This Data Processing Addendum and its annexes ("Addendum") amends the terms and forms part of the Underlying Agreement (defined below) by and between Customer (defined below) and ServiceRocket (defined below) (each a "Party", together the "Parties") and will be effective on the date of the Underlying Agreement ("Effective Date").
1. Preliminary Statements.
(a). In performing its obligations under the Underlying Agreement, ServiceRocket may Process Customer Personal Data on behalf of the Customer where such Processing falls within the scope of Data Protection Laws.
(b). The parties acknowledge that this Addendum forms part of and is supplemental to the Underlying Agreement to add the necessary terms and safeguards required by Data Protection Laws. This Addendum shall replace any comparable or additional rights or terms relating to the Processing of Customer Personal Data contained in the Underlying Agreement (including any existing data processing addendum to the Underlying Agreement).
(c). This Addendum shall only apply to the extent that ServiceRocket's Processing of Customer Personal Data falls within the scope of Data Protection Laws.
(d). All capitalized terms used in this Addendum have the meaning given to them in Section 8 (Definitions) of this Addendum.
(a). Roles of the parties. ServiceRocket shall Process Customer Personal Data under the Underlying Agreement only as a Processor acting on behalf of Customer (whether as Controller itself or as a Processor acting on behalf of a third party Controller).
(b). Documented instructions. Customer hereby acknowledges and agrees that by using ServiceRocket's services, Customer is giving ServiceRocket instructions to Process and use Customer Personal Data. ServiceRocket will only process the type(s) of Customer Personal Data, and only in respect of the categories of Data Subjects and types of Processing, set out in Annex 1 of this Addendum or as otherwise provided or instructed in writing by the Customer from time to time (the "Business Purposes"). ServiceRocket will, unless legally prohibited from doing so on important grounds of public interest, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law.
(c). Customer responsibilities. For the avoidance of doubt, Customer's instructions to ServiceRocket for the Processing of Customer Personal Data must comply with Data Protection Laws. Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data provided to ServiceRocket and the means by which Customer acquired such Customer Personal Data, including providing any required notices to, and obtaining any necessary consent from, its employees, agents, or third parties to whom it extends the benefits of ServiceRocket's services.
(d). Compliance with Data Protection Laws. The parties shall comply with the provisions and obligations imposed on them by Data Protection Laws at all times when Processing Customer Personal Data in connection with the Underlying Agreement. Each party shall maintain records of all categories of processing activities under its responsibility that contain at least the minimum information required by Data Protection Laws and shall make such information available to any DP Regulator on request.
(e). Sale or sharing of Customer Personal Data prohibited. For the purposes of the CCPA (to the extent the CCPA is applicable), ServiceRocket shall not (a) sell Customer Personal Data, as the term "sell" is defined by the CCPA, (b) share Customer Personal Data, as the term "share" is defined by the CPRA, (c) disclose or transfer Customer Personal Data to a Subprocessor or any other parties that would constitute "selling" or "sharing" as the term is defined by the CCPA/CPRA, (d) retain, use, disclose, or otherwise Process the Customer Personal Data for any purposes other than the Business Purposes, and (e) use Customer Personal Data outside the direct relationship between Customer and ServiceRocket or combine Customer Personal Data received with Personal Data that ServiceRocket receives from other sources, except as otherwise permitted under the Underlying Agreement or by Data Protection Laws.
(f). Aggregate Data. Notwithstanding the foregoing or anything to the contrary in the Underlying Agreement, Customer acknowledges that ServiceRocket and its Affiliates shall have a right to collect and create anonymized, aggregate and/or de-identified information (as defined by Data Protection Laws) for its own legitimate business purposes.
(a). Authorization. Customer provides a general written authorization to ServiceRocket to engage the Approved Subprocessors provided that ServiceRocket and the Approved Subprocessor enter into a written agreement which sets out equivalent data protection obligations to those set out in this Addendum. ServiceRocket will be liable for any breach of these obligations by any Approved Subprocessor.
(b). Notice. Following the Effective Date, ServiceRocket shall notify the Customer of its intention to appoint or use a new subprocessor that will Process Customer Personal Data. ServiceRocket will notify Customer via email and allow Customer ten (10) working days to object via email on reasonable grounds relating to the parties' obligations under Data Protection Laws.
