Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of our Terms of Service (“Agreement”) between the Customer and CRM Refresh to reflect the parties’ agreement with regard to the Processing of Personal Data of the Customer, in accordance with the requirements of European Data Protection Regulation (“GDPR”).
CRM Refresh’s services offered in the European Union are GDPR ready and this DPA provides the necessary documentation of this readiness.
This Data Processing Agreement (“DPA”) is an addendum to the Customer Terms of Service (“Agreement”) between CRM Refresh (“CRMR” or “CRM Refresh”) and the Customer. The Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorized Affiliates.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to the Customer pursuant to the Agreement, CRMR may process Personal Data on behalf of the Customer. CRMR agrees to comply with the following provisions with respect to any Personal Data Processed for the Customer in connection with the provision of the Services.
This Data Processing Agreement shall remain in effect as long as the Data Processor is processing personal data on behalf of the Customer.
The Customer may suspend or terminate the Service Agreement and this Data Processing Agreement at any time, with immediate effect, by notice in writing.
1. Scope and Applicability of this DPA
1.1 This DPA applies where and only to the extent that CRM Refresh processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to the Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
1.2 Role of the Parties. As between CRM Refresh and the Customer, the Customer is the Controller of Personal Data and CRMR shall process Personal Data only as a Processor on behalf of the Customer. Nothing in the Agreement or this DPA shall prevent CRMR from using or sharing any data that CRMR would otherwise collect and process independently of Customer’s use of the Services.
1.3 Customer Obligations. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to CRM Refresh; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for CRM Refresh to process Personal Data and provide the Services pursuant to the Agreement and this DPA.
1.4 CRM Refresh Processing of Personal Data. As a Processor, CRMR shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; and (iii) to comply with other reasonable instructions provided by the Customer to the extent they are consistent with the terms of this Agreement and only in accordance with the Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to CRM Refresh in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and CRMR.
1.5 Nature of the Data. CRM Refresh handles Customer Data provided by the Customer. Such Customer Data may contain special categories of data depending on how the Services are used by the Customer. The Customer Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to the Customer; (ii) to provide customer and technical support to the Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.
1.6 CRM Refresh Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), the Customer acknowledges that CRM Refresh shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, CRMR is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
2. Processing of Personal Data
2.1 The parties agree that with regard to the Processing of Personal Data, the Customer is the Data Controller, CRMR is a Data Processor and that CRMR will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
2.2 The Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of GDPR and the Customer will ensure that its instructions for the Processing of Personal Data shall comply with GDPR. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
2.3 CRM Refresh shall only Process Personal Data on behalf of and in accordance with the Customer’s instructions and shall treat Personal Data as confidential information. The Customer instructs CRMR to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable orders; and (ii) Processing to comply with other reasonable instructions provided by Customer (e.g., via a support chat) where such instructions are consistent with the terms of the Agreement.
2.4 CRM Refresh stores and processes personal data on servers located in the US and provides clients with the option to store data in the EU.
3. Right of Data Subjects
3.1 To the extent the Customer, in its use or receipt of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws, CRM Refresh shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent CRMR is legally permitted to do so.
3.2 CRM Refresh shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. CRMR shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to the Customer.
CRMR shall provide the Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent the Customer does not have access to such Personal Data through its use or receipt of the Services.
4.1 CRM Refresh shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that person’s engagement with CRM Refresh.
4.2 CRMR shall take commercially reasonable steps to ensure the reliability of any CRMR personnel engaged in the Processing of Personal Data.
4.3 CRMR shall ensure that its access to Personal Data is limited to those personnel who require such access to perform the Agreement.
5.1 The Customer acknowledges and agrees that (a) CRMR’s Affiliates may be retained as Sub-processors; and (b) CRMR and CRMR’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
5.2 Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services CRMR has retained them to provide, and they are prohibited from using Personal Data for any other purpose.
5.3 CRM Refresh shall be liable for the acts and omissions of its Sub-processors to the same extent CRMR would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6.1 CRMR shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data.
6.2 CRMR will allow for and contribute to audits or inspections.
7. Security Breach Management and Notification
7.1 If CRMR becomes aware of any unlawful access to any Customer Personal Data stored on CRMR’s equipment or unauthorized access to such equipment resulting in loss, disclosure, or alteration of Customer Personal Data (“Security Breach”), CRMR will promptly: (a) notify Customer of the Security Breach; (b) investigate the Security Breach and provide Customer with information about the Security Breach; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
7.2 Customer agrees that:
7.2.1 An unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Customer Personal Data or to any of CRMR’s equipment storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents;
7.2.2 CRMR’s obligation to report or respond to a Security Breach under this Section is not and will not be construed as an acknowledgement by CRMR of any fault or liability with respect to the Security Breach.
7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of the Customer’s business, technical or administrative contacts by any means CRMR selects, including via email. It is the Customer’s sole responsibility to ensure it maintains accurate contact information on CRMR’s support systems at all times.
8. Return and Deletion of Customer Data
8.1 CRM Refresh shall return Customer Data to the Customer and/or delete Customer Data in accordance with Data Protection Laws and/or consistent with the terms of the Agreement.
8.2 Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent CRM Refresh is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on backup systems, which such Personal Data CRM Refresh shall securely isolate and protect from any further processing, except to the extent required by applicable law.
“Affiliates” means any entity which is controlled by, controls or is in common control with CRM Refresh.
“CRM Refresh” or “CRMR” means the CRM Refresh service, controlled by CRM Refresh, LLC.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the “CRM Refresh” entity which Processes Personal Data on behalf of the Data Controller.
“EU Data Protection Law” means (i) prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”) and on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable person.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
“Security Breach” has the meaning given in Section 7 of this DPA.
“Services” means the provision of maintenance and support services, consultancy or professional services and the provision of software as a service or any other services provided under the Agreement where CRMR Processes Personal Data of the Customer.
“Sub-processor” means any Data Processor engaged by CRMR.