Data Processing Addendum

How we process Personal Data on your behalf in connection with providing services or use of the PartnerStack Platform.


1. Parties and Background

a. CUSTOMER as named in the relevant order form, exhibit, attachment, addendum or  other agreement (the “Customer”); and PARTNERSTACK INC., a corporation incorporated under the laws of Delaware, having its registered office at 1000 Brickell Avenue Suite #715 (PMB-315) Miami, FL 33131 (“PartnerStack”) (each a “Party” and together the “Parties”) entered into a services agreement as dated in the relevant order form, exhibit, attachment, addendum or other agreement (the “Agreement”). This Data Processing Addendum forms part of the Agreement and shall be effective as of the effective date of the Agreement and shall continue in effect until PartnerStack deletes or returns Customer Personal Data as set forth herein.

b. To the extent that PartnerStack processes Customer Personal Data (as defined below) on behalf of Customer or its affiliates in connection with providing the Services, the Parties have agreed that it shall do so under the terms of this Data Processing Addendum (“DPA”).

c. In the event of any conflict between this DPA and the Agreement, the DPA shall control with respect to any processing of Customer Personal Data.

2. Roles of the Parties

a. The Parties acknowledge and agree that:

i. for the purposes of the GDPR, Customer is the Data Controller and PartnerStack is the Data Processor; and

ii. for the purposes of the CCPA, PartnerStack is a Service Provider to Customer.

3. Details of Data Processing

a. The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Agreement and in Appendix 1.

b. PartnerStack will only process Customer Personal Data according to the instructions of Customer and in accordance with applicable law. The Agreement and this DPA constitute Customer's instructions for PartnerStack’s processing of Customer Personal Data.

c. In using the PartnerStack Platform, Customer represents and warrants that they: (i) will at all times comply with all applicable laws (including all applicable privacy laws); and (ii) have obtained all required rights, authorizations, consents and permissions for all information, material, or content that they enter into the Platform including any information about identifiable individuals (“Personal Information”). If Customer has collected Personal Information from another site and is sharing it on the Platform, Customer represents that they have disclosed that fact in a publicly facing and appropriate privacy policy.

d. If PartnerStack believes Customer’s instructions are not compliant with applicable law or outside the scope of the Agreement or the DPA, PartnerStack will promptly inform Customer thereof, unless prohibited by applicable law (without prejudice to the SCCs) and will not further process Customer Personal Data until the issue is resolved.  

e. PartnerStack may anonymize Customer Personal Data through a reliable state of the art anonymization procedure and may use such anonymized data for its own business purposes, including for research, development of new products and services, and security purposes.

4. Sub-Processors

a. PartnerStack may utilize Sub-processors to process Customer Personal Data subject to Section 4 (b). PartnerStack’s current Sub-processors are identified as of the Effective Date.  

b. PartnerStack shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than PartnerStack’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.

c. Should PartnerStack elect to engage another Sub-processor (including any addition or replacement of any Sub-processors), it shall provide Customer with at least thirty (30) days' notice. Customer may object to the new Sub-processor by providing PartnerStack with written notice of the objection within ten (10) days after PartnerStack has provided notice to Customer of such proposed change (an "Objection"). With an Objection, Customer and PartnerStack will work together in good faith to resolve the Objection. If the parties cannot resolve the Objection within a reasonable time, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such Objection period, PartnerStack may suspend the affected portion of the Services.  If Customer does not object during the period set forth above, it shall be deemed to have consented to the use of the new Sub-processor.

5. Data Subject Requests

a. Customer shall have sole responsibility to respond to requests by any Data Subject related to their rights in relation to Customer Personal Data (“Data Subject Request”).

b. If PartnerStack receives a Data Subject Request, it will forward it to Customer without undue delay and may advise the individual to submit their request directly to Customer.

c. PartnerStack will (taking into account the nature of the processing of Customer Personal Data) provide Customer with reasonable assistance as necessary and at Customer’s expense to allow Customer to fulfil its obligation to respond to Data Subject Requests, including if applicable, Customer’s obligation to respond to requests to exercise the rights set out in the GDPR or CCPA.

