“Data Controller”, “Data Processor”, “subprocessor”, “Supervisory Authority”, “data subject” and “process” have the meanings given in the relevant Data Protection Requirements (as defined below). “Consumer”, “business”, “sale”, and “service provider” shall have the meaning given in the CCPA (as defined below). “Personal Data” means (a) the personal data (as defined in GDPR) that Company provides to Supplier for the provision of the Services and (b) any other information that Company provides to Supplier for the provision of the Service that constitutes “personal information” under and governed by the CCPA.
As between the parties, with regard to EU Personal Data, Company is a Data Controller and Supplier may be either a Data Processor for a Company entity located in the EU or a subprocessor with regard to EU Personal Data.
As between the parties, with regard to CA Personal Data, Company is a business and Supplier is a service provider.
1. Nature of Data Processing.
The subject matter of the data processing, including the processing operations carried out by Supplier on behalf of Company and Company’s data processing instructions for Supplier, will be described in the Agreement, this Addendum, and each SOW, Order, or equivalent document where Company orders services, or licenses software from, Supplier, which form integral parts of the Agreement.
Categories of data subjects: Individuals who may use Supplier’s services as provided to Company under the Agreement.
Types of Personal Data processed: Personal Data provided by Customer to Supplier in connection with the Agreement, including Name and Surname, email address, other profile information, content of messages sent by data subjects in connection with the services under the Agreement.
2. Compliance with Laws.
The parties shall each comply with their respective obligations under all applicable laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data (“Privacy Laws”), including, without limitation, the California Consumer Privacy Act of 2018 (as amended) (“CCPA”). With regard to EU Personal Data, the parties will comply with each of their respective obligations under the EU Data Protection Directive 95/46/EC (as amended), (the “Directive”), any subordinate legislation and regulation implementing the Directive which may apply (“Local Data Protection Laws”), and, as of 25 May 2018 and thereafter, the European Union Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or “GDPR”) and any subordinate legislation and regulation implementing the GDPR which may apply (collectively, with Privacy Laws, the “Data Protection Requirements”).
3. Company Obligations.
provide instruction to Supplier and determine the purposes and general means of Supplier’s processing of Personal Data on behalf of Company under the Agreement; and
comply with its personal data protection, data security and other obligations prescribed by Data Protection Requirements for Data Controllers by, without limitation, meeting its obligations under Data Protection Requirements to:
A. establish and maintain a procedure for the exercise of the rights of the individuals whose EU Personal Data Supplier processes on behalf of Company;
B. as required by Data Protection Requirements, provide notice and obtain consent from the individuals whose EU Personal Data Supplier processes on behalf of Company;
C. establish or ensure that another party has established a legal basis for Supplier’s processing of Personal Data contemplated by this Addendum;
D. process only data that have been lawfully and validly collected and ensure that such data will be relevant and proportionate to the respective uses; and
E. ensure compliance with the provisions of this Addendum by its personnel and by any person accessing or using Personal Data on its behalf.
By entering into this Addendum, Company instructs Supplier to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as authorised by the Agreement, including this Addendum; and (c) as further documented in any other written instructions given by Company and acknowledged in writing by Supplier as constituting instructions for purposes of this Addendum.
4. Supplier Obligations.
Supplier, in its capacity as a Data Processor or subprocessor of Personal Data, shall:
A. process Personal Data solely for the purposes of providing the Services as described in the Agreement (which shall encompass the processing authorized by Company’s instructions), and in compliance with the instructions received from Company and the Agreement;
B. not sell any CA Personal Data or retain, use or disclose CA Personal Data outside of the direct business relationship between Supplier and Company;
C. inform Company immediately if, in Supplier’s opinion, an instruction from Company violates applicable Data Protection Requirements;
D. adopt and maintain appropriate security measures including organizational and technical measures (the “Security Measures” as set forth in Attachment 1), designed to ensure a level of security appropriate to the risks presented by processing the Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
E. grant access to Personal Data only to personnel who need such access for the scope of their job duties, and are subject to appropriate confidentiality arrangements;
F. if it intends to engage one or more third parties acting on its behalf (“subprocessor”) to help it to satisfy its obligations in accordance with this Addendum or to delegate all or part of the processing activities to such subprocessors, (i) remain responsible, and liable, to Company for the subprocessors’ acts and omissions with regard to data protection; and (ii) enter into contractual arrangements with such subprocessors requiring them to provide a substantially similar level of data protection compliance and information security to that provided for herein. Subject to the requirements of this Section 4.1(F), Company hereby generally authorizes the engagement of subprocessors. Information about subprocessors is available at https://help.donut.ai/en/articles/4120017-do-you-use-any-subprocessors (as may be updated by Supplier from time to time). When any new subprocessor is engaged during the term of the Agreement, Supplier will notify Company of the engagement by updating this website. If Company objects to such engagement in a written notice to Supplier within 15 days of being informed thereof on reasonable grounds relating to the protection of Personal Data, Supplier and Company will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Company may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Supplier.