(c). Right to object. Where the Customer has a reasonable basis to object, the Customer shall notify ServiceRocket promptly in writing within five (5) working days after receipt of ServiceRocket's notice. The Parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, ServiceRocket will, at its sole discretion, either (i) not appoint the subprocessor; or (ii) permit Customer to suspend or terminate the affected services in accordance with the termination provisions in the Underlying Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). If the Customer does not exercise its right to object in relation to any new subprocessor, such subprocessor shall be deemed to be an "Approved Subprocessor".
(a). Restricted Transfers by ServiceRocket. ServiceRocket may conduct a Restricted Transfer of Customer Personal Data as necessary to provide its services to Customer under the Underlying Agreement and as long as it complies with its obligations under Data Protection Law.
(b). Restricted Transfers by Customer to ServiceRocket. The parties agree that where Customer conducts a Restricted Transfer of Customer Personal Data to ServiceRocket, the parties agree to be subject to the Standard Contractual Clauses, which shall be incorporated by reference and form an integral part of this Addendum, as follows:
(c). Privacy Shield. Although ServiceRocket does not rely on the Privacy Shield as a legal basis for transfers of Customer Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for so long as ServiceRocket is self-certified to the Privacy Shield it shall continue to process Customer Personal Data in compliance with the Privacy Shield Principles and agrees to notify Customer if it makes a determination that it can no longer meet its obligation to provide the level of protection as is required by the Privacy Shield Principles.
(d). Alternative Transfer Arrangement. If, and to the extent ServiceRocket adopts an alternative data export solution (including adopting any new version of or successor to the Standard Contractual Clauses or Privacy Shield adopted pursuant to applicable European Data Protection Laws) for the transfer of Customer Personal Data as prescribed by applicable European Data Protection Laws ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this Addendum (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Laws and extends to the territories to which Customer Personal Data is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism. In addition, if and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this Addendum cannot be relied on to lawfully transfer Customer Personal Data to a country that does not ensure an adequate level of protection (within the meaning of applicable European Data Protection Laws), the Parties shall reasonably cooperate to agree and take any actions that may be reasonably required to implement any additional measures or safeguards not described in this Addendum or alternative transfer mechanisms ("Alternative Transfer Arrangements") to enable the lawful transfer of such Customer Personal Data.
(a). Confidentiality. ServiceRocket will ensure that persons authorized by ServiceRocket to process Customer Personal Data in the course of rendering services under the Underlying Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(b). Technical and organizational measures. ServiceRocket will implement appropriate technical and organizational measures to protect Customer Personal Data from Security Incidents. Without prejudice to the foregoing, such measures shall include those set out in Annex 3 attached hereto ("TOMs"). Customer acknowledges that technical and organizational measures are subject to technical progress and development and that ServiceRocket may update and/or change the TOMs from time to time without notice to Customer so long as such updates and modifications do not result in the degradation of the overall security of the services purchased by Customer.
(c). Security Incidents. ServiceRocket will without undue delay after becoming aware of a Security Incident: (i) notify the Customer of the same and provide relevant details of the Security Incident in accordance with Data Protection Laws.
(d). Cooperation and assistance. ServiceRocket will cooperate with the Customer, and provide such information and assistance as the Customer may reasonably require in accordance with Data Protection Laws, including in relation to (i) requests from Data Subjects to exercise their rights under Data Protection Laws; and (ii) data protection impact assessments, risk assessments, cybersecurity audits or similar under Data Protection Laws; and (iii) queries, inquiries, complaints or prior consultations with any regulatory, supervisory, governmental, state agency, Attorney General or other competent authority with jurisdiction or oversight over compliance with Data Protection Laws.
(e). Demonstrable compliance. ServiceRocket will make available all information reasonably necessary to demonstrate its compliance with the obligations under this Addendum. Upon written request, and no more than once annually and on reasonable notice, ServiceRocket will provide Customer with its CAIQ Lite document and, if Customer requires additional information, will respond (on a confidential basis) to a written information security questionnaire of reasonable scope and duration regarding its business practices and information technology environment in relation to the handling of Customer Personal Data.
