This Data Processing Agreement (the DPA) governs the processing of personal data from a CompanionLink customer (Customer) by CompanionLink Software, Inc. (CompanionLink) in the case that Customer is regulated by EU Data Protection Laws.
This DPA is incorporated into the End User License and CompanionLink Services Agreement and incorporates the CompanionLink Privacy Agreement. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the EU Standard Contractual Clauses; (b) this DPA; (c) the CompanionLink Services Agreement and the CompanionLink Privacy Policy.
This DPA incorporates Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010.
Controller to Processor
Definitions
"Customer Personal Data" means Personal Data that pertains to Customer, or that Customer uploads or sends to CompanionLink, that is subject to EU General Data Protection Regulations.
"Data Controller" means Customer.
"Data Processor" means CompanionLink.
Other terms have the meaning stated in the EU General Data Protection Regulation.
Applicability
This Data Processing Agreement is applicable only where regulated by EU Data Protection Laws.
Processing of Customer Personal Data
CompanionLink agrees to process Personal Data received by Customer only for the purposes set forth in the Agreement. The categories of Personal Data are described in Schedule A.
Customer agrees to:
a. Provide instructions to CompanionLink and determine the purposes and general means of CompanionLink's processing of Customer Personal Data in accordance with the Agreement;
b. Comply with its protection, security and other obligations with respect to Customer Personal Data prescribed by Data Protection Requirements for data controllers; and
c. Notify CompanionLink if any Personal Data contains Sensitive Personal Data that may be subject to additional security measures, and to adopt any measures CompanionLink suggests that increase security of such data.
CompanionLink agrees to:
a. Provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks.
b. Process Customer Personal Data (i) according to the Customer's instruction for providing sync services and providing technical support for Customer;
c. Inform Customer promptly if an instruction from Customer violates applicable Data Protection Requirements;
d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on CompanionLink's behalf comply with the terms of the Agreement;
e. Ensure Subprocessors comply with the obligations of this DPA. CompanionLink is liable to Customer for the Subprocessors' acts and omissions with regard to data protection. CompanionLink maintains contractual arrangements with Subprocessors binding them to provide the same level of data protection and information security as that provided for herein;
f. Maintain organizational and technical security measures to protect against unauthorized or accidental access, loss, disclosure or destruction of Customer Personal Data;
g. Be responsible for the Customer Personal Data and liable for any failure by such CompanionLink personnel to meet the terms of this DPA;
h. Notify Customer of any Personal Data Breach by CompanionLink, its Subprocessors, or any other third-parties acting on CompanionLink's behalf within 72 hours of becoming aware of a Personal Data Breach.
Rights of Data Subjects
If the Data Controller or Data Processor receives a request from a data subject for the exercise of the data subject's rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the other party's assistance, each party shall assist the other party by providing the necessary information and documentation.
Documentation of compliance and Audit Rights
Upon Customer's request by email to [email protected], CompanionLink will email DPIA certification or audit results, if any. If this Report does not provide sufficient information to confirm compliance with the terms of this DPA, then Customer or an accredited third-party audit firm agreed to by both Customer and CompanionLink may audit CompanionLink's compliance with the terms of this DPA during regular business hours, with reasonable advance notice to CompanionLink and subject to reasonable confidentiality procedures. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for all time CompanionLink expends for any such audit, in addition to the rates for services performed by CompanionLink. Before the commencement of any such audit, Customer and CompanionLink shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify CompanionLink with information regarding any non-compliance discovered during the course of an audit. Customer may not audit CompanionLink more than once annually.
Data Transfer
CompanionLink will not transfer data to servers outside the country of service other than the one selected by Customer when Customer created their account, except by Customer request.
Data Deletion
The parties agree that on the termination of the data processing services or upon Customer's reasonable request, CompanionLink shall, and shall cause any Subprocessors to, at the choice of Customer, return all the Customer Personal Data and copies of such data to Customer or securely destroy them and demonstrate to the satisfaction of Customer that it has taken such measures, unless Data Protection Requirements prevent CompanionLink from returning or destroying all or part of the Customer Personal Data disclosed. In such case, CompanionLink agrees to preserve the confidentiality of the Customer Personal Data retained by it and that it will only actively process such Customer Personal Data after such date in order to comply with applicable laws.
Duration
This DPA shall remain in effect as long as Customer uses CompanionLink as a Data Processor. When Customer ends use, CompanionLink will delete Customer Personal Data within seven months, and maintain backups for two more months, with the exception of purchase and account records.
Limitation of Liability
The total aggregate liability to the Customer, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the "Limitation of Liability" clause set out in the CompanionLink Services Agreement.
Governing Law
Notwithstanding anything in the Agreement to the contrary, this DPA shall be governed by the laws of the State of Oregon, USA.
SCHEDULE A
Description of the Transfer
1. Subjects. The personal data transferred concern the following categories of data subjects:
• Contacts contained in Customer's synchronized database
• Calendar and Task items related to Contacts
• Notes and other material related to Contacts
2. Purpose. The transfer is made for the following purposes:
The transfer enables the data exporter to use data importer's service to view Personal Data on a website, or to move Personal Data to another device, usually a mobile phone.
3. Categories. The personal data transferred concern the following categories of data:
Personal data may include first name, last name, email address, contact information, calendar events, CRM data and notes, as provided by the data exporter regarding the foregoing.
4. Sensitive Data.
Data exporter to notify data importer if any data is Sensitive.
Subprocessors
The following is a list of CompanionLink Subprocessors:
Rackspace, Inc.
Linode, LLC.
Vultr Holdings Corporation
Data Protection Officer
For CompanionLink:
[email protected]
CompanionLink Software, Inc.
519 SW 3rd Ave, Suite 803
Portland, OR 97204
Last modified: Feb 28, 2023 1:06 pm