Connect & Engage - Data Processing Addendum (DPA)

Version: February 1st, 2023

This Data Processing Addendum (“DPA”) forms an integral part of the Agreement between Client and CM.com covering Client’s use of the Services.

1. Definitions and interpretation

The terms contained in these Terms and Conditions initially capitalized are defined and have the meaning as set out in this Clause.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Subject: an identified or identifiable natural person relating to Personal Data.

Technical and Organizational Measures: measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of Processing.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Processing/to Process: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Sub-processor: A party engaged by CM.com for processing activities for which CM.com is a Processor under this DPA, as listed on: www.cm.com/trust-center/privacy/.

Trust Center: www.cm.com/trust-center/.

The expression ‘Data Protection Impact Assessment’ shall have the meaning ascribed to it in the Applicable Data Protection Law.

1.2. References to the Applicable Data Protection Laws shall be replaced with or incorporate references to any laws replacing or amending those Applicable Data Protection Laws, and the equivalent terms defined in such laws, once in force and applicable.

1.3. This Data Processing Terms and Conditions shall exclusively apply to the processing of Personal Data by CM.com as a Processor on behalf of Client. In case of any conflict, the provisions of this Data Processing Terms and Conditions concerning Processing of Personal Data shall take precedence over the provisions of the Terms and Conditions Agreement. Where individual provisions of this Data Processing Terms and Conditions are invalid or unenforceable, the validity and enforceability of the other provisions shall not be affected.

2. Scope and Applicability

2.1 This DPA shall apply to the Personal Data processing activities, for which CM.com is a Processor subject to Applicable Data Protection Laws.

2.2 CM.com is a Processor for the processing activities described in clause 6 of this DPA.

3. Obligations of the Client

3.1 Client shall, in its use of the Service, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws. Client’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. Client is responsible for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client shall ensure that it meets all requirements for processing and transferring the Personal Data under Applicable Laws, including but not limited to, ensuring a lawful ground of processing and/or cross-border transfers. Client shall inform CM.com without undue delay if it can no longer meet its obligations in relation to the processing of Personal Data under the Applicable Laws and/or the Agreement.

3.2 Without limiting the generality of any other provision of the Agreement, prior to using the Service, Client shall obtain verifiable informed consent of the End Users or be able to provide confirmation of any other applicable lawful basis for Processing, and shall maintain a record of each such consent and/or lawful basis. Upon reasonable written notice, Client shall provide information on the lawful basis as requested and where required by CM.com, any Operator, regulator, or other competent authority.

4. Obligations of the Processor

4.1 Instructions

4.1.1 CM.com shall Process Personal Data in accordance with this DPA and the Agreement, and for the purposes and in the manner specified by Client from time to time in the Agreement and further instructions within the scope of the Agreement.

4.2 Technical and Organizational Measures

4.2.1 Taking into account the state of the art, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CM.com shall implement appropriate Technical and Organizational Measures (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data) to ensure a level of security appropriate to the risk. Up to date information regarding Technical and Organizational Measures can be found on www.cm.com/trust-center/security/.

4.2.2 CM.com shall test, assess and evaluate the effectiveness of Technical and Organizational Measures for ensuring the security of the Processing on an ongoing basis. CM.com shall continuously enhance and improve Technical and Organizational Measures where appropriate.

4.3 Personnel requirements

CM.com ensures that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require access in order to perform the Services under the Agreement.

4.4 Confidentiality

CM.com agrees that it shall maintain the Personal Data in confidence. In particular, CM.com agrees that it shall not disclose any Personal Data supplied to CM.com by, for, or on behalf of Client to any third party without Client's prior consent, except as foreseen and required for the performance of the Service under the Agreement or mandatory law.

4.5 Data Subject Rights

4.5.1 Where Client so instructs CM.com, CM.com shall transfer, correct, delete or block Personal Data if Client receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”).

4.5.2 CM.com shall notify Client if CM.com receives a Data Subject Request. Taking into account the nature of the Processing, CM.com shall assist Client in responding to a Data Subject Request under the Applicable Data Protection Law. CM.com shall assist Client to the extent CM.com is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.

4.6 Assistance with Client’s compliance

CM.com shall provide to Client further assistance reasonably required to ensure compliance with Client's obligations under Data Protection Laws, including with respect to:

(a) data protection impact assessment, by providing such information and cooperation as Client may require for the purpose of assisting Client in carrying out a data protection impact assessment and periodic reviews to assess if the Processing of Personal Data is performed in compliance with the data protection impact assessment;

(b) prior consultation with a data protection supervisory authority regarding high risk Processing.

4.7 Compliance, information, and audit

4.7.1 CM.com has obtained third-party certifications set forth in the Trust Center on the website of CM.com, available at www.cm.com/trust-center/, which provides information on Technical and Organizational Measures, privacy, compliance, risk management and data security. Upon Client’s written request, and subject to the confidentiality obligations set forth in the Agreement, CM.com shall make available to Client, that is not a competitor of CM.com (or Client’s independent, third-party auditor that is not a competitor of CM.com) a copy of CM.com’s then most recent third-party certifications and information regarding the IT architecture and security, as applicable and reasonably requested. Client is responsible for assessing the information that is made available by CM.com and determining whether it meets Client’s requirements and obligations under Applicable Data Protection Laws. Client agrees that the information provided hereunder shall serve to fulfill the audit rights of Client under Applicable Data Protection Laws.

