DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “DPA”) is attached and made part of the agreement (the “Master Agreement”) between Customer (as identified on the Order Form), including all affiliates, if any, and the Service Provider which processes Personal Data on behalf of Customer pursuant to the Master Agreement (as identified on the Order Form).

Unless otherwise stated, the terms of this DPA will apply to all processing of Personal Data in relation to the Services provided under the terms of the Master Agreement.

  1. Purpose

The purpose of this data processing addendum (“Addendum”) is to define the provisions under which Voxco undertakes to perform, on behalf of the Customer, the data processing operations, which are described below. 

As part of their contractual relations, the parties shall undertake to comply with the applicable regulations regarding personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation”).

This Addendum amends and supplements the Agreement and any existing contract/terms of service/purchase order or any other document binding the two parties. The provisions of this Addendum are subject to the provisions of the Agreement, provided that, in the event of conflict, the provisions of this Addendum shall control. The Addendum is subject to the limitations of liability, and specifically the aggregate liability cap, of the Agreement.

  2. Duration of the contract

The Addendum, except for any modification as agreed upon by both parties, shall apply for the duration or any time span linking the Customer and Voxco in a relationship of the type controller to processor, or processor to processor, or as described in Section 11 (“International Personal Data Transfers”).

  3. Description of the processing being sub-contracted

Voxco is authorized to provide to the Customer the following products and services as required/applicable as described in the Agreement or other contract between the parties, of which some are subject to an applicable maintenance contract external to this Addendum:

  • A user license for software and any other system components (the “software”) developed and maintained by Voxco under the Agreement or other terms between the parties.
  • Access to servers supplied by Voxco, on which Voxco hosts the software; and access to the software that is used for data collection and processing according to the programming and execution instructions provided by the Customer through their configuration of the software.
  • Online assistance to the Customer’s employees, as well as assistance provided directly by Voxco’s staff, including training, and any other services.
  • Maintenance services and operations conducted by Voxco.
  • For the purposes of such maintenance and for the Customer’s data collection projects, the analysis of computer event logs and collected data, where necessary, by Voxco personnel, who are subject to written contractual confidentiality agreements with Voxco. The access by the Customer to data collected and stored on Voxco-provided servers, where applicable, in order to download this data to and from the Customer’s IT equipment for analysis or other purposes.
  • If Customer provides the servers hosting Voxco’s software, whether these servers are located on the Customer’s premises or on the premises of a third party contractually bound to the Customer, and/or third-party software in connection with the Voxco software, then the access to and processing of the servers and/or third-party software shall be the Customer’s responsibility. Voxco undertakes if requested to install and ensure the software works according to specifications; said software being used by Customer for data collection and processing according to the programming and execution instructions provided by the Customer through their configuration of the software.
  • For on-premises clients, upon request, the configuration, by Voxco, of the software so that data are collected and stored according to the Customer’s instructions on servers to which the Customer has access.

  4. Processor obligations

As the processor, in relation to the Customer, Voxco undertakes to: 

  • process the data solely for the purpose(s) that are subject to the sub-contracting terms established with the controller;
  • only process the data in compliance with the documented instructions of the Customer. Where Voxco considers that an instruction infringes the General Data Protection Regulation or any other legal provision of the Union or of Member States bearing on data protection, it shall immediately inform the controller thereof;
  • take measures to ensure the confidentiality of personal data processed hereunder; and
  • ensure that the persons authorized to process the personal data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and receive the necessary personal data protection training.

  5. Sub-contracting by Voxco

Voxco may engage third party sub-processors (hereinafter referred to as “sub-processor(s)”) for specific processing activities and purposes. Voxco will only engage sub-processors if: (i) it determines they are capable of providing the level of protection required by applicable data protection laws; (ii) the arrangement is governed by a written contract offering a substantially similar level of protection as this Addendum; and (iii) where the sub-processor fails to fulfill its obligations under GDPR, Voxco shall remain liable to Customer for the performance of those obligations as required by GDPR.