(f). Return or deletion. ServiceRocket will, upon the expiry or termination of the Underlying Agreement: (i) return or delete (at the Customer's written request) all Customer Personal Data; (ii) cease all processing of Customer Personal Data; and (iii) delete all copies of Customer Personal Data from any system under its control; except to the extent ServiceRocket is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which data ServiceRocket shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices, except to the extent required by applicable law.
(a). ServiceRocket and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum (including the Standard Contractual Clauses and UK Addendum) and all data processing agreements between Customer, Permitted Affiliates and ServiceRocket, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability under the Underlying Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Underlying Agreement, this Addendum, the Standard Contractual Clauses and the UK Addendum.
(b). ServiceRocket and its Affiliates’ total liability for all claims from Customer and all Permitted Affiliates arising out of or related to the Underlying Agreement and each Addendum shall apply in the aggregate for all claims under both the Underlying Agreement and all data processing agreements established under this Addendum or the Underlying Agreement, including by Customer and all Permitted Affiliates, and shall not be understood to apply individually and severally to Customer and/or to any Permitted Affiliate that is a contractual party to any such Addendum. Each reference to the Addendum herein means this Addendum including its appendices, attachments, or terms incorporated by reference.
When a Permitted Affiliate becomes a party to the Addendum, then such Permitted Affiliate shall be entitled to exercise its rights and remedies available under this Addendum to the extent required under Data Protection Laws. However, if Data Protection Laws require the Permitted Affiliate to directly exercise a right or remedy against ServiceRocket directly by itself, the parties agree that to the extent permitted under law: (i) only the Customer that is the contracting entity to the Underlying Agreement shall exercise any such right or seek any such remedy on behalf of the Permitted Affiliate; and (ii) the Customer that is the contracting party to the Addendum shall exercise any such rights under this Addendum in a combined manner for all of its Permitted Affiliates together, instead of doing so separately for each Permitted Affiliate. The Customer that is the contracting entity is responsible for coordinating all communication with ServiceRocket under the Addendum and is entitled to make and receive any communication related to this Addendum on behalf of its Permitted Affiliates.
As used in this Addendum, the terms below are defined as follows:
(a). "Affiliates" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b). "Approved Subprocessor(s)" means those authorized contractors, agents, vendors and third party service providers (i.e., sub-processors) that Process Customer Personal Data listed in Annex 2 to this Addendum and subsequently, those which are deemed to be "Approved Subprocessors" pursuant to Section 3.
(c). "CCPA" means the California Consumer Privacy Act (California Civil Code §§1798.100 et seq.) and its implementing regulations, as amended by the California Privacy Rights Act ("CPRA") when effective, as well as any regulations and guidance that may be issued thereunder.
(d). "Controller" means an entity that alone or jointly with others determines the purposes and means of Processing of Customer Personal Data. For purposes of this Addendum, a Controller includes a "business" as such term is defined by the CCPA/CPRA, or a similar designation under Data Protection Laws.
(e). "Customer" means the legal entity that is a party to and receives products or services from ServiceRocket under the Underlying Agreement. Customer enters into this Addendum on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Permitted Affiliates. For the purposes of this Addendum, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates.
(f). "Customer Personal Data" means Personal Data which is Processed by ServiceRocket on behalf of the Customer in connection with the Underlying Agreement, as further described in Annex 1 attached hereto.
(g). "Data Subject" has the meaning given to it in the definition of "Personal Data".
(h). "Data Protection Laws" means the CCPA/CPRA and European Data Protection Laws, as well as data protection laws enacted in other countries with similar data protection requirements, that are applicable to the processing of Customer Personal Data under this Addendum.
(i). "Europe" means, for the purposes of this Addendum, the European Economic Area and/or its member states ("EEA"), the United Kingdom ("UK") and/or Switzerland.
(j). "European Data Protection Laws" means data protection laws enacted in Europe, and applicable (in whole or in part) to the respective party's processing of Customer Personal Data, including (as applicable): (i) EU Regulation 2016/679 (General Data Protection Regulation) ("EU GDPR"); (ii) EU e-Privacy Directive 2002/58/EC; (iii) any national data protection laws made under or pursuant to (i) or (ii); (iv) in respect of the UK, the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other laws in force in the UK applicable to the processing of Personal Data (together, "UK Data Protection Laws"); and (v) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"); in each case as may be amended, superseded or replaced from time to time.