6. Security and Audits

a. Taking into account the state of the art, the implementation costs as well as the nature, scope, context and purposes of processing, PartnerStack will implement and maintain appropriate technical and organizational measures designed to ensure security of Customer Personal Data, including, without limitation, protection against unauthorized or unlawful processing, unauthorized or unlawful disclosure of, access to and/or alteration of Customer Personal Data and against accidental loss, destruction, or damage of or to Customer Personal Data.

b. PartnerStack will ensure that its personnel who are authorized to access Customer Personal Data are subject to appropriate confidentiality obligations.

c. PartnerStack will implement and maintain the measures set out in Annex II. PartnerStack may periodically update or modify the security measures set out in Annex II.

d. Upon thirty (30) days’ notice and at Customer’s expense, Customer or its independent third-party auditor reasonably acceptable to PartnerStack may audit PartnerStack’s compliance with its obligations under this DPA up to once per year unless more frequent audits are required by a competent data authority or following a Security Incident.  All such audits must be conducted during regular business hours and may not unreasonably interfere with PartnerStack business activities.  

e. Customer will promptly notify PartnerStack of any non-compliance discovered by an audit and provide PartnerStack any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

f. PartnerStack shall audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with data protection law and the obligations set upon Sub-processors according to the data processing agreement concluded with them.

7. Security Incidents

a. PartnerStack shall notify the Customer without undue delay after becoming aware of any incident where the security of Customer Personal Data has been compromised or is likely to have been compromised (a “Security Incident”). PartnerStack will investigate the Security Incident and provide the Customer with such co-operation and assistance as may be reasonably required to comply with any notification or reporting obligations which may apply in respect of any such personal data breach.

8. Deletion and Return

a. PartnerStack shall, within 45 days of the date of termination or expiry of the Agreement, (a) if requested to do so by Customer within that period, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by Customer to PartnerStack; and (b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by PartnerStack or any Sub-processors unless EU law or the laws of an EU Member State require storage of the personal data.

9. Impact Assessments

a. PartnerStack will (taking into account the nature of the Processing and the information available to PartnerStack) reasonably assist Customer at Customer’s expense in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of PartnerStack’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA.

10. Data Transfers

a. PartnerStack and its sub-processors may process personal data outside the EEA in one or more countries that have not received an adequacy decision as required by GDPR. The transfer of personal data from the Customer to PartnerStack in these circumstances shall be governed by the Standard Contractual Clauses, which are hereby incorporated into this DPA. For the purpose of the Standard Contractual Clauses:

i. The data exporter is the Customer;

ii. The data importer is PartnerStack;

b. For the purpose of Annex I to the Appendix to the Standard Contractual Clauses, the (A) list of parties, (B) description of the transfer, and (C) competent supervisory authority are as set out or referenced in Annex I to this DPA;

c. For the purpose of Annex II to the Appendix to the Standard Contractual Clauses, the technical and organisational measures implemented by PartnerStack are set out or referenced in Annex II to this DPA;

d. For the purpose of Annex III to the Appendix to the Standard Contractual Clauses, the list of sub-processors is set forth in Section 4(a) of this DPA; and

11. Customer Personal Data Subject to UK and Swiss Data Protection Laws

a. To the extent that the processing of Customer Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 1 shall apply.

12. Customer Personal Data Subject to the CCPA

a. To the extent that the processing of Customer Personal Data is subject to the CCPA, PartnerStack:  (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in the Agreement, pursuant to which PartnerStack will provide Customer with its services; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that PartnerStack’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by PartnerStack  that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

b. The Parties intend that PartnerStack be a Service Provider with respect to its processing of Customer Personal Data.  PartnerStack  shall not (a) Sell or Share Personal Information; (b) retain, use or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between PartnerStack  and Customer; or (d) except as permitted by the CCPA, combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person; or (ii) collected from PartnerStack’s own interaction with any Consumer to whom such Personal Information pertains. PartnerStack certifies that it understands the obligations under this Section and will comply with them.

c. Compliance with Section 4 of the DPA shall satisfy PartnerStack’s obligation under the CCPA to give notice of Subprocessor engagements.

d. The Parties acknowledge and agree that (a) PartnerStack’s access to Personal Information is not part of the consideration exchanged by the parties in respect of the Agreement; and (b) Customer’s instructions documented in the DPA are integral to PartnerStack’s provision of the Services and the business relationship between the Parties.

13. Definitions

Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA shall be defined as follows:

a. “Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement.

b. "Approved Addendum" means the template Addendum issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses;

c. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the Effective Date of this DPA;

d. "Customer Personal Data" means the Personal Data processed by PartnerStack on behalf of Customer in connection with the provision of the Services;

e. "EEA" means the European Economic Area;

f. "GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law;

g. "Mandatory Clauses" means Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses;

h. "Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;

i. "Personal Data" means any information relating to an identified or identifiable individual or device, or is otherwise "personal data," "personal information," "personally identifiable information" and similar terms, and such terms shall have the same meaning as defined by applicable data protection laws.

j. "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Customer Personal Data.

k. "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914; and

l. "Sub-processor" means PartnerStack Affiliates and third-party processors appointed by PartnerStack to process Customer Personal Data.

m. “UK” means the United Kingdom of Great Britain and Northern Ireland.

The terms "controller", "processor", "data subject", "process", and "supervisory authority" shall have the same meaning as set out in the GDPR.

The terms “sell” and “service provider” shall have the same meaning as set out in the CCPA.

ANNEX I

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

Name: As contained in the relevant order form, exhibit, attachment, addendum or other agreement.

Address: As contained in the relevant order form, exhibit, attachment, addendum or other agreement.

Contact person’s name, position and contact details:  As contained in the relevant order form, exhibit, attachment, addendum or other agreement.

Activities relevant to the data transferred under these Clauses: As per Agreement

Role (controller/processor): Controller

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection

Name: PartnerStack Inc.

Address: 1000 Brickell Avenue Suite #715 (PMB-315) Miami, FL 33131

Data protection officer: privacy@partnerstack.com

Activities relevant to the data transferred under these Clauses: As per Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

Categories of data subjects whose personal data is transferred

• Customer’s employees, contractors, agents, and/or representatives

• Customer’s customers and affiliates, and their employees, contractors, agents, representatives, and customers (some of which may be end users of Customer’s software products and services)

Categories of personal data transferred

Demographic data: first name, last name, e-mail, IP address, postal address, phone number; may include date of birth. There is also data generated when users view products of a customer.

Contact data: Personal/work email address; Personal/work telephone number; Work postal address

Digital Identifiers: IP Address, MAC Address

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

• Not Applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

• Continuous basis

Nature of the processing

• The scope and nature of the processing is the provision of services by PartnerStack to Customer as set forth in the Agreement.

Purpose(s) of the data transfer and further processing

• The purpose of the data transfer and further processing is to enable PartnerStack to fulfil its obligations to Customer under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

• 7 Years since last used.  

For transfers to (sub) processors, also specify subject matter, nature and duration of the processing, see list of subprocessors

Duration of the Processing: Continues until service is terminated with Sub-processors

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

Identify the competent supervisory authority/ies in accordance with Clause 13

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of personal data

• All data at rest is encrypted

• Personally identifiable information is used on a principle of least privilege and need-to-know basis

• Analytics data is always anonymized through aggregation and identifiers removed

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

• Holistic Information Security Management System that scopes in all the critical processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

• Business Continuity and Disaster Recovery Plan

• Annual testing of BC and DR plans

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

• Annual audits (SOC 2)

• Annual penetration testing done by a third-party

Measures for user identification and authorisation

• All access requires unique identification and/or logging to ensure auditability and accountability

Measures for the protection of data during transmission

• Data in transit is encrypted

Measures for the protection of data during storage

• Data at rest is encrypted

Measures for ensuring physical security of locations at which personal data are processed