Voxco will inform our Customers of any intended changes to the sub-processors used by Voxco, giving Customers the opportunity to review and object to such a change.

Should Customer object to any new sub-contractor within the applicable time period, both parties shall discuss reasonable resolutions (such as stronger data protection measures) or alternatives in good faith (including non-or alternative sub-processors).

As at Jan 25, 2021, the following are potential sub-processors used by Voxco that may process Customer personal data:

| NAME | POTENTIAL ACTIVITY |
| --- | --- |
| SendGrid | Email Delivery North America |
| Mailjet | Email Delivery Europe |
| Twilio | Text Message Delivery North America |
| Salesforce | Support ticket follow-up Global |
| Dimension Data | Applications and data hosting provider Australia |
| Rapidscale | Applications and data hosting provider USA |
| Microsoft Azure | Applications and data hosting provider Europe |
| IBM | Applications and data hosting provider Canada |

  6. Data subjects’ rights to information

It is the responsibility of the Customer to provide the relevant information to the individuals who are subject of the processing activity (i.e. referred to as data subjects under GDPR) at the time their data is collected. 

  7. Exercise of data subjects’ rights

To the extent possible, Voxco shall assist the Customer in fulfilling its obligation to respond when data subjects wish to exercise their rights under GDPR: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be the subject of an automated individual decision (including profiling).

For the most part, Voxco provides a self-service platform that allows Customer to independently obtain and/or modify the information they need to honour respondents’ rights.

Where the data subjects submit requests directly to Voxco to exercise their rights, we will forward these without undue delay to the relevant Customer or ask the respondent to contact the Customer directly (if we cannot determine in which survey the respondent participated).

Where possible, Voxco will forward these requests by email to the person responsible for processing at the Customer or to their Data Protection Officer, if applicable.

  8. Notification of personal data breaches

Voxco will notify the Customer, if affected, of any personal data breach no later than 48 hours after becoming aware of a personal data breach. Notification will be sent via email to the Customer contact, the person responsible for data processing at the Customer or to their Data Protection Officer, if applicable. 

  9. Impact Assessment and Consultation

As a processor, Voxco will provide assistance, to the extent possible, to the Customer in the performance of data protection impact assessments or for consultation purposes before the supervisory authority.  These services are provided at the expense of the Customer.

  10. Voxco’s security measures

Voxco undertakes to implement the following security measures: 

  • the implementation of a training program for its developers designed to provide them the critical skills they need to develop secure applications, identify and address potential vulnerabilities;
  • measures designed to protect the confidentiality, integrity, availability and resilience of processing systems and services, including the confidentiality and security of personal data;
  • the system design for Voxco to restore the availability and access to personal data in a timely manner in the event of Voxco’s physical or technical incident; and
  • the implementation of a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for reasonably ensuring the security of the processing.

  11. International personal data transfers

To the extent that personal data is transferred to Customer outside of a country with an adequacy decision in circumstances where such transfer would be prohibited by an applicable data protection law due to the absence of a transfer mechanism, the parties agree that Module 1 (controller to controller) and Module 4 (processor to controller) provisions of the Standard Contractual Clauses are incorporated by reference into this Addendum and apply in case Personal Data is transferred (including disclosed) to the Customer under such circumstances. The parties’ agreement to this Addendum shall be deemed as having signed the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission’s Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) and their appendixes (“Standard Contractual Clauses”).

If the Standard Contractual Clauses are applicable, the parties agree that:

  • in the context of the services, where Voxco is a Processor and the Customer is a Controller, the personal data disclosures from Voxco to Customer are subject to the Module 4 (processor to controller) provisions of the Standard Contractual Clauses, meaning that Voxco acts as the data exporter and Customer acts as the data importer.
  • in cases where Voxco and Customer are both acting as separate and independent Controllers, the personal data exchanges between the parties are subject to the Module 1 (controller to controller) provisions of the Standard Contractual Clauses, whereby Voxco acts as the data exporter and Customer acts as the data importer.
  • pursuant to Clauses 17 (Governing law) and 18 (Choice of forum and jurisdiction) any dispute arising out of the Standard Contractual Clauses will be resolved in accordance with the laws of France in Paris, France.
  • details required under the Standard Contractual Clauses’ Annexes are provided below in Schedule 2.

