DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between:

  1. Dorik, Inc., a company registered in Delaware, United States, and having its registered office at 600 North Broad Street Ste 5 PMB 2145, Middletown, DE 19709 (the "Processor" or "Service Provider"); and
  2. The entity that has agreed to the Terms of Service ("Customer" or "Controller" or "Business").

This DPA should be read in conjunction with our Privacy Policy, which explains how we handle personal data as both a controller and a processor.

BACKGROUND

(A) The Customer wishes to use the Processor's Software-as-a-Service (SaaS) cookie and consent management platform as described in the Agreement.

(B) In providing the services, the Processor will process certain personal data on behalf of the Customer.

(C) This DPA sets out the parties' rights and obligations in relation to such processing of personal data.

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

In this DPA, the following terms shall have the meanings set out below:

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of personal data under the Agreement, including, where applicable, EU Data Protection Law, UK Data Protection Law, the Swiss Federal Data Protection Act, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other legislation relating to data protection or privacy which applies to either party.

"Business", "Business Purpose", "Service Provider", and "Sell" shall have the meanings given to them in the CCPA/CPRA.

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" shall have the meanings given to them in EU Data Protection Law or, where not defined there, shall have the meaning given to them in other Applicable Data Protection Laws. The terms "Controller" and "Business," as well as "Processor" and "Service Provider," are used interchangeably in this DPA as appropriate to the applicable law.

"Customer Personal Data" means any Personal Data processed by the Processor on behalf of the Customer pursuant to or in connection with the Agreement.

"EU Data Protection Law" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or "GDPR") and any applicable national legislation implementing or supplementing the GDPR.

"IAB TCF" means the IAB Europe Transparency & Consent Framework.

"Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries adopted by the European Commission, or any successor clauses adopted in accordance with EU Data Protection Law.

"Sub-processor" means any processor engaged by the Processor to process Customer Personal Data.

"UK Data Protection Law" means the UK GDPR and the Data Protection Act 2018.

"UK GDPR" means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.2 Interpretation

In this DPA:

  • References to "Articles" are to Articles of the GDPR
  • References to "Clauses" are to clauses of this DPA
  • The headings in this DPA are for convenience only and shall not affect its interpretation
  • Words expressed in the singular include the plural and vice versa

2. PROCESSING OF CUSTOMER PERSONAL DATA

2.1 Processor Status

The parties acknowledge and agree that, for the purposes of Applicable Data Protection Laws, the Customer is the Controller or Business and the Processor is the Processor or Service Provider in respect of the Customer Personal Data.

2.2 Details of the Processing

The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data processed, and the categories of Data Subjects are set forth in Schedule 1 to this DPA.

2.3 Processor Obligations

The Processor shall:

(a) Process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by EU or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

(b) Ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) Take all measures required pursuant to Article 32 of the GDPR (Security of Processing);

(d) Respect the conditions referred to in Clauses 2.4 and 2.5 for engaging another processor;

(e) Taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Applicable Data Protection Laws;

(f) Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security of processing, data breach notification, data protection impact assessments, prior consultation) taking into account the nature of the Processing and the information available to the Processor;

(g) At the choice of the Customer, delete or return all the Customer Personal Data to the Customer after the end of the provision of services relating to Processing, and delete existing copies unless EU or Member State law requires storage of the Customer Personal Data;

(h) Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer;

(i) Immediately inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.

2.4 Sub-processors

(a) The Customer hereby provides general written authorization for the Processor to engage Sub-processors to process Customer Personal Data.

(b) The Processor's current Sub-processors engaged to process Customer Personal Data as of the date of this DPA include:

  Company Name                 Company Location    Server/Data Location
  Amazon Web Services, Inc.    United States       EU (Frankfurt, Germany)
  MongoDB Inc.                 United States       EU (Frankfurt, Germany)
  Upstash, Inc.                United States       EU (Frankfurt, Germany)
  Vercel                       United States       No data held
  Mailgun Technologies, Inc.   United States       EU (Germany)
  Cloudflare, Inc.             United States       No data held

The Processor shall provide notice of any addition or replacement of a Sub-processor at least 30 days prior to the change.

(c) Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Applicable Data Protection Laws.