• Usage of subservice providers that meet the high level of physical security of locations that hold critical data

Measures for ensuring events logging

• Dedicated Engineering infrastructure team is responsible for this

Measures for ensuring system configuration, including default configuration

• Dedicated Engineering infrastructure team is responsible for this

Measures for internal IT and IT security governance and management

• Information Security Management System implemented in accordance with ISO27001 and AICPA Trust Services Principles guideline

Measures for certification/assurance of processes and products

• PartnerStack platform is SOC 2 Type 2 compliant

Measures for ensuring data minimisation

• Annual risk assessment identifies and assesses risks pertaining to privacy, which includes data minimisation

Measures for ensuring data quality

• Engineering quality reviews and standard development practices

• Data engineering team dedicated to helping ensure data quality

Measures for ensuring limited data retention

• Data retention policies are set at the data storage layer

Measures for ensuring accountability

• Audit logging enabled at all critical layers of the system and platform

Measures for allowing data portability and ensuring erasure

• Defined processes and tooling implemented for data portability and erasure scripts created by the Engineering team and supported by the Technical Support team

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

• Dedicated vendor risk management program to help ensure (sub-)processors are able to meet the security standards set by our organization which includes requirements such as:

o Security certification programs (e.g. ISO27001, SOC 2, etc)

o Demonstration of a security management system/program

o Data Protection Agreements

o Other risk assessments as deemed necessary

Appendix 1 – Details of Data Processing

Subject matter, nature and purpose of the processing

Subject matter of processing: personal data, as defined under applicable data protection laws.

Nature of Processing: the scope, nature and purpose of the processing is the provision of services by PartnerStack to Customer as set forth in the Agreement.

Duration: Duration of the Agreement

Categories of data subjects

• Customer’s employees, contractors, agents, and/or representatives.

• Customer’s customers and affiliates, and their employees, contractors, agents, representatives, and customers (some of which may be end users of Customer’s software products and services).

Types of personal data i.e. any information relating to an identified or identifiable person.

Demographic Data: Includes, but is not limited to, first name, last name, e-mail, IP address, postal address, phone number; may include date of birth. There is also data generated when users view products of a customer.

Contact Details: Personal/work email address; Personal/work telephone number; Work postal address

Digital Identifiers: IP Address, MAC Address

Special Categories of Data: Not Applicable

Other: N/A

SCHEDULE 1

UK AND SWISS ADDENDUM

1. UK Addendum

With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Customer (as data exporter) to PartnerStack (as data importer):

a. Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Mandatory Clauses;

b. PartnerStack (as data importer) may end this DPA, to the extent the Mandatory Clauses apply, in accordance with clause 19 of the Mandatory Clauses;

c. Neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 (together, the "UK Data Protection Laws"); and

d. The Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate:

i. for transfers made by Customer to PartnerStack, to the extent that UK Data Protection Laws apply to the Customer’s processing when making that transfer; and

ii. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR;

2. SWISS ADDENDUM

As stipulated in Section 11 of the DPA, this Swiss Addendum shall apply to any processing of Customer Personal Data subject to Swiss data protection law or to both Swiss data protection law and the GDPR.

a. Interpretation of this Addendum

Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

This Addendum: This Addendum to the Clauses

Clauses: The Standard Contractual Clauses as further specified in Schedule 1 of this DPA

Swiss Data Protection Laws: The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

b. Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

c. Incorporation of the Clauses

i. In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA including as further specified in Schedule 1 of this DPA to the extent necessary so they operate:

1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and

2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

ii. To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 1 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation):

1. References to the "Clauses" or the "SCCs" means this Swiss Addendum as it amends the SCCs.

2. Clause 6 Description of the transfer(s) is replaced with:

"The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer."

3. References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

4. References to Regulation (EU) 2018/1725 are removed.

5. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".

6. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws;

7. Clause 17 is replaced to state:

These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws.

8. Clause 18 is replaced to state:

Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.

iii. To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 1 of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.

iv. Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.