall use reasonable efforts to assist Customer with any communications required as a result of such a personal data breach;

i. Service Provider shall also provide reasonable assistance to Customer in any applicable data protection impact assessment and/or prior consultations and communications with supervisory authorities;

j. Service Provider will only process EU Personal Data (a) within the European Economic Area; or (b) in the United States subject to SCCs incorporated herein (or other adequacy mechanism ensuring compliance with the GDPR);

k. The parties agree that the following terms shall apply to the SCCs: 

i) Clause 7 (Docking Clause) of section 1 shall apply;

ii) The second paragraph of clause 11(a) (Redress) of Section II (related to an independent resolution body) shall not apply;

iii) Option 2 of Clause 9 (a) (general authorization of subprocessors) and Service Provider shall notify Customer of any changes through addition or replacement of subprocessors in accordance with clause 3 [e] of the Addendum; and 

iv) the applicable paragraph of Clause 13(a) of the SCCs shall apply based on whether, in Customer’s sole opinion and as notified to Service Provider by Customer, the Customer is or is not established in an EU Member State, and whether the Customer has had to appoint an EU representative; and

l. To the extent that Service Provider transfers any EU Personal Data to a subprocessor that processes EU Personal Data outside the EEA (except if in an Adequate Country), the parties agree that Service Provider shall ensure that such transfer complies with EU Data Protection. For these purposes, Customer mandates Service Provider to sign the appropriate SCCs on Customer’s behalf with any relevant subprocessor.

m. At the choice of Customer, Service Provider will delete or return all EU Personal Data to Customer upon completion of the Services and/or termination of the Agreement and Service Provider will delete all existing copies in its possession (unless required to store such EU Personal Data under applicable law);

n. Service Provider will make available to Customer all information necessary to demonstrate compliance with its obligations under the GDPR and allow for and contribute to audits. Service Provider will keep at its normal place of business records of its processing of EU Personal Data. To the extent Service Provider is required under applicable law, at Customer’s reasonable request relating to data protection obligations and with advance written notice, Service Provider will make available to Customer such records and information as is necessary to demonstrate its compliance with this Addendum with respect to its processing of EU Personal Data and allow Customer or a mutually agreed-upon independent third party to conduct an audit to verify such compliance. Any such audit will be conducted (a) on reasonable advance written notice to Service Provider; (b) no more than once per year; (c) during Service Provider’s standard business hours; and (d) in such a manner to minimize disruption to Service Provider’s operations. Any information provided by Service Provider in connection with such audit or generated as a result of such audit must be protected as Service Provider’s confidential information subject to a separate non-disclosure agreement entered into between Service Provider and the recipient of such information before such audit. To request an audit, Customer must submit a detailed audit plan at least 90 days in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit, subject to mutual agreement between the parties. Customer will bear the costs of such audit. 

o. Service Provider will inform Customer if, in Service Provider’s opinion, an instruction from Customer infringes the GDPR. 

4. California Consumer Privacy Act of 2018

a. Allbound is a “Service Provider” as defined in CCPA Section 1798.140(v).

b. Customer discloses Personal Data to Allbound solely for: (i) a valid business purpose; and (ii) Allbound to perform the Services.

c. Allbound is prohibited from: (i) selling Personal Data; (ii) retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the Personal Data outside of the Agreement between Allbound and Customer.

The parties hereby agree that this Addendum supersedes any conflicting or inconsistent provisions in the Agreement related to data protection and, in any event of ambiguity, this Addendum will prevail.  The Agreement, as amended and modified by this Addendum, otherwise remains in full force and effect. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force.  The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. 

 

Allbound, Inc.

3411 Pierce Dr Chamblee, GA 30341

Signature:
Name:
Title:
Date:

Customer: ___________________

Address: __________________________

Signature:
Name:
Title:
Date:

 

EXHIBIT A

EU STANDARD CONTRACTUAL CLAUSES (ANNEXES)

COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council

________________________________

ANNEX 1 TO THE EU STANDARD CONTRACTUAL CLAUSES

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1.

Name: The data exporter is the Customer. 

Address: The Customer’s address is set out in the Agreement. 

Contact person’s name, position and contact details: As set out in the Agreement.

Activities relevant to the data transferred under these Clauses: As set out in the Addendum and the Agreement.

Signature and date: …

Role (controller/processor): Controller

 

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

1.

Name: The data importer is Service Provider. 

Address:  Service Provider’s address is set out in the Agreement. 

Contact person’s name, position and contact details: As set out in the Agreement.

Activities relevant to the data transferred under these Clauses: As set out in the Addendum and the Agreement.

Signature and date: …

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor 

Categories of data subjects whose personal data is transferred

The personal data transferred concern the following categories of data subjects:

  • Prospects, customers, business partners and vendors of data exporter (who are natural persons)
  • Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of data exporter (who are natural persons)
  • Data exporter’s Users authorized by data exporter to use the SCC Services

Categories of personal data transferred

The personal data transferred concern the following categories of data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • Professional life data
  • Connection data
  • Localization data

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

None. Customer will not provide Service Provider with any special category or sensitive data and Service Provider will not process any such data within the context of the services under the Agreement.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

[please confirm]

Nature of the processing

Personal Data may be received, processed, and stored in order to (a) provide the services in accordance with the agreement for services between the data exporter and the data importer (the “Agreement”) during the term of the Agreement, (b) communicate with the data exporter, and (c) otherwise fulfill obligations under the Agreement.

Purpose(s) of the data transfer and further processing

[please confirm]

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

[please confirm]

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

[please confirm]

C. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor 

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs.

The competent supervisory authority is identified pursuant to clause 5 of this Addendum. 

 

APPENDIX 2 TO THE EU STANDARD CONTRACTUAL CLAUSES

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MODULE TWO: Transfer controller to processor

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

 

Data Importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the SCC Service, as described in the Security, Privacy and Architecture Documentation applicable to the Service purchased by data exporter.  Data Importer will not materially decrease the overall security of the SCC Services during a subscription term.  Requests for documentation can be sent to [email protected]

ANNEX A – Sub-Processor List

Subject to Section 2 (e) above, Customer approves of the following sub-processors:

Sub-Processor | Purpose
Amazon Web Services | Hosting and storage
Postmark | Email sending
Looker | Business insights