1. Scope of the Data Processing Agreement

This Data Processing Agreement (“DPA”) is applicable to any Processing of Personal Data conducted by Sociabble based on the Terms and Conditions and shall prevail over, or replace, the arrangements, rights and obligations specified in the Terms and Conditions. Customer is deemed to be the Controller and Sociabble the Processor with respect to the Processing of the Personal Data pursuant to the Terms and Conditions. Any Processing of Personal Data is therefore conducted by Sociabble under the instructions of Customer. Where Sociabble would determine the purposes and means of any processing activity, in breach of either this DPA or the applicable Data Protection Laws, Sociabble is treated as a Data Controller in respect of that Processing activity.

2. Definitions

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Processing Agreement” means this DPA including the Exhibits A to D.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Data Protection Laws” means all data privacy laws and regulations, including but not limited to the EU General Data Protection Regulation and the California Consumer Privacy Act, that are applicable to the Processing of Personal Data under the Terms and Conditions.

“Data Subject Request” means a request from an individual to either Party in which the individual exercises the rights given by the Data Protection Laws to individuals, including without limitation the right to erasure, the right to restrict processing and the right to data portability.

“Personnel” means professionals and support staff provided by the Parties and assigned to perform the Service or any part of the Terms and Conditions.

“Personal Data Breach” means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” or “Process” means any operation or set of operations which is performed upon data by automatic means, such as, without limitation, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Sub-Processor” means a third-party subcontractor engaged by Sociabble which, as part of the subcontractor’s role of delivering the Service, processes the Personal Data of Customer.

“TOMs” means the technical and organisational security measures that might be required pursuant to the Data Protection Laws.

3. Compliance with laws

The Processor shall process Personal Data pursuant to all Data Protection Laws. Addenda attached to this DPA (Exhibit C to E) provide terms specific to the Processing of Personal Data arising out of specific legal requirements from particular jurisdictions. In the event of a conflict or inconsistency between this DPA and an addendum, the addendum applicable to Personal Data from the relevant jurisdiction shall prevail with respect to Personal Data from that relevant jurisdiction, but solely with regard to the portion of the provision in conflict or that is inconsistent.

4. Processor’s obligations

The Processor shall:

- process Personal Data in accordance with Controller’s written instructions; and in the event Processor considers that Controller’s instructions conflict with the applicable Data Protection Laws, Processor shall immediately inform Controller and may refuse to follow such instructions;
- keep the Personal Data strictly confidential and not transmit, disseminate or otherwise transfer Personal Data to third parties unless agreed to under Section 5 of the present DPA; in the event Processor is requested to disclose Personal Data by a supervisory authority, Processor shall inform Controller within 24 hours after becoming aware, or after it should have become aware, of that legal requirement;
- limit the access to Personal Data to its Personnel performing the Service in accordance with the Terms and Conditions and take all reasonable steps to ensure the reliability of the Personnel engaged in the Processing of Personal Data;
- implement appropriate TOMs and procedures to adequately address Personal Data Breaches;
- notify Controller without undue delay upon becoming aware of a Personal Data Breach affecting Controller’s Personal Data, providing Controller with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws;
- to the extent the applicable Data Protection Laws require the appointment of a data protection officer (“DPO”), make the Processor’s DPO reachable via email at privacy@sociabble.com.

5. Sub-processing

Controller authorizes Processor to resort to the third parties already listed in Exhibit A. In the event of an addition of a Sub-processor to this list, Processor will notify Controller with reasonable prior notice before this change, and Controller will have the opportunity to object to this appointment on legitimate grounds relating to the protection of Personal Data within fifteen (15) days from the written notification. The updated list of Sociabble’s Sub-processors is available on Sociabble’s website (currently at: https://www.sociabble.com/legal/list-of-sub-processors).

In case of sub-processing, Processor shall enter into written agreements with its Sub-processors containing data protection obligations not less protective than those in this DPA and shall include an obligation for the Sub-processor to allow either Party to verify that the Sub-processor has implemented the TOMs as set out under Section 4 (4). Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

6. Security

Processor shall implement any TOMs reasonably required to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the natural persons involved. The applicable TOMs are specified in Exhibit B and available to Customer upon request at privacy@sociabble.com.

7. Audit

Controller may audit the Processor’s compliance with the Terms and Conditions and this DPA up to once per year. If a third party is to conduct the audit, the third party must be mutually agreed to by both Parties and must be bound by a written confidentiality agreement acceptable to Processor before conducting the audit. Upon four (4) weeks’ prior notice of an audit, Controller shall submit a detailed audit plan of the suggested audit, stating the scope, duration and start date of the audit. Processor shall review the audit plan and may comment on it. The Controller agrees that it shall bear the cost incurred by the audit, and Sociabble will reasonably cooperate with such audit. However, any request for Sociabble to assist Controller can be considered a separate service if it requires the use of different or additional resources. Processor will seek Controller’s written approval and agreement to pay any related fees before performing such audit assistance. Audit reports are deemed to be Confidential Information.

8. Data Subject Request

Considering the nature of the Processing, Processor shall reasonably assist Controller by appropriate TOMs, insofar as this is possible, in the fulfilment of Controller’s obligation to respond to a Data Subject Request under applicable Data Protection Laws. If Processor receives a Data Subject Request it will, to the extent legally permitted, promptly forward such request to the Controller and, except if required by Data Protection Laws, Processor shall not respond to any such request without Controller’s instruction, other than to confirm receipt of the request, to inform the data subject that their request has been forwarded to Controller, and/or to refer them to Controller, except per reasonable instructions from Controller. Controller shall be responsible for any cost arising from Processor’s assistance. Processor will reasonably assist Controller with any data subject access, erasure or opt-out requests and objections. Processor will also reasonably assist Controller with the resolution of any request or inquiries that Controller receives from data protection authorities relating to Processor, unless Processor elects to object to such requests directly with such authorities.

9. Documentation requirement

As the Controller, Customer is the party entitled to draft the privacy policy that will be displayed in the Platform used by the Users and that may be accessed by the latter while using the Service. Processor will assist Controller in the drafting of such policy and will provide all the documentation needed at the onboarding stage.

10. Deletion and return of Personal Data

10.1 Within thirty (30) days of termination or expiry of the Terms and Conditions and upon Controller’s request, Processor shall, at Controller’s choice, delete or return to Controller all Personal Data in its possession or control.

10.2 Deletion. In the event Controller chooses the option of deletion under Section 10.1, Processor shall promptly delete all Personal Data and any eventual copies within one (1) week from the request of deletion.

10.3 Return. In the event Controller chooses the option of return under Section 10.1 above, Processor shall (i) return a complete copy of all Personal Data to Controller by secure file transfer in such format as is reasonably notified by Controller to Processor; and (ii) delete and procure the deletion of all other copies of Personal Data Processed. Processor shall comply with any such written request within one (1) week from the date of request.

10.4 Retention. To the extent required by the applicable Data Protection Laws and for the period required under such applicable laws, Processor may retain a copy of Personal Data, provided that Processor shall keep such Personal Data in confidence and ensure that it is only Processed for the purpose(s) specified in the applicable laws requiring its storage and not otherwise.

10.5 Certification. Processor shall provide written notification to Controller that it has fully complied with this Section 10 within thirty (30) days from the date Controller made its request of deletion or return.

EXHIBIT A – DETAILS OF PROCESSING OF PERSONAL DATA

1. Details of the Processing of Personal Data

Subject-matter of the Processing: The provisioning of the Service by Processor to Controller.

Nature of the Processing: access, reading, organisation, structuring, consultation, collection, adaptation or alteration, retrieval, use and storage of the Personal Data.

Purposes of the Processing:
- Implementing a single internal communication Platform and content-sharing feature on/from the Platform towards Users’ social media;
- Analyzing the potential impact of the publications and being able to evaluate the return on investment of the Platform implementation;
- Facilitating the use of the Platform and managing its administration.