4.7.2 In the event the information provided by CM.com is insufficient to prove compliance with this DPA, Client has the right to appoint an accredited external expert at most once per year to audit the procedures regarding the data Processing for Client. CM.com will cooperate with such audit upon a reasonable prior written notice of no less than ten Working days. Client shall reimburse CM.com for any time expended by CM.com for any such audit at CM.com’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such audit, the Parties shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible.

4.7.3 CM.com is entitled to request that the external expert signs a confidentiality declaration in favor of CM.com. The confidentiality declaration shall contain the terms and conditions that are usual for this type of declaration. Any report or statement provided by the external expert shall be made available to CM.com. Client shall ensure that the audit hinders CM.com's operations as little as possible.

4.8 Records

CM.com shall maintain complete, accurate and up to date records of Processing activities carried out on behalf of its Clients.

4.9 Affiliates and Sub-processors

4.9.1 Some or all of CM.com’s obligations under the Agreement may be performed by affiliates of CM.com. CM.com is responsible for compliance of its affiliates with the Agreement.

4.9.2 Client acknowledges and agrees that (a) CM.com’s affiliates may be retained as Sub-processors; and (b) CM.com and CM.com’s affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Provided always CM.com or a CM.com affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in the Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Service provided by such Sub-processor and CM.com maintains an up to date list of Sub-processors. CM.com’s current list of Sub-processors is available on: www.cm.com/trust-center/privacy/. CM.com shall inform Client thirty (30) days prior to any changes with respect to the Sub-processor list. Within that timeframe, Client may object to the change to the Sub-processor list, provided such objection is submitted in writing and based on reasonable grounds with respect to Applicable Data Protection Laws. The Parties will make a good faith effort to resolve the Client’s objection. If the objection is not resolved within thirty (30) days, either Party may terminate the Agreement.

4.9.3 CM.com shall be responsible for each of its Sub-processors to the same extent CM.com would be responsible if performing the services of each Sub-processor directly under the terms of the Agreement.

4.10 Breach Notification

In respect of a Personal Data Breach, CM.com shall:

(a) notify Client of a Personal Data Breach involving CM.com or a sub-contractor without undue delay (but in no event later than forty-eight hours after becoming aware of the Personal Data Breach).

(b) provide reasonable cooperation and assistance to Client in relation to any action to be taken in response to a Personal Data Breach under Applicable Data Protection Laws, such as Art. 33(3) and 34(3) GDPR, including regarding any communication of the Personal Data Breach to the Data Subject and data protection authorities.

CM.com will promptly investigate a Personal Data Breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, CM.com will provide Client with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, and other information Client may reasonably request. The Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or the relevant data protection authorities.

5. Cross Border Data Transfer

To the extent that the engagement of a Sub-processor under art. 4.9 requires a cross border transfer mechanism under Applicable Data Protection Laws to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area, the United Kingdom or any other relevant jurisdiction) to a third party located outside of that jurisdiction, the following terms shall apply. Client authorizes CM.com to transfer Personal Data outside the jurisdiction in which CM.com is located and the Personal Data was first received, provided that CM.com shall ensure that such transfers will be executed in accordance with this DPA and a lawful data transfer mechanism that provides an adequate level of protection under Applicable Data Protection Laws.

6. Storage, retention, and deletion of Personal Data

CM.com shall Process and retain data, including Personal Data, in accordance with Applicable Law, regulations, including but not limited to national telecom legislation and Applicable Data Protection Laws. The data, including Personal Data, submitted to the platform of CM.com shall be Processed and stored in accordance with CM.com’s data retention policy. The Personal Data shall be retained for no longer than is necessary for providing the Services under the Agreement, for the purposes as stated in the Agreement and as far as required and/or allowed under Applicable Law. CM.com shall de-identify or depersonalize data into anonymized data after the applicable retention period. This results in data that includes no Personal Data or unique identifiers that could later be used to refer to the Personal Data to which the data was once associated.

7. Description of Processing

7.1 Nature and Purpose of Processing

CM.com will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Agreement, and as further instructed by Client within the scope of the Agreement.

7.2 Duration of the Processing

CM.com will process Personal Data for the duration of the Agreement and in accordance with clause 6 of this DPA.

7.3 Categories of Data Subjects

Client may submit data to CM.com in using the Service, the content of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the categories of Data Subjects listed in Annex 1.

7.4 Type of Personal Data

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the categories of Personal Data listed in Annex 1.


Annex 1: Description of data subjects and categories of personal data:

Data Subjects:

As described for the following services:


Conversational AI Cloud


Conversational Channels


Customer Data Platform


Mobile Marketing Cloud

• Senders and recipients of Client’s communications through the Mobile Marketing Cloud service, such as (potential) customers, prospects, website visitors and the like.


Mobile Service Cloud


Sign


SMS


Voice



Categories of Personal Data:

As described for the following services:


Conversational AI Cloud


Conversational Channels

• Content of communications.


Customer Data Platform


Mobile Marketing Cloud


Mobile Service Cloud


Sign


SMS

• Content of communications.


Voice