(d) Where the Sub-processor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Customer for the performance of that Sub-processor's obligations.

(e) If the Customer has a reasonable objection to any new or replacement Sub-processor, it shall notify the Processor of such objections in writing within ten (10) days of the update to the Sub-processor list. The parties will then discuss such concerns in good faith with a view to achieving resolution. If the parties are unable to reach a resolution, the Customer may, as its sole and exclusive remedy, terminate the Agreement and this DPA with respect to only those services which cannot be provided by the Processor without the use of the objected-to new or replacement Sub-processor.

2.5 IAB TCF Compliance

(a) If the Customer uses the Processor's services in connection with the IAB TCF, the Processor shall process Customer Personal Data in accordance with the IAB TCF Policies and Technical Specifications.

(b) The Customer acknowledges that the Processor is registered as a Consent Management Provider (CMP) with the IAB and agrees to comply with its obligations under the IAB TCF when using the Processor's services.

3. DATA SUBJECT RIGHTS

3.1 Assistance to Customer

Taking into account the nature of the Processing, the Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligations to respond to requests for exercising Data Subject rights under Applicable Data Protection Laws.

For assistance with Data Subject requests that require significant resources beyond normal operational support, the Processor may charge a reasonable fee.

3.2 Data Subject Requests

If the Processor receives a request from a Data Subject regarding Customer Personal Data, the Processor shall:

(a) If the request is made in relation to the rights of access, rectification, restriction, erasure, data portability, objection to Processing, or automated decision-making, promptly notify the Customer;

(b) Not respond to the Data Subject directly without the Customer's prior written consent except to confirm that the request relates to the Customer and to advise the Data Subject to submit the request directly to the Customer; and

(c) Provide the Customer with commercially reasonable cooperation and assistance in relation to handling the Data Subject's request, to the extent legally permitted and to the extent the Customer does not have access to such Customer Personal Data through its use of the Services.

4. PERSONAL DATA BREACHES

4.1 Notification of Personal Data Breaches

The Processor shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall at a minimum:

(a) Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) Communicate the name and contact details of the Processor's data protection officer or other contact point where more information can be obtained;

(c) Describe the likely consequences of the Personal Data Breach; and

(d) Describe the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.2 Assistance to Customer

The Processor shall cooperate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

5. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to the processing of Customer Personal Data and taking into account the nature of the Processing and information available to the Processor.

6. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

6.1 Deletion or Return

Upon termination or expiration of the Agreement, the Processor shall, at the Customer's election, delete or return to the Customer all Customer Personal Data (including copies) in its possession or control, except to the extent that the Processor is required by applicable law to retain some or all of the Customer Personal Data.

The Processor will delete the Customer Personal Data within 30 days of account closure or termination of the Agreement, unless applicable law requires longer retention of certain data. If the Customer makes no explicit election at the time of termination, the default action will be deletion of the Customer Personal Data.

6.2 Certification of Deletion

If the Customer elects for the deletion of the Customer Personal Data, the Processor shall, upon request, provide a certification of its deletion of Customer Personal Data.

7. AUDIT RIGHTS

7.1 Information and Audit Rights

The Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Processor.

7.2 Audit Process

Any audit conducted under this Clause shall be subject to the following conditions:

(a) The Customer shall provide reasonable prior notice of any audit and shall conduct its audit during normal business hours;

(b) The Customer shall ensure that any auditor is bound by confidentiality obligations no less protective than those in the Agreement;

(c) The Customer shall limit the scope of the audit to the Processor's processing of Customer Personal Data and compliance with the terms of this DPA; and

(d) The Customer shall be responsible for any costs and expenses incurred in connection with the performance of the audit, unless the audit reveals a material breach by the Processor of this DPA, in which case the Processor shall bear its own expenses of the audit.

8. INTERNATIONAL TRANSFERS

8.1 Data Transfer Requirements

The Processor shall not transfer Customer Personal Data outside the European Economic Area (EEA), the United Kingdom, or Switzerland without the prior written consent of the Customer.