Where the parties rely on an adequacy decision as a data transfer safeguard, if the adequacy decision is amended or withdrawn resulting in the inability to rely on it, the transfer of the personal data between the parties shall be conducted in accordance with the Standard Contractual Clauses approved by the European Commission, including applying any other necessary terms.

  12. Responsibilities of the Customer

The Customer is responsible for all actions its staff performs using Voxco’s software applications and systems. In particular, the Customer is responsible for, but not limited to, the following:  

  • Notice to, and communication with, the data subjects who provide their personal data, and as a result, providing these data subjects with information regarding the manner in which their data will be processed.
  • Responding, where required, to requests from data subjects who wish to have access to stored data related to them, to rectify or destroy said data, or request action on any other rights afforded to them under GDPR. In this regard, Voxco’s applications contain features that allow the Customer to meet the data subjects’ requests. At the request and expense of the Customer, Voxco may provide additional technical assistance to enable the Customer to comply with its GDPR obligations.
  • The access rights granted to Customer employees to use the software provided by Voxco, and for the use that these employees may make of the data to which they have access.
  • Informing Voxco of any anomaly or flaw in any aspect of the software or databases that it may detect and that could endanger the confidentiality and security of the data subjects’ personal data.
  • Limiting the processing of personal data to the strict needs of the purposes for which these personal data were collected, stored and otherwise treated.
  • The accuracy, quality, and legality of personal data.
  • The means by which the personal data was acquired.
  • Ensuring the services are appropriate for Customer as well as its personal data, and the processing lawful under the applicable data protection laws.
  • Ensuring any required consent of a data subject is obtained.
  • Establishing and maintaining the applicable information security safeguards and policies for protecting personal data in Customer’s facilities and data centers.

  13. Return or deletion of Customer data

Upon completion of the services related to the processing of Customer data, Voxco undertakes to provide the Customer with the necessary technical assistance so that the Customer may, where applicable, transfer the data stored on Voxco’s servers back to its own servers. Furthermore, if the Customer so wishes, Voxco will provide assistance to destroy any personal data remaining on Voxco’s servers.

Upon termination of any contract between the two parties, any Customer data that has not previously been deleted and remains on Voxco’s servers may be destroyed within 30 days of the termination of the contract. 

  14. Voxco Privacy Contact

Questions or notices about data protection may also be directed to Voxco by email to privacy@voxco.com.

  15. CCPA

Where Customer is a “business” as defined and covered by the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended (“CCPA”), or a service provider to such a business, the following section applies: Voxco shall be a service provider to Customer under the CCPA. Voxco will not: (i) sell, or share for cross-contextual behavioral advertising, personal data; (ii) retain, use, or disclose personal data for any purpose other than for the specific purpose of performing the services specified in the Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than providing the services specified in the Agreement; (iii) retain, use, or disclose the personal data outside of the direct business relationship between Voxco and Customer; or (iv) combine personal data from Customer with personal data that Voxco receives from another customer, or collects from its own interactions with an individual. Voxco acknowledges and agrees that it understands the requirements of the CCPA for service providers and will comply with them as applicable.

  16. Documentation

Voxco provides the Customer with the necessary documentation for demonstrating compliance with all its obligations and for allowing the Customer or any other auditor it has authorized to conduct audits, including inspections, and for reasonably contributing to such audits. Such audits shall be subject to reasonable advance written notice, occur not more than once per calendar year, and at Customer’s cost.

  17. Updates / Change in Law

No alteration, amendment, or modification of this Addendum will be valid unless in writing and signed by an authorized representative of both parties. Notwithstanding the foregoing, Voxco may, subject to thirty (30) days’ written notice to Customer, make any reasonable variations to this Addendum necessary to address the requirements of any applicable data protection law, provided that Customer has an opportunity to object to the amendment.