Types of Personal Data: Identification data (first name, last name, photo), professional life information and contact details (professional email address, professional phone number, job title, office location); and potential connection to Users’ social media.

Data subjects: Users.

Duration of the Processing: The term of the Service and an additional period of thirty (30) days for data reversibility.

2. List of the approved Sub-processors

Sociabble’s Sub-processors list is available at the address given in Section 5 of this DPA.

EXHIBIT B – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Sociabble’s documentation related to the technical and organizational security measures (TOMs) is deemed to be an integral part of the DPA by reference. The TOMs might be shared with Customer upon request at legal@sociabble.com.

EXHIBIT C – EUROPEAN ECONOMIC AREA ADDENDUM

The Parties acknowledge and agree that with regard to the processing of Customer Personal Data performed solely on behalf of Customer, Sociabble is a Data Importer and receives Customer Personal Data pursuant to the business purpose of providing the Service to Customer in accordance with the Terms and Conditions.

1. Definitions

“EEA” means the European Economic Area.

“GDPR” means the European Union General Data Protection Regulation of the European Parliament and of the Council of 27 April 2016 (Regulation (EU) 2016/679).

“Model Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Protected Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Supervisory Authority” means a Data Protection Authority which is concerned by the processing of personal data and is an independent public authority established by an EU member state pursuant to the GDPR.

2. Data protection impact assessment

A data protection impact assessment refers to the assessment by Data Exporter of the impact of the proposed processing on the protection of Personal Data. Upon Data Exporter’s request, Data Importer shall provide Data Exporter with reasonable assistance needed to fulfill Data Exporter’s obligations under the GDPR to carry out a data protection impact assessment related to Data Exporter’s use of the Service, to the extent such information is available to Data Importer. Data Importer shall provide reasonable assistance to Data Exporter in cooperation or prior consultation with the Supervisory Authorities.

3. International transfers

Data Exporter’s Personal Data may be processed and/or transferred outside of the EEA to third countries, i.e. countries not deemed by the European Commission to provide an adequate level of data protection. By sharing Personal Data with the Data Importer, the Data Exporter consents to the transfer of these Personal Data to such third countries. To the applicable extent and in the absence of a decision of adequacy, Data Importer has adopted appropriate transfer mechanisms to safeguard the transfer of Personal Data in accordance with applicable laws, and the Parties agree to enter into and comply with the following EU Model Clauses:

Module Two of the Model Clauses

Module Two (Controller to Processor) is incorporated herein by reference and will apply in those instances where Customer acts as a Data Exporter and Sociabble acts as a Data Importer. Signatures applied to the Quote shall be deemed to also sign and give effect to the Model Clauses:

- In respect to Clause 9(a) (Sub-processors) of Module Two of the Model Clauses, the Parties agree that Option 2 shall apply, and the time period will be 30 days.
- In respect to Clause 17 (Governing Law) of Module Two of the Model Clauses: Option 1 is selected, and the governing law is that of France.
- In respect to Clause 18 (Choice of forum and jurisdiction) of Module Two of the Model Clauses: the courts of Paris (France) shall resolve any disputes arising from the Model Clauses.

Description of the Processing/data transfers

In addition to the information contained in Exhibits A and B of the present DPA, see below the relevant information related to the Model Clauses:

- Sensitive Personal Data: Data Exporter shall not transfer any sensitive Personal Data (as specified in the GDPR) to Data Importer.
- Frequency of the transfer: The transfer of Personal Data between the Parties will occur on a continuous basis.

4. Effect of this Exhibit C

In the event of any conflict or inconsistency between the terms of this exhibit and the Terms and Conditions with respect to the subject matter hereof, and solely where the GDPR applies, the terms of this Addendum shall control.

EXHIBIT D – CALIFORNIA CONSUMER PRIVACY ACT ADDENDUM

1. Definitions

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.

“Customer Personal Information” means any Customer Data maintained by Customer and processed by Sociabble solely on Customer’s behalf that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, to the extent that such information is protected as “personal information” (or an analogous variation of such term) under applicable U.S. Data Protection Laws.