Supplier shall inform Company without delay if Supplier becomes aware of:
A. any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities; or
B. any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data.
Supplier further agrees to notify Company of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in Supplier’s possession, custody or control (“Personal Data Breach”) without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
Supplier shall reasonably assist Company regarding:
A. any requests from data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Personal Data. In the event that a data subject sends such a request directly to Supplier, Supplier will direct the data subject to submit such request to Company directly, and Company shall be responsible for responding to such requests;
B. the investigation of Personal Data Breaches and the notification to the Supervisory Authority and data subjects in respect of such breaches by providing available details of the Personal Data Breaches, including steps Supplier has taken to mitigate the potential risks and steps Supplier recommends Company take to address the Information Security Incident; and
C. the preparation of data protection impact assessments and, where applicable, carrying out consultations with any Supervisory Authority.
If Supplier is required by Data Protection Requirements to process any Personal Data other than as set forth in this Addendum, Supplier shall inform Company of this requirement in advance of any processing, unless Supplier is legally prohibited from informing Company of such processing.
5. Audit; Certification.
Company may audit Supplier’s compliance with this Addendum up to once per year and on such other occasions as may be required by Data Protection Requirements. Supplier will cooperate with the audit by providing Company or Company’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. Company will reimburse Supplier for its reasonable expenses incurred to cooperate with such an audit. For the purposes of this section, “Supervisory Authority” has the same meaning as given by Article 28 of the Directive or, from 25 May 2018, Article 51 of the General Data Protection Regulation. The audit must be conducted during regular business hours, subject to an agreed upon audit plan and Supplier’s safety, security or other relevant policies, and may not unreasonably interfere with Supplier’s business activities. Supplier shall not be required to breach any duties of confidentiality in connection with such audit, and Company may use the audit reports only for the purposes of meeting Company’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum.
6. Data Transfers.
Supplier is located in the United States and may store and process Personal Data in the United States or anywhere Supplier or its Subprocessors maintain facilities. To the extent Slack maintains the Company’s Slack workspace in the EEA, Switzerland or the United Kingdom, transfers of EU Personal Data from the Company’s Slack workspace to Supplier in the US (or in another country not deemed by the European Commission to have adequate data protection) are governed by (a) with respect to transfers from Switzerland to the United States, the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, or (b) where the Swiss-U.S. Privacy Shield does not apply, the Standard Contractual Clauses for the transfer of EU Personal Data to processors established in third countries in the form set out by European Commission Decision 2010/87/EU (“Standard Contractual Clauses”), the terms of which are hereby incorporated into this Addendum.
In furtherance of the foregoing, the parties agree that:
- for purposes of the Standard Contractual Clauses, (a) Company will act as the data exporter; and (b) Supplier will act as the data importer;
- for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate) and the processing operations shall be as set out in Section 1 to this Addendum (Nature of Data Processing);
- for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;
- upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand;
- the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 5 of this Addendum (Audit; Certification) and satisfy the parties’ rights and obligations under the Standard Contractual Clauses;
- Company agrees that the provisions of Section 4.3 of this Addendum satisfy the requirements under the Standard Contractual Clauses between Company and Supplier under Clause 5(d)(ii);
- Company’s authorizations in Section 4.1(F) of this Addendum constitute Company’s prior written consent to the subcontracting by Supplier of the processing of EU Personal Data if such consent is required under Clauses 5(h) and 11(1) of the Standard Contractual Clauses; and
- certification of deletion of EU Personal Data in Clause 12(1) of the Standard Contractual Clauses shall be provided upon Company’s request.
Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the lawful transfer of EU Personal Data outside the EEA (e.g., binding corporate rules) applies to the transfer.
Company acknowledges and agrees that Supplier may create and derive from processing under the Agreement anonymized and/or aggregated data that does not identify Company or any natural person, and use, publicize or share with third parties such data to improve Supplier’s products and services and for its other lawful business purposes.
This Addendum shall remain in effect as long as Supplier carries out Personal Data processing operations on behalf of Company or until the termination of the Agreement and all associated SOWs (and all Personal Data has been returned or deleted in accordance with section 9 below).
9. Data Return and Deletion.
The parties agree that upon the expiration or termination of the Agreement, Supplier shall securely destroy all Personal Data and, at the request of Company, certify that it has taken such measures, unless applicable laws prevent Supplier from returning or destroying all or part of the Personal Data disclosed. In such case, Supplier agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date in order to comply with the laws it is subject to.
The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with this Addendum and the Standard Contractual Clauses (if entered into as described in Section 6 of this Addendum) combined will be limited to the liability limitations or other liability caps agreed to by the parties subject to Section 10.1.
Nothing in this Section 10 will affect any party’s liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent the limitation of such rights is prohibited by Privacy Laws or Local Data Protection Laws, where applicable.
Supplier may update the Security Measures from time to time, provided the updated measures do not decrease the overall protection of Personal Data.
- Organizational management and staff responsible for the development, implementation and maintenance of the Supplier’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Supplier’s organization, monitoring and maintaining compliance with the Supplier’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Supplier’s passwords that are assigned to its employees have defined complexity.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Supplier’s technology and information assets.
- Incident management procedures designed to allow Supplier to investigate, respond to, and mitigate events related to the Supplier’s technology and information assets.
- Disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters.