Effective from 2/18/2022
Data Processing Addendum
Data Processing Addendum Notice
Last updated February 18, 2022
We provide the latest version of the OptiSigns DPA for you to review here. If you would like to get it signed and executed with us, please contact us at support@optisigns.com.
Signing a DPA does not change our practices regarding the protection of your privacy and your data. Every customer gets the same high standards of privacy and security.
Data Processing Addendum
This Data Processing Addendum (this “Addendum”) is part of the agreement between you and the Company and applies only to the extent the Company receives, stores, or Processes Personal Data in connection with the Terms of Use and your capacity as Controller and the Company’s capacity as Processor. Capitalized terms used in this Addendum but not otherwise defined will have the meanings attributed to them in the Terms of Use. Except for the changes made by this Addendum, the Terms of Use between you and the Company remain in full effect.
1. Operative Provisions.
(a) Definitions.
(i) In this Addendum:
Controller: has the meaning given in applicable Data Protection Laws from time to time.
Data Protection Laws: means, as binding on either party or the services:
- The Directive 95/46/EC (Data Protection Directive) and/or Data Protection Act 1998 or the GDPR;
- Any laws which implement any such laws or regulations; and
- Any laws that replace, extend, re-enact, consolidate, or amend any of the foregoing.
Data Subject: has the meaning given in applicable Data Protection Laws from time to time.
GDPR: means the General Data Protection Regulation (EU) 2016/679.
International Organization: has the meaning in the GDPR.
Personal Data: has the meaning given in applicable Data Protection Laws from time to time.
Personal Data Breach: has the meaning given in applicable Data Protection Laws from time to time.
Processing: has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed, processing, and processes shall be construed accordingly).
Processor: has the meaning given in applicable Data Protection Laws from time to time.
Protected Data: means Personal Data received from you or on your behalf in connection with the performance of our obligations under the applicable Terms of Use.
(b) Your Compliance with Data Protection Laws.
The parties agree that you are a Controller, and we are a Processor for the purposes of Processing Protected Data pursuant to the Terms of Use. You shall at all times comply with all Data Protection Laws in connection with the Processing of Protected Data. You shall ensure all instructions given by you to us in respect of Protected Data (including the terms of the Terms of Use) shall at all times be in accordance with Data Protection Laws.
(c) Our Compliance with Data Protection Laws.
We shall Process Protected Data in compliance with the obligations placed on us under Data Protection Laws and the Terms of Use.
(d) Security.
Taking into account the state of technical development and the nature of Processing, we shall implement and maintain the technical and organizational measures set out in Section 2(b) of this Addendum to protect the Protected Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.
(e) Instructions.
(i) We shall only process (and shall ensure our personnel only process) the Protected Data in accordance with Section 2(a) of this Addendum and the Terms of Use, except to the extent:
(A) that alternative Processing instructions are agreed between the parties in writing; or
(B) otherwise required by applicable law (and shall inform you of that legal requirement before Processing, unless applicable law prevents us doing so on important grounds of public interest).
(ii) Without prejudice to Section 1(e)(i), if we believe that any instruction received by us from you is likely to infringe the Data Protection Laws, we shall promptly inform you and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing.
(f) Sub-processing and Personnel.
(i) We shall:
(A) not permit any processing of Protected Data by any agent, subcontractor, or other third party (except its or its Sub-Processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without your authorization;
(B) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this Schedule (including those relating to sufficient guarantees to implement appropriate technical and organizational measures) that is enforceable by us and ensure each such Sub-Processor complies with all such obligations;
(C) remain fully liable to you under this Addendum for all the acts and omissions of each Sub-Processor as if they were our own; and
(D) ensure that all persons authorized by us or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
(g) List of Authorized Sub-Processors.
(i) You expressly authorize the appointment of the Sub-Processors listed below.
(A) Amazon: Cloud Hosting
(B) DigitalOcean: Cloud Hosting
(C) Compose.com: Cloud Database
(D) Google: Cloud Storage, Internal Collaboration, Marketing, Analytics
(E) Cloudflare: Content Delivery Network
(F) Transloadit: File Conversion
(G) Zapier: Process Automation
(H) Elastic.io: Log & Monitoring
(I) Sentry.io: Log & Monitoring
(J) HubSpot: Customer Relation Management
(K) Customer.io: Customer Communication
(L) Slack: Internal Communication
(M) Zendesk: Issue Management
(N) Stripe: Payment Processor
(h) Assistance.
(i) We shall (at your cost) assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the Processing and the information available.
(ii) We shall (at your cost), taking into account the nature of the Processing, assist you (by appropriate technical and organizational measures), insofar as this is possible, for the fulfilment of your obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
(i) Audits and Processing.
We shall, in accordance with Data Protection Laws, make available to you such information that is in our possession or control as is necessary to demonstrate our compliance with the obligations placed on us under this Addendum and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by you (or another auditor mandated by you) for this purpose (subject to a maximum of one audit request in any 12-month period under this paragraph).
(j) Breach.
We shall notify you without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
(k) Deletion/Return and Survival.
Following the termination of the services relating to the Processing of Protected Data, at your cost and upon your election, we shall either return all of the Protected Data to you or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires us to store such Protected Data. If you do not elect to have Protected Data deleted or returned, we will retain certain of the Protected Data in case of the restart or renewal of services hereunder. This Addendum shall survive termination or expiry of the Terms of Use.
2. Data Processing and Security Details.
(a) Data Processing Details.
(i) Subject-matter of Processing:
Orders, requests, and related software use and access requested through the Company’s platform.
(ii) Duration of the Processing:
Personal Data will be retained for the duration of your engagement with the Company and returned or destroyed in accordance with the terms hereof.
(iii) Nature and purpose of the Processing:
Personal Data will be Processed in accordance with the Terms of Use and this Addendum for the purpose of complying with valid instructions from Controller to Processor.
(iv) Type of Personal Data:
Any data uploaded or captured in accordance with the Terms of Use in connection with the use of our platform, including (but not limited to) email addresses, names, and related Personal Data.
(v) Categories of Data Subjects:
Individuals about whom Personal Data is uploaded or captured in compliance with the Terms of Use in connection with the use of Processor’s platform by Controller.
(b) Technical and Organizational Security Measures.
We shall implement and maintain the following technical and organizational security measures to protect the Protected Data:
(i) In accordance with the Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the Processing of the Protected Data to be carried out under or in connection with the Terms of Use, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the Processing, especially from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Protected Data transmitted, stored, or otherwise processed, we shall implement appropriate technical and organizational security measures appropriate to the risk, including as appropriate those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR.
(c) International Data Transfers.
(i) Some jurisdictions require that an entity transferring Personal Data to, or accessing Personal Data from, a foreign jurisdiction take extra measures to ensure that the Personal Data has special protections. In the absence of appropriate safeguards pursuant to Article 46, the transfer is subject to the Standard Contractual Clauses approved by the European Commission, which themselves form part of this DPA (Attachment 1).
(ii) You agree to indemnify and hold the Company, its directors, officers, employees, agents, and representatives harmless, including costs and attorneys’ fees, from any claim or demand made by any third party due to or arising out of (i) your access to or use of the Company’s platform, (ii) your violation of the Terms of Use or this Addendum, (iii) your infringement, or the infringement by any third party using your registration information, of any intellectual property, or other right of any person or entity, including but not limited to any third party claims relating to your use, disclosure, or transfer of Personal Data to the Company, and (iv) the Data or any other materials provided to the Company.