This Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), amends and supplements any existing and currently valid Agreement for the use of LiveAction’s SaaS Software (the “Agreement”) either previously or concurrently made between
- LiveAction, Inc. (together with subsidiary(ies) and affiliated entities, collectively “LiveAction”); and
- either (a) a direct customer of LiveAction (together with subsidiary(ies) and affiliated entities, collectively, “Direct Customer”), or (b) a managed service provider (together with subsidiary(ies) and affiliated entities, collectively, “MSP”) who licenses the Services (as defined below) from LiveAction and sub-licenses them to end users (“End Users”) pursuant to a separate agreement between the MSP and such End Users. For the avoidance of doubt, this DPA does not create a contract or agreement by and between LiveAction and End Users.
For purposes of this DPA, “Customer” means either the Direct Customer or the MSP, as applicable. Other defined terms used herein but not otherwise defined shall have the meanings set forth in the Agreement.
RECITALS:
WHEREAS:
(A) Customer intends to transfer certain Personal Data to LiveAction, so that it may be Processed in accordance with the Agreement for the provision of LiveAction’s services (the “Services”).
(B) The parties agree that this DPA will govern the parties’ rights and obligations with respect to the Processing of such Personal Data.
NOW IT IS AGREED as follows:
- Data Protection
- Definitions: In this Clause, the following terms shall have the following meanings:
- “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in EU/UK Data Protection Law;
- “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, (i) EU/UK Data Protection Law; and (ii) the California Consumer Privacy Act (the “CCPA”);
- “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
- “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
- “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
- Relationship of the parties: Customer instructs LiveAction to process the personal data that is the subject of the Agreement (the “Data”) on its behalf. In respect of such processing, (a) where Customer is a Direct Customer, the Direct Customer is the controller and LiveAction shall be a processor, and (b) where Customer is an MSP, End User shall be the controller, MSP shall be a transfer processor, and LiveAction is the processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. For clarity, “Data” does not include Customer’s business contact information, which LiveAction processes as a controller.
- Prohibited data: Customer shall not disclose (and shall not permit any End User or data subject to disclose, as applicable) any special categories of Data to LiveAction for processing except where and to the extent expressly disclosed in Annex I.
- Purpose limitation: LiveAction shall process the Data for the purposes described in Annex I and strictly in accordance with the documented instructions of Customer (the “Permitted Purpose”), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall LiveAction process the Data for its own purposes or those of any third party (other than End Users where MSP is Customer). LiveAction shall immediately inform Customer if it becomes aware that such processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Customer’s compliance with Applicable Data Protection Law).
- Restricted transfers: The parties agree that when the transfer of Data from Customer to LiveAction is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
- in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply where Customer is a Direct Customer, and Module Three will apply where Customer is an MSP;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 1.9 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by French law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of France;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
(ix) Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA;
- in relation to Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) For so long as it is lawfully permitted to rely on the standard contractual clauses for the transfer of personal data to processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between the Customer and LiveAction on the following basis:
- Appendix 1 shall be completed with the relevant information set out in Annex I to this DPA;
- Appendix 2 shall be completed with the relevant information set out in Annex II to this DPA; and
- the optional illustrative indemnification Clause will not apply.
(ii) Where sub-clause (b)(i) above does not apply, but the Customer and LiveAction are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
- The EU SCCs, completed as set out above in clause 1.5(a) of this DPA shall also apply to transfers of such Data, subject to sub-clause (B) below;
- The UK Addendum shall be deemed executed between the transferring Customer and LiveAction, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Customer Data.
(iii) If neither sub-clause (b)(i) nor sub-clause (b)(ii) applies, then the Customer and LiveAction shall cooperate in good faith to implement appropriate safeguards for transfers of such Data as required or permitted by the UK GDPR without undue delay.
- Where the application of the EU SCCs is required under Swiss data protection law for the transfer of Data, the terms below will have the following substituted meanings: (a) “GDPR” means the Federal Act on Data Protection of 19 June 1992 (SR 235.1; “FADP”) and its revised version of 25 September 2020; (b) “European Union”, “Union” or “Member States” means Switzerland, provided that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c); and (c) “supervisory authority” means the Federal Data Protection and Information Commissioner (“FDPIC”).
- in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Onward transfers: LiveAction shall not participate in (nor permit any sub-processor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless: (i) it has first obtained Customer’s prior written consent; and (ii) the Restricted Transfer is made in full compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Data.
- Confidentiality of processing: LiveAction shall ensure that any person that it authorises to process the Data (including LiveAction’s staff, agents and sub-processors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. LiveAction shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
- Security: LiveAction shall implement appropriate technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
At a minimum, such measures shall include the measures identified in Annex II.
- Subprocessing: Customer agrees that LiveAction may engage sub-processors to Process Data on Customer’s behalf. LiveAction has currently appointed, as sub-processors, LiveAction’s affiliates and the third parties listed in Annex III to this DPA. LiveAction shall provide notice to Customer of any change(s) to its sub-processors, and Customer shall have five (5) days from such notice to object to such change(s) by providing objective, justifiable grounds related to the ability of such sub-processor(s) to adequately protect Data in accordance with this DPA. LiveAction will have the right to cure the objection through any options in its sole discretion. Where LiveAction engages sub-processors, LiveAction will impose data protection terms on the sub-processors that are consistent with those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such sub-processors. LiveAction will remain responsible for each sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such sub-processor that cause LiveAction to breach any of its obligations under this DPA.
- Cooperation and data subjects’ rights: LiveAction shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to LiveAction, LiveAction shall promptly inform Customer providing full details of the same.
- Data Protection Impact Assessment: If LiveAction believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Customer and LiveAction shall provide Customer with all such reasonable and timely assistance as Customer may require in order to enable it to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Customer to consult with its relevant data protection authority.
- Security incidents: Upon becoming aware of a Security Incident, LiveAction shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. LiveAction shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all developments in connection with the Security Incident.
- Deletion or return of Data: Upon termination or expiry of the Agreement, LiveAction shall (at Customer’s election) destroy or return to Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that LiveAction is required by any applicable law to retain some or all of the Data, in which event LiveAction shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
- Audit: LiveAction shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. In fulfilment of this requirement:
- Customer acknowledges that LiveAction is regularly audited against SSAE 18 SOC 2 standards by independent third-party auditors. Upon request, LiveAction shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement.
- LiveAction shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.
CCPA. To the extent that Customer is a “business” under the CCPA, LiveAction processes Data as a “service provider” as defined under the CCPA, and except for usage of Data as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Applicable Data Protection Law, shall not collect, access, retain, use, sell or disclose the Data for any purpose, including for any commercial purposes, other than in connection with performing the Services as specified in the Agreement and as otherwise permitted under the Agreement. LiveAction will not combine the Data it receives from Customer with other personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer. The parties acknowledge and agree that Customer’s provision of access to personal information is not part of and explicitly excluded from the exchange of consideration or any other things of value between the parties.
Annex I
Data Processing Description
This Annex I forms part of the DPA and describes the processing that LiveAction will perform on behalf of the Customer.
- LIST OF PARTIES
Data exporter(s): The data exporter is Customer, a user of services provided by LiveAction, with contact details regarding the Customer and its representative and the activities relevant to the Data being transferred as set forth in the Agreement and the applicable order for software and services.
Data importer(s): The data importer is LiveAction, a producer of software and services, with contact details for LiveAction and its representative and the activities relevant to the personal data being transferred as set forth in the Agreement and the applicable order for software and services.
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter may submit personal data to data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subjects: the data exporter’s representatives and end-users, including employees, contractors, business partners, collaborators, customers and prospective customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal data to users of the software and services.
Categories of personal data transferred
Data exporter may submit personal data to data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) ID data; (g) Professional life data; (h) Personal life data; (i) Connection data; (j) Localisation data; and (k) other data in an electronic form provided to data importer in the context of the software and services.
Sensitive data transferred (if applicable)
The Processing may include sensitive data if such information is uploaded or transmitted via the software, at the sole discretion of the user of the software.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the term of the Agreement.
Nature of the processing
The personal data transferred will be subject to the processing activities that are necessary to provide the data importer’s software and services to the data exporter, including hosting, storage, providing access, and applying analytics.
Purpose(s) of the data transfer and further processing
To provide the data importer’s Services to the data exporter pursuant to the Agreement between the parties governing the provision of the Services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Personal data is transferred to the data importer’s sub-processors for the purpose of providing the data importer’s software and services to the data exporter for the duration of the underlying Agreement unless the personal data is deleted prior to the termination or expiration of that contract by the data exporter or by the data importer at the data exporter’s instruction or pursuant to the terms of the Agreement.
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (in accordance with Clause 13 of the SCCs)
France
Annex II
Technical and Organisational Security Measures
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measure:
- Measures of pseudonymisation and encryption of personal data
- Industry standard encryption technologies for Personal Data that is: (i) transmitted over public networks (i.e., the Internet); or (ii) at rest.
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Organisational management and dedicated staff responsible for the development, implementation and maintenance of Data Importer’s information security program.
- Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Personal Data, as described above.
- Network security controls that provide for the use of stateful firewalls and layered DMZ architectures and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Incident / problem management procedures designed to allow Data Importer to investigate, respond to, mitigate and notify of events related to Data Importer’s technology and information assets.
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Data Importer’s organisation, monitoring and maintaining compliance with Data Importer’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Measures for user identification and authorisation
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage.
- Measures for the protection of data during transmission
- Industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly.
- Measures for the protection of data during storage
- Industry standard encryption technologies for Personal Data that is at rest.
- Measures for ensuring physical security of locations at which personal data are processed
- Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of Data Importer facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Measures for ensuring events logging
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Measures for ensuring system configuration, including default configuration
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Data Importer’s possession.
- Measures for internal IT and IT security governance and management
- Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Data Importer’s technology and information assets.
- Measures for certification/assurance of processes and products
- Organisational management and dedicated staff responsible for the development, implementation and maintenance of Data Importer’s information security program.
- Measures for ensuring data minimisation
- Not applicable to Data Importer. Data Importer is processing the Personal Data on behalf of the Data Exporter for the sole purpose of providing services to the Data Importer for the duration of the services agreement entered into between the Data Importer and the Data Exporter.
- Measures for ensuring data quality
- Not applicable to Data Importer. Data Importer is processing the Personal Data on behalf of the Data Exporter for the sole purpose of providing services to the Data Importer for the duration of the services agreement entered into between the Data Importer and the Data Exporter. The Data Importer does not have the ability to monitor the quality of the Personal Data.
- Measures for ensuring accountability
- The Data Importer takes responsibility for complying with the EU GDPR and the UK GDPR, at the highest management level and throughout its organisation. The Data Importer puts in place appropriate technical and organisational measures, such as: (i) adopting and implementing data protection policies (where proportionate), (ii) putting written contracts in place with organisations that process personal data on its behalf, (iii) maintaining documentation of its processing activities, (iv) implementing appropriate security measures, (v) recording and, where necessary, reporting personal data breaches, and (vi) carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests. The Data Importer reviews and updates its accountability measures at appropriate intervals.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller (and, for transfers from a processor to a sub-processor, to the data exporter).
Sub-processors are required to maintain technical and organizational measures that are consistent with those in this DPA.
Annex III
Sub-processors
The Customer has authorised the use of LiveAction’s affiliates as sub-processors as well as the following:
- Amazon Web Services, Inc.
- Address: 2021 Seventh Ave., Seattle, Washington 98121, USA
- Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
- Data importer uses AWS to host its server infrastructure used by the software and Services.
- Benison Tech USA Inc., and its sub-processor Benison Technologies Pvt Ltd.
- Address: c/o – 2100 Geng Road Embarcadero Place, Suite 210, Palo Alto, CA 94303 USA
- Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
- Data importer uses Benison for technology support
- SunArc Technologies Pvt. Ltd.
- Address: 29,30 Panchshati Circle, Sadulganj, Bikaner 344001 Rajasthan, India
- Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
- Data importer uses SunArc for technology support
- GBSFO
- Address: Sat Rosu, Comuna Chiajna, str. Rezervelor Nr. 46A, fl. 2, Bucharest, Romania
- Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
- Data importer uses GBSFO for technology support