Switchboard Data Processing Addendum
This Data Processing Addendum ("DPA") is entered into between Customer on behalf of itself and its Subsidiaries (collectively, “CUSTOMER”) and Switchboard Software, Inc. on behalf of itself and its affiliates (collectively, "Switchboard").
(1) Switchboard has entered into one or more purchase orders, contracts and/or agreements (the "Contract(s)") with CUSTOMER and/or CUSTOMER Subsidiaries (as defined below). In delivering the Services under the Contract(s), Switchboard may process Personal Data controlled by CUSTOMER, a CUSTOMER Subsidiary and/or their respective customers, contacts or partners.
"Applicable Privacy Law(s)" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law.
"Authorized Persons" means any person who processes Personal Data on Switchboard’s behalf, including Switchboard’s employees, officers, partners, principals, contractors and Subcontractors.
"CUSTOMER Subsidiary" means any entity that is directly or indirectly controlled by, controlling or under common control with CUSTOMER.
"EEA" means the European Economic Area (including the United Kingdom).
"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data ("Directive"); and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR").
"Personal Data" means information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes personally identifiable information.
"Security Incident" means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to data (including Personal Data).
"Subcontractor" means any third party (including any Switchboard affiliates) engaged directly or indirectly by Switchboard to process any Personal Data relating to this DPA and/or the Contracts. The term "Subcontractor" shall also include any third party appointed by a Subcontractor to process any Personal Data relating to this DPA and/or the Contracts.
The terms "Controller", "Processor", and "Processing", have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.
2. Role and Scope of Processing
2.1. Switchboard shall process Personal Data under the Contract(s) only as a Processor acting on behalf of CUSTOMER (whether as Controller or itself a Processor on behalf of third party Controllers). Switchboard agrees that it will process Personal Data as described at Annex A, which forms an integral part of this DPA.
2.2. Switchboard will at all times: (i) process the Personal Data only for the purpose of providing the Services to CUSTOMER under the Contract(s) and in accordance with CUSTOMER's documented instructions; and (ii) not process the Personal Data for its own purposes or those of any third party.
2.3. Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Personal Data it Processes under this DPA.
3.1 CUSTOMER consents to Switchboard engaging Subcontractors to process the Personal Data provided that:
(a) Switchboard provides at least 30 days’ prior written notice to CUSTOMER of the engagement of any new Subcontractor (including details of the processing and location) and Switchboard shall update the list of all Subcontractors engaged to process Personal Data under this Agreement at Annex C and send such updated version to CUSTOMER prior to the engagement of the Subcontractor;
(b) Switchboard imposes the same protection terms on any Subcontractor it engages as contained in this DPA (including the Model Clauses and other data transfer provisions, where applicable); and
(c) Switchboard remains fully liable for any breach of this DPA or the Contract(s) that is caused by an act, error or omission of such Subcontractor.
3.2 If CUSTOMER objects to the engagement of any Subcontractor on data protection grounds, then CUSTOMER may elect to suspend or terminate the processing of Personal Data under the Contract(s) without penalty.
4.1 Switchboard shall reasonably cooperate with CUSTOMER to enable CUSTOMER (or its third party Controller) to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Contract(s), including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws. In the event that any such request, complaint or communication is made directly to Switchboard, Switchboard shall promptly pass this onto CUSTOMER and shall not respond to such communication without CUSTOMER's express authorization.
4.2 If Switchboard receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Switchboard shall not disclose any information but shall immediately notify CUSTOMER in writing of such request, and reasonably cooperate with CUSTOMER if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
4.3 To the extent Switchboard is required under Applicable Privacy Laws, Switchboard will assist CUSTOMER (or its third party Controller) to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.
5. Data Access & Security Measures
5.1 Switchboard shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data only for the purpose of delivering the Services under the Contract(s) to CUSTOMER.
5.2 Switchboard will implement and maintain all appropriate technical and organizational security measures to protect from Security Incidents and to preserve the security, integrity and confidentiality of Personal Data ("Security Measures"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, Switchboard agrees to the Security Measures identified at Annex B.
6. Security Incidents
6.1 In the event of a Security Incident, Switchboard shall promptly (and in no event later than 48 hours of becoming aware of such Security Incident) inform CUSTOMER and provide written details of the Security Incident, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Switchboard.
6.2 Furthermore, in the event of a Security Incident, Switchboard shall:
(a) provide timely information and cooperation as CUSTOMER may require to fulfill CUSTOMER's data breach reporting obligations under Applicable Privacy Laws; and
(b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep CUSTOMER up-to-date about all developments in connection with the Security Incident.
6.3 The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident shall be solely at CUSTOMER’s discretion, except as otherwise required by applicable laws.
7. Security Reports & Inspections
7.1 Switchboard shall maintain records in accordance with ISO 27001 or similar Information Security Management System ("ISMS") standards. Upon request, Switchboard shall provide copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by CUSTOMER to verify Switchboard’s compliance with this DPA.
