UPDATED ON NOVEMBER 29TH, 2018
This Data Protection Addendum (the “Addendum”) forms part of and is incorporated by reference into the Attendify Terms of Service (the “Agreement”). This Addendum will only apply to the extent that the Applicable Data Protection Laws govern the Processing of Personal Data, and shall be effective as of the date Client agrees to the Agreement.
Except as modified below, the terms of the Agreement shall remain in full force and effect. With respect to provisions regarding Processing of Personal Data, in the event of a conflict between this Addendum and the Agreement, or any other agreement between the Parties, the provisions of this Addendum shall control.
Unless elsewhere defined herein, the capitalized terms used in this Addendum shall have the meaning specified in this Section 1 or otherwise as set forth in the Agreement.
“Applicable Data Protection Laws” shall mean, as applicable, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Attendify” means KitApps, Inc., d/b/a Attendify.
“Client” has the meaning ascribed to it in the Agreement, and shall include the individual signing up for the Services and/or agreeing to the Agreement on behalf of Client.
“Client Data” means Personal Data that is Processed by Company on behalf of Client in Company’s provision of the Services.
“Data Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Client Data transmitted, stored or otherwise Processed.
“Party” means each of Attendify and Client.
“Privacy Shield Principles” means the EU-US Privacy Shield Principles and the Swiss-US Privacy Shield Principles.
“Services” means the “Services” provided by Company to Client as defined in the Agreement.
“Subprocessor” means any third party (excluding any employee or subcontractor of Company) retained by or on behalf of Company to Process Client Data in connection with the Agreement.
“Technical and Organizational Measures” means security measures implemented by Company appropriate to the type of Personal Data being Processed and the Services being provided by Company to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
Additionally, as used in this Addendum, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Processing” and “Personal Data” shall have the meanings ascribed to them in the Applicable Data Protection Laws.
In respect of the Applicable Data Protection Laws, Client is the Data Controller, and Company is the Data Processor, for the purpose of making the Services available to Client in connection with one or more events hosted or attended by Client (each, an “Event”). In such circumstances, Client agrees to Process Client Data in accordance with Client’s obligations as Data Controller under Applicable Data Protection Laws, and Section 3 of this Addendum shall apply. However, when Company is acting as a Data Controller of Data Subjects’ Personal Data for Company’s Uses (as defined in Section 2.2 below), Section 3 of this Addendum shall not be applicable.
In respect of some Processing of Personal Data beyond making the Services available to Client in connection with one or more Events, Company acts as an independent Data Controller under Applicable Data Protection Laws. Specifically, Company may collect and Process Personal Data for the purposes of providing various aspects of the Services to Data Subjects beyond those relating to Client’s Event(s) (such as enabling Data Subjects to attend events of other clients of Company), conducting research and analysis to enable Company to improve its products and features, and communicating with Data Subjects for Company’s marketing purposes (collectively, “Company’s Uses”). Client acknowledges and agrees that Company is the Data Controller for the purposes of Company’s Uses.
For purposes of Company’s Uses, Company will individually determine the purposes and means of Processing Personal Data to the extent not explicitly prohibited under the Agreement, and will comply with the obligations applicable to it under Applicable Data Protection Laws with respect to the Processing of Personal Data.
Consent and Use of Personal Data by Client
Company shall be responsible for obtaining consent from Data Subjects for Processing Personal Data in connection with Client’s Event(s) and for Company’s Uses, except in the event that Client directly provides Personal Data to Company in connection with one or more Events, in which case Client shall be responsible for obtaining consent from Data Subjects for such Processing.
To the extent that Company provides Client with Client Data, Client agrees that it shall only Process such Client Data for the lawful bases permitted by Article 6(1) of the GDPR. Insofar as Client relies on consent as a lawful basis under Article 6(1)(a) of the GDPR for Processing, Client shall only Process Client Data for the purpose of using the Services in connection with Client’s Event(s) and for Client’s direct marketing purposes, unless Client obtains independent consent from Data Subjects to such other Processing.
To the extent that Company provides Client with Client Data, Client will provide a level of protection for such Client Data that is at least equivalent to that required under the Privacy Shield Principles, and if Client determines that it cannot do so, it will notify Company in writing and either cease Processing the Client Data or take reasonable and appropriate steps to remedy such non-compliance.
Exercise of Data Subjects’ Rights
In the event that a Data Subject submits a request to either Party (the “Recipient”) exercising any of his, her or its rights under Applicable Data Protection Laws (including, without limitation, under Chapter III of the GDPR), the other Party shall take all reasonably necessary measures to assist the Recipient in responding to and complying with such request as required by Applicable Data Protection Laws.
Processing of Personal Data shall occur as follows:
Nature, purpose and subject-matter of Processing: to provide the Services.
Duration of Processing: as long as necessary to provide the Services.
Type of Personal Data: name, email address, phone number, IP address, Unique Device Identifier, information related to Events registered for and attended, relationship to Client, employment and biographical information, User Content (as defined in the Agreement), and any other Personal Data that Client requests in connection with Client’s Event(s).
Categories of Data Subjects: End Users (as defined in the Agreement).
Company shall Process Client Data only on documented instructions from Client, unless required to do so by applicable law; in such a case, Company shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. For the avoidance of doubt, Client specifically instructs Company to Process Client Data as necessary for the purpose of making the Services available to Client in connection with Client’s Event(s), to perform Company’s obligations under the Agreement and as further documented in any other written instructions given by Client and acknowledged by Company as constituting instructions for purposes of this Addendum. Company shall immediately inform Client if, in its opinion, an instruction by Client infringes Applicable Data Protection Laws.