  18. No Third Party Beneficiaries.

Nothing expressed or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.

SCHEDULE 1

Data Processing Details

For the purposes of the Addendum and Schedule 2, the parties set out below a description of the Personal Data being processed under the Agreement.

Subject Matter of the Processing

Vendor’s provision of the Services to Company.

Nature and purpose of Processing

The collection and storage of Personal Data pursuant to providing the Services to Company.

Types of Personal Data

Personal Data that Company in its discretion provides for the Services or Vendor is directed to collect.

Sensitive Personal Data and applied restrictions

Sensitive Personal Data that Company in its discretion provides for the Services or Vendor is directed to collect.

Categories of Data Subject

Data Subjects may include any persons (including without limitation employees, customers, or suppliers) about whom Personal Data is provided to Vendor for the Services by, or at the direction of, Company.

Duration of Processing

For the duration of the Agreement, or until the processing is no longer necessary for the purposes.

List of Subprocessors

See Section 5 of the Addendum.

SCHEDULE 2

Standard Contractual Clauses

  1. For the purposes of this Schedule 2, the Standard Contractual Clauses (Module I and Module IV as applicable), available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by reference to this Schedule and this Addendum and shall be considered an integral part thereof, and the Parties’ signatures in the Addendum, shall be construed as the Parties’ signature to the Standard Contractual Clauses. In the event of an inconsistency between the Addendum and the Standard Contractual Clauses, the latter will prevail.
  2. For the purposes of the Standard Contractual Clauses, the following shall apply:
  • Voxco shall be the data exporter and Customer shall be the data importer. Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the Standard Contractual Clauses.
  • Clause 7 (Docking clause) shall be deemed as included.
  • Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included.
  • Clause 13 (a) (Supervision):
  • [Where Voxco is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
  • Clause 17 (Governing law):

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of France.

  • Clause 18 (b) (Choice of forum and jurisdiction): The Parties agree that any dispute between them arising from the Standard Contractual Clauses shall be resolved by the courts of Paris, France.

ANNEX I to Schedule 2

  A. LIST OF PARTIES

Data exporter(s):

Name: Voxco as specified on the Agreement

Address: As specified on the Agreement

Contact person’s name, position and contact details: As specified on the Agreement or available on Privacy Policy

Activities relevant to the data transferred under these Clauses: data exporter will transfer Personal Data to the data importer as required for the provision of Services by the data importer under the Agreement and as set out in the DPA.

Signature and date: please refer to signature and date in the Agreement.

Role (controller/processor): Controller or Processor, as appropriate

Data importer(s):

Name: Customer as specified on the Agreement

Address: As specified on the Agreement

Contact person’s name, position and contact details: As specified on the Agreement or available on Privacy Policy.

Activities relevant to the data transferred under these Clauses: data importer will process personal data as required for the provision of Services under the Agreement and as set out in the Agreement.

Signature and date: signature and date in the Agreement

Role (controller/processor): Controller or Processor, as appropriate

  B. DESCRIPTION OF TRANSFER


Categories of data subjects whose personal data is transferred
See Schedule 1 to the Addendum

Categories of personal data transferred
See Schedule 1 to the Addendum

Sensitive data transferred (if applicable) and applied restrictions or safeguards
See Schedule 1 to the Addendum

Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfers will occur from time to time as required during the course of the performance of the Services under the Agreement.

Nature of the processing
See Schedule 1 to the Addendum

Purpose(s) of the data transfer and further processing
See Schedule 1 to the Addendum

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Schedule 1 to the Addendum

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Schedule 1 to the Addendum

  C. COMPETENT SUPERVISORY AUTHORITY
    Identify the competent supervisory authority/ies in accordance with Clause 13

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL
Measures equivalent to those provided in clause 10 of the Addendum

ANNEX III – LIST OF SUB-PROCESSORS
See Schedule 1 to the Addendum