7.2 While it is the parties' intention ordinarily to rely on Switchboard’s obligations set forth in Section 7.1 to verify Switchboard’s compliance with this DPA, CUSTOMER (or its appointed representatives) may carry out an inspection of Switchboard’s operations and facilities during normal business hours and subject to reasonable prior notice where CUSTOMER considers it necessary or appropriate (for example, without limitation, where CUSTOMER has reasonable concerns about Switchboard’s data protection compliance, following a Security Incident or following instruction from a data protection authority).
8. International Transfers
8.1 Switchboard will at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of Applicable Privacy Laws.
8.2 Switchboard shall not process or transfer any Personal Data in or to a territory other than the territory in which the Personal Data was first collected (nor permit the Personal Data to be so processed or transferred) unless: (i) it has first obtained CUSTOMER's prior written consent; and (ii) it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by CUSTOMER to Switchboard).
8.3 Where Switchboard processes Personal Data under this DPA that originates from the EEA and/or Switzerland, Switchboard shall:
(a) provide at least the same level of protection to such Personal Data as is required by the Privacy Shield Principles and/or as CUSTOMER may otherwise reasonably require to ensure an adequate level of protection for such Personal Data in accordance with the requirements of Applicable Privacy Laws;
(b) promptly notify CUSTOMER if it makes a determination that it can no longer meet its obligations under Section 8.3(a) above, and in such event, to work with CUSTOMER and promptly take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by Section 8.3(a); and
(c) immediately cease (and procure all Subcontractors immediately cease) processing such Personal Data if in CUSTOMER's sole discretion, CUSTOMER determines that Switchboard has not or cannot correct any non-compliance with Section 8.3(a) above in accordance with Section 8.3(b) within a reasonable time frame.
8.4 Where Switchboard processes Personal Data under this DPA that originates from the EEA and/or Switzerland, any such consent shall be conditional on Switchboard complying with (and procuring any Subcontractor comply with) the Model Clauses, which shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Model Clauses and only as between Switchboard and CUSTOMER, Switchboard agrees that it is a "data importer" and CUSTOMER is the "data exporter" under the Model Clauses (notwithstanding that CUSTOMER is located outside the EEA and may itself be a Processor acting on behalf of third party Controllers). Further, Annexes A and B of this DPA will take the place of Appendices 1 and 2 of the Model Clauses respectively.
8.5 It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail. In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.
8.6 Switchboard acknowledges that CUSTOMER may disclose this DPA and any relevant privacy provisions in the Contract(s) to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request.
9. Deletion & Return
9.1 Upon CUSTOMER's request, or upon termination or expiry of this DPA, Switchboard shall destroy or return to CUSTOMER all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Subcontractors). This requirement shall not apply to the extent that Switchboard is required by any applicable law to retain some or all of the Personal Data, in which event Switchboard shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
10.1 Except for the changes made by this DPA, the Contract(s) remain unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Contract(s), this DPA controls and takes precedence. With effect from the effective date, this DPA is part of, and incorporated into the Contract(s).
10.2 The obligations placed upon Switchboard under this DPA shall survive so long as Switchboard and/or its Subcontractors processes Personal Data on behalf of CUSTOMER.
10.3 Notwithstanding anything else to the contrary in the Contract(s), Switchboard acknowledges and agrees that it shall be liable for any loss of data (including Personal Data) arising under or in connection with the Contract(s) and this DPA to the extent such loss results from any failure of Switchboard (or its Subcontractors) to comply with its obligations under this DPA and/or Applicable Privacy Laws.
10.4 This DPA may not be modified except by a subsequent written instrument signed by both parties.
10.5 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
Annex A - Details of the Processing
Description of Controller:
CUSTOMER and/or its respective customers shall be the data controller of certain Personal Data provided to Switchboard to provide the Services.
Nature of Services provided by Switchboard:
Switchboard will offer its people analytics software platform, which provides people leaders with analytics and insights around its workforce, recruiting processes, and other key business indicators. Switchboard will host, manage, operate and maintain the software for remote electronic access and will incorporate mutually agreeable modifications into the software based on feedback from CUSTOMER.
Type(s) of Personal Data processed:
• Identification and contact data (name, title, address, phone number, email address)
• Employment details (employer, current and historical job information, academic and professional qualifications, geographic location, area of responsibility, affiliated organization, area of responsibility and industry, employment application, current and historical compensation information)
Special categories of data (if applicable):
This type of data is not intentionally processed but there may be occasions where such information is stored on CUSTOMER's systems without CUSTOMER's express knowledge.
Categories of Data Subjects:
Prospects, customers, business partners and vendors of CUSTOMER's customers (who are natural persons);
Employees or contact persons of CUSTOMER's prospects, customers, business partners and vendors;
Employees, agents, advisors, freelancers (past, potential, present and future) of CUSTOMER's customers (who are natural persons);
CUSTOMER's customers' end-users authorized to use the Services.
Nature of Processing Operations:
The Personal Data processed by Switchboard and/or its Subcontractors will be subject to the processing activities described in the Contract(s) or purchase orders for the services subject to this DPA. Personal data may be processed only to comply with CUSTOMER's instructions issued in accordance with the DPA.
Such Processing activities include providing support and maintenance to CUSTOMER, CUSTOMER Subsidiaries, and/or their respective customers.
Duration of processing: Until the end of the Support Period (as defined in the Contract(s)).