“U.S. Data Protection Laws” means all laws and regulations of the United States of America, including the CCPA, applicable to the processing of personal information (or an analogous variation of such term).

“Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.

2. Roles and obligations

Roles. The Parties acknowledge and agree that with regard to the processing of Customer Personal Information performed solely on behalf of Customer, Sociabble is a Service Provider and receives Customer Personal Information pursuant to the business purpose of providing the Service to Customer in accordance with the Terms and Conditions.

No Sale of Customer Personal Information to Sociabble. Customer and Sociabble hereby acknowledge and agree that in no event shall the transfer of Customer Personal Information from Customer to Sociabble pursuant to the DPA and Terms and Conditions constitute a sale of information to Sociabble, and that nothing in the DPA and/or Terms and Conditions shall be construed as providing for the sale of Customer Personal Information to Sociabble.

Limitations on Use and Disclosure. Sociabble is prohibited from using or disclosing Customer Personal Information for any purpose other than the specific purpose of performing the Service specified in the Terms and Conditions, the permitted business purposes set under applicable law, and as required under applicable law. Sociabble hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of applicable U.S. Data Protection Laws.

Effect of this Exhibit D. In the event of any conflict or inconsistency between the terms of this exhibit and the terms of the Terms and Conditions with respect to the subject matter hereof, and solely where U.S. Data Protection Laws apply, the terms of this Addendum shall control.

EXHIBIT E – INDIA’S DIGITAL PERSONAL DATA PROTECTION ACT

1. Definitions

“DPDP Act” means the Indian Digital Personal Data Protection Act dated August 11th, 2023.

“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

“Data Principal” means the individuals whose personal data are collected and processed.

“Data Principal Rights” means the rights of a Data Principal to access, correct, rectify, complete and erase their personal data, to nominate, and to grievance redressal.

“Data Processor” has the meaning ascribed to it in Sec. 2(k) of the DPDP Act.

“Data Protection Board of India” means the Indian data protection supervisory authority.

2. Roles

The Parties acknowledge and agree that with regard to the processing of Customer Personal Data performed solely on behalf of Customer, (i) Sociabble is a Data Processor and Customer is a Data Fiduciary; and (ii) Sociabble receives Customer Personal Data pursuant to the business purpose of providing the Service to Customer in accordance with the Terms and Conditions.

3. Obligations

Data breach. The Data Processor shall notify the Data Fiduciary without undue delay upon becoming aware of a Personal Data Breach affecting the Data Fiduciary’s Personal Data, providing Data Fiduciary with sufficient information to allow it to meet any obligations to report or inform Data Principals of the Personal Data Breach under the DPDP Act.

Data Principal request. Considering the nature of the Processing, Processor shall reasonably assist Data Fiduciary by appropriate TOMs, insofar as this is possible, in the fulfilment of Data Fiduciary’s obligation to respond to a Data Principal request under the DPDP Act. If Processor receives a Data Principal request it will, to the extent legally permitted, promptly forward such request to the Data Fiduciary and, except if required by the DPDP Act, the Processor shall not respond to any such request without the Data Fiduciary’s instruction, other than to confirm receipt of the request, to inform the Data Principal that their request has been forwarded to the Data Fiduciary, and/or to refer them to the Data Fiduciary, except per reasonable instructions from Data Fiduciary. The Data Fiduciary shall be responsible for any cost arising from Data Processor’s assistance, and Data Processor will reasonably assist the Data Fiduciary with (i) any Data Principal Right and (ii) the resolution of any request or inquiries that Data Fiduciary receives from the Data Protection Board of India relating to Data Processor, unless Data Processor elects to object to such requests directly with such authority.

4. Effect of Exhibit E

In the event of any conflict or inconsistency between the terms of this exhibit and the terms of the Terms and Conditions with respect to the subject matter hereof, and solely where Indian Data Protection Laws apply, the terms of this Addendum shall control.