8.2 Transfer Mechanisms

Where the Customer consents to an international transfer of Customer Personal Data, the Processor shall ensure that:

(a) The transfer is to a country that the European Commission has decided provides an adequate level of protection for Personal Data; or

(b) The transfer is subject to appropriate safeguards as set out in Article 46 of the GDPR; or

(c) The transfer is covered by Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA. For the purposes of the descriptions in the Standard Contractual Clauses, the Processor shall be the "data importer" and the Customer shall be the "data exporter."

9. CCPA/CPRA SPECIFIC PROVISIONS

9.1 Service Provider Status

When processing Customer Personal Data subject to the CCPA/CPRA, the Processor is a "Service Provider" as defined in the CCPA/CPRA and shall:

(a) Not retain, use, or disclose Customer Personal Data for any purpose other than for the Business Purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA;

(b) Not sell or share Customer Personal Data as those terms are defined in the CCPA/CPRA;

(c) Not retain, use, or disclose Customer Personal Data outside of the direct business relationship between the Processor and the Customer; and

(d) Certify that it understands the restrictions in this Clause and will comply with them.

9.2 Data Subject Requests under CCPA/CPRA

The Processor shall assist the Customer in fulfilling its obligations to respond to consumer requests to exercise their rights under the CCPA/CPRA with respect to Customer Personal Data, including rights of access, deletion, correction, and opt-out of sale or sharing.

10. GENERAL TERMS

10.1 Confidentiality

Each party must keep this DPA and information it receives about the other party and its business in connection with this DPA ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other party except to the extent that:

(a) Disclosure is required by law;

(b) The relevant information is already in the public domain.

10.2 Notices

All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, or sent by email to the postal address or email address set out in the Agreement.

10.3 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

10.4 Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents shall prevail in the following order: (i) Standard Contractual Clauses; (ii) this DPA; and then (iii) the Agreement. Except as amended by this DPA, the Agreement will remain in full force and effect.

10.5 Changes in Data Protection Laws

The parties agree to negotiate in good faith to amend this DPA if necessary to comply with any changes in Applicable Data Protection Laws.

10.6 Acceptance of this DPA

This DPA forms part of the Agreement between Dorik, Inc. (Consently) and the Customer. By using Consently's services, the Customer agrees to the terms of this DPA. No signature is required for this DPA to be binding and enforceable between the parties.

SCHEDULE 1: DETAILS OF PROCESSING

Subject Matter and Duration of the Processing

The subject matter of the Processing is the provision of Consently Software-as-a-Service (SaaS) cookie and consent management platform by the Processor to the Customer as set out in the Agreement. The Processing will continue for the duration of the Agreement.

Nature and Purpose of the Processing

The Processor will Process Customer Personal Data as necessary to provide the Services under the Agreement, as further specified in the Agreement, and as further instructed by the Customer in its use of the Services.

Types of Personal Data Processed

The Customer Personal Data Processed by the Processor may include the following categories of data:

  • For the Customer's account: names, email addresses, company information, billing information, account credentials, and other contact information of the Customer's employees and authorized users.
  • For end-users of the Customer's digital properties:
    ◦ Online identifiers (such as IP addresses, cookie IDs, mobile advertising IDs)
    ◦ User agent information
    ◦ Geolocation data (country, region)
    ◦ Consent preferences and consent history
    ◦ Technical data related to user interactions with consent interfaces
    ◦ Any other Personal Data the Customer chooses to collect via the Services

Categories of Data Subjects

The Customer Personal Data Processed by the Processor may relate to the following categories of Data Subjects:

  • The Customer's employees, contractors, and authorized users who access and use the Services
  • End-users who interact with the Customer's digital properties where the Services are implemented
  • Any other individuals whose Personal Data is provided to the Processor through the Services by or on behalf of the Customer

Processing Operations

The Processor will Process Customer Personal Data for the following purposes:

  • Account creation and management
  • Provision of consent management services
  • Collection, storage, and management of consent preferences
  • Generation and maintenance of consent records
  • Creation of compliance documentation
  • Technical support and customer service
  • Analysis and improvement of the Services
  • Compliance with legal obligations

IN WITNESS WHEREOF, this DPA has been made available as part of the Agreement between the parties. This DPA takes effect when the Customer accesses or uses the Consently platform, without the need for signature from either party.