Company shall ensure that persons authorized to Process Client Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Technical and Organizational Measures
Company shall take all measures required pursuant to Article 32 of the GDPR, including, without limitation, implementing appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk. Such Technical and Organizational Measures shall take into account: (i) the state of the art, (ii) the costs of implementation, (iii) the nature, scope, context and purposes of Processing and (iv) the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
Taking into account the nature of the Processing, Company shall assist Client by appropriate Technical and Organizational Measures, to the extent possible, for the fulfilment of Client’s obligation to respond to requests for exercising Data Subjects’ rights laid down in Chapter III of the GDPR.
Client specifically authorizes and instructs Company to engage the Subprocessors listed on Company’s website: http://help.attendify.com/gdpr/attendify-data-subprocessors in connection with the provision of the Services.
Client also generally authorizes Company to engage, from time to time, any other Subprocessors in connection with the provision of the Services, provided that Company shall inform Client of any intended changes concerning the addition or replacement of any Subprocessors by updating Company’s website. It is specifically agreed that Client shall be responsible for monitoring the list of Subprocessors disclosed on Company’s website. If Client objects to Company engaging any additional or replacement Subprocessor, Client may, within ten (10) days of being informed of such intended change, indicate its objection by contacting Company at firstname.lastname@example.org. Such notice shall state, in sufficient specificity, the reasonable and documented grounds relating to a Subprocessor’s non-compliance with Applicable Data Protection Laws. In the event that Company is unwilling or unable to provide a reasonably acceptable substitute, Client may terminate the Agreement and its use of the Services as provided in the Agreement. This termination right is Client’s sole and exclusive remedy if Client objects to any additional or replacement Subprocessor.
Where Company engages a Subprocessor that will have access to Personal Data, Company shall ensure that data protection obligations the same as or equivalent to those set out in this Section 3 are imposed on that Subprocessor by way of a contract. Such contract shall provide sufficient guarantees to implement appropriate Technical and Organizational Measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Laws. Where such Subprocessor fails to fulfil its data protection obligations, Company shall remain fully liable to Client for the performance of the Subprocessor’s obligations.
Assistance to Client
Taking into account the nature of Processing of Personal Data and the information available to Company, Company shall assist Client in ensuring compliance with the obligations laid out in Articles 32 to 36 of the GDPR. In addition to any other obligation of Company under this Addendum, such assistance shall include notifying Client, without undue delay, after becoming aware of a Data Security Breach.
Except for that Personal Data with respect to which Company acts as a Data Controller (as more fully set forth in Section 2), and unless prohibited by applicable law, Company shall, at the choice of Client: (i) delete or return all Client Data to Client after such Client Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Client Data. Company reserves the right to charge Client a fee (based on Company’s reasonable costs) for the deletion of any Client Data pursuant to this paragraph. Company will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.
In the event that a Data Subject submits a Client Data deletion request to Company, Client hereby instructs and authorizes Company to delete or anonymize the Data Subject’s Personal Data on Client’s behalf.
Information and Audits
Company shall make available to Client all information necessary to demonstrate compliance with its obligations as a Processor laid out in this Section 3 and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client.
Any audit pursuant to Section 3.6.1 shall be permitted only on reasonable advance notice to Company and subject to appropriate confidentiality undertakings (including, without limitation, redacting any information relating to another customer of Company, Company’s internal accounting or financial information, and Company’s trade secrets).
Company may charge a fee (based on Company’s reasonable costs) for any audit under Section 3.6.1. Company will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Client will be solely responsible for any fees charged by any third party auditor appointed by Client to execute any such audit.
Company may object to any third party auditor appointed by Client to conduct any audit under Section 3.6.1 if the auditor is, in Company’s reasonable opinion, not suitably qualified or independent, a competitor of Company or otherwise manifestly unsuitable. Any such objection by Company will require Client to appoint another auditor or conduct the audit itself.
Subject to Company’s obligations under Section 3.7.2, Client authorizes and instructs Company to store and Process Client Data in the United States of America.
Company confirms that it is certified under the Privacy Shield Principles. Company agrees to maintain its adherence to the Privacy Shield Principles throughout the duration of the Agreement or implement another alternative data transfer mechanism which lawfully permits the transfer of Personal Data outside of the European Economic Area and the United Kingdom.
To the extent permitted under applicable law, and notwithstanding anything else in the Agreement, the total liability of either Party towards the other Party under or in connection with this Addendum shall not exceed the aggregate sum of all amounts paid by Client to Company in the twelve (12) months immediately prior to the action or event forming the basis for such claim.
Company may modify the terms of this Addendum if, as reasonably determined by Company, such modification is (i) reasonably necessary to comply with Applicable Data Protection Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency; and (ii) does not: (a) result in a degradation of the overall security of the Services, (b) expand the scope of, or remove any restrictions on, Company’s processing of Client Data, and (c) otherwise have a material adverse impact on Client’s rights under this Addendum.
Any other modification to this Addendum shall require the signed written consent of both Parties.
In the event of any modification pursuant to Section 5.1, Company shall notify Client of such modification by email at least 30 days (or such shorter period as may be required to comply with Applicable Data Protection Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency) before the change will take effect.
Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.