(k). "Permitted Affiliate" means any Affiliate of Customer which: (i) is subject to Data Protection Laws and the controller or business with respect to the Customer Personal Data; and (ii) is permitted to use ServiceRocket's services pursuant to the Underlying Agreement, but has not signed its own order form or agreement with ServiceRocket and is not a "Customer" as defined under the Underlying Agreement.
(l). "Personal Data" shall have the meaning assigned to the terms “personal data”, "personally identifiable information" and/or “personal information” under Data Protection Laws.
(m). "Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield self-certification programs operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on 11 January 2017 respectively (as amended, superseded or replaced from time to time).
(n). "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 (as amended, superseded, or replaced from time to time).
(o). "Process," "Processes," "Processing," "Processed" means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(p). "Processor" means an entity that Processes Customer Personal Data on behalf, and in accordance with the instructions, of a Controller. For purposes of this Addendum, a Processor includes a "service provider" as such term is defined by the CCPA/CPRA, or any similar or analogous designation under Data Protection Laws.
(q). "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer (directly or via onward transfer) of Customer Personal Data from the EEA to a country outside of the EEA or Switzerland which is not subject to an adequacy determination by the European Commission or Swiss authorities; and (ii) where UK Data Protection Laws apply, a transfer (directly or via onward transfer) of Customer Personal Data from the UK to any other country which is not subject to an adequacy determination based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
(r). "Security Incident(s)" means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
(s). "ServiceRocket" means ServiceRocket Inc. and ServiceRocket Pty Ltd.
(t). "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission's Implementing Decision 2021/914 of 4 June 2021.
(u). "UK Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0) issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as it is revised under Section 18 therein; as may be amended, superseded or replaced from time to time.
"Underlying Agreement" means the agreement by and between ServiceRocket and the Customer for the provision of services by ServiceRocket.
The words "includes" or "including" shall be construed as illustrative only and shall not limit the generality of the preceding words.
A reference to a statute or statutory provision is a reference to it as it is in force from time to time (including any statute or statutory provisions which modify, consolidate, re-enact or supersede it), and any applicable associated, implementing or supplementary data protection laws, as updated, amended or replaced from time to time.
General.
(a). Except for the changes made by this Addendum, all of the terms and provisions of the Underlying Agreement remain unmodified and in full force and effect. In the event of any conflict between the terms and provisions of the Underlying Agreement and the terms and provisions of this Addendum, the terms and provisions of this Addendum shall prevail.
(b). This Addendum shall be deemed a part of and incorporated into the Underlying Agreement so that references in the Underlying Agreement to "Agreement" shall be interpreted to include this Addendum.
(c). Customer acknowledges that ServiceRocket may disclose this Addendum (including the Standard Contractual Clauses and UK Addendum) to a European data protection authority, the US Department of Commerce, the Federal Trade Commission, or any other US or European judicial or regulatory body upon their request.
(d). Notwithstanding anything to the contrary in the Underlying Agreement, ServiceRocket may periodically make modifications to this Addendum as may be required to comply with Data Protection Laws.
(e). This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Underlying Agreement, unless required otherwise by the Standard Contractual Clauses, the UK Addendum or Data Protection Laws.
(f). This Addendum shall remain in effect during the term of the Underlying Agreement and for so long as ServiceRocket is Processing Customer Personal Data.
The technical and organizational measures implemented by ServiceRocket (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purposes of the Processing, and the risks for the rights and freedoms of natural persons, are as follows:
1. Physical access control
Technical/organizational measures for physical access control, notably proof of identity of authorized persons:
2. Logical access control
Technical (login/password protection) and organizational measures regarding identification and authentication:
3. Data access control
Demand-oriented design of the authorization concept and access rights, including their monitoring and logging:
4. Disclosure controls
Measures during transport, transfer, transmission or recording onto storage media (manual or electronic) and in connection with subsequent inspections:
5. Input controls
Measures for subsequent checks establishing whether data have been entered, altered or removed (erased) and if so, by whom:
6. Job controls
Technical/organizational measures to delimit the respective competences of Controller and Processor:
7. Availability controls
Measures for (physical/logical) data backup:
8. Separation controls
Measures for the separate processing (storage, alteration, erasure, transfer) of data for differing purposes: