ReviewInc. Data Processing Agreement (DPA)
Purpose of Processing: The provision of Services to Client pursuant to, and limited to, the Agreement
Duration: Coterminous with the Agreement
Type of Personal Data to be Processed: Account Information, Contact Information, addresses and limited geo-location data for check-in, Personal Information contained within non-publicly available reviews drafted by customers of Client
Categories of Data Subjects: Reviewers/customers of Client, reviewers/customers of Client’s customers.
This Data Processing Agreement (this “DPA”) is entered into between Company and Client where, and only where, such a DPA is required by applicable Data Protection Law, and incorporates all terms and definitions of the Terms and Conditions and Privacy Policy of Company (the “Agreement”). This DPA is co-extensive and coterminous with any agreement for Services between Company and Client. Capitalized terms that are not defined in this DPA have the meanings ascribed to them in the Agreement or in applicable Data Protection Laws. In the event of any conflict between the provisions of the Agreement and this DPA, the provisions of this DPA will prevail.
1. Definitions.
1.1. “Data Protection Laws” means, where and only as applicable to the Services provided by Company to Client, (i) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”); (ii) the General Data Protection Regulation as it forms part of UK domestic law by virtue of the UK Data Protection Act 2018 and Section 3 of the European Union (Withdrawal) Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended) (“UK GDPR”); and (iii) the California Consumer Privacy Act of 2018, as modified or amended by the California Privacy Rights Act (“CCPA”). Unless otherwise stated, “GDPR” means both the EU GDPR and UK GDPR.
1.2. “Personal Data” means any information relating to an identifiable or identified Data Subject or customer of Client that (i) Company processes as a Processor while providing Client with the Services under the Agreement, and (ii) either (x) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject, individual or household, or (y) would be considered personal information or personal data as such terms/concepts are defined by applicable law; provided, however, that Personal Data excludes any such information that has been aggregated or anonymized in a manner that is not (1) identifiable as having originated from the Data Subject, or (2) capable of allowing a recipient to infer the Data Subject’s information.
1.3. “Sell”, “Share”, “Business”, “Controller”, “Data Subject”, “Consumer”, “Processor”, “Subprocessor”, “Service Provider” and “Processing” have the meanings ascribed to them in applicable Data Protection Law and their cognate terms will be construed accordingly.
3. Subprocessing. Company may use Subprocessors to process the Personal Data in compliance with Data Protection Laws. Company’s Subprocessors, as of the Effective Date, are: Microsoft and Rackspace Technology.
3.1. Additions; Replacement. This DPA is Client’s general written authorization for Company to engage Subprocessors; provided, however, that Company will provide notice to Client of any intended changes concerning the addition or replacement of Subprocessors by updating the list of Subprocessors found above in this DPA. It is Client’s responsibility to ensure it is regularly reviewing Company’s list of Subprocessors. If, within 14 days of receiving such notice, Client does not provide written notice to Company of any reasonable objections that detail why the proposed Subprocessor would not adequately support Client’s obligations under the Data Protection Laws, Client will be deemed to have consented to the proposed engagement. If the parties are not able to resolve a reasonable objection and Company continues to appoint such Subprocessor, then Client will be entitled to terminate any agreements with respect to the processing of Personal Data under the Data Protection Laws by the new Subprocessor without any liability as a result of such termination (such termination, a “Subprocessor Objection Termination”). For the avoidance of doubt, Company shall have no liability for a Subprocessor Objection Termination under this Section 3.1 and such Subprocessor Objection Termination shall not constitute a termination for breach under the Agreement.
3.2. Liability. Company will enter written agreements with any Subprocessor requiring the Subprocessor to provide the level of data protection compliance and information security to Client Data required by Data Protection Laws. Company will remain liable for any Subprocessor’s compliance with its obligations and for any acts or omissions of a Subprocessor that cause a Subprocessor to fail to fulfill such obligations or that cause Company to breach any Company obligations under this DPA. These terms, or anything else in this DPA, shall not supersede any limitations on liability in the Agreement or any other related Agreements.
4. Confidentiality. Company will treat all Personal Data as strictly confidential and it will inform all its employees, agents and/or approved Subprocessors engaged in processing the Personal Data of the confidential nature of the Personal Data. Company will ensure that these entities have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
5. Security. Company will implement the measures set forth in Exhibit A and not less than appropriate technical and organizational measures to ensure security of the processing of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6. Inspections. At Client’s written request, and no more than once annually, Company will make relevant information necessary to demonstrate compliance with applicable Data Protection Law reasonably available to Client. To the extent required by Data Protection Laws and subject to reasonable notice, scope, reimbursement, and confidentiality requirements, Company will allow for audits, including inspections, conducted by the Client or another auditor mandated by the Client as outlined in Exhibit A.
7. Data Subject Requests. To the extent possible and commercially reasonable, Company will assist Client by appropriate measures to fulfill Client’s obligation to respond to a Data Subject request under applicable Data Protection Law, taking into account the nature of the processing. Company will assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the processor.
8. Notifications. If Company is otherwise required to comply with a legal obligation, Company will inform Client of that legal obligation, unless Company is prohibited from doing so. Company will inform Client if, to its knowledge, an instruction from Client would infringe Data Protection Laws.
9. Incident Management. If Company becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Company while providing the Services (a “Security Incident”) under the Agreement, it will, within the time frame noted in Exhibit A, notify Client and provide Client a description of the Security Incident as well as periodic updates to information about the Security Incident. Company will investigate the Security Incident and take reasonable steps to prevent or mitigate the effects of the Security Incident.
10. Acceptable Data. The Services are not intended to process cardholder data of Data Subjects regulated by the Payment Card Industry (PCI) Data Security Standards, and Client acknowledges that the Services are not intended to process PCI data. Unless explicitly stated in a written agreement including this DPA, the Services are also not intended to store or use any Sensitive Personal Information as defined by Data Protection Laws; using the Services with respect to Sensitive Personal Information may not be compliant with Client’s obligations. Client warrants that the data it shares with Company will not include any Sensitive Personal Information as defined by Data Protection Laws, unless explicitly stated in a written agreement including this DPA. Client further warrants that the data it shares with Company for purposes of the Services will not include the PCI data of Data Subjects.
11. Data Transfer. Company may transfer, process and store Personal Data in regions in which Company or its Subprocessors operate, subject to compliance with Data Protection Laws.
11.1. If and to the extent that any processing of Personal Data subject to the EU GDPR by Company takes place in any country outside the EEA (except if in a country whose laws provide an adequate level of data protection), or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:
a) the parties will cooperate in good faith to terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer; and
b) the mandatory clauses of the Standard Contractual Clauses approved by the EU authorities under EU Data Protection Laws, Controller-to-Processor Clauses (Module Two) or Processor-to-Processor Clauses (Module Three) (“EU SCCs”) (https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en) will apply in respect of that processing:
i. for the purposes of Annex I of the Appendix to the SCCs, Company will comply with the obligations of the “data importer” in the SCCs and the Client will comply with the obligations of “data exporter”;
ii. the activities of Client as data exporter, of Company as data importer, and the details of the data subjects, types of data, special categories of data (if appropriate) and processing operations are all as set out in the table on page 1 of this DPA;
iii. Clause 3 of this DPA (Subprocessing) shall apply for purposes of general written authorization of sub-processors under Clause 9(a) of the SCCs (Use of sub-processors);
iv. the parties agree that the laws of the Republic of Ireland will govern the SCCs (Clause 17) and that the choice of forum and jurisdiction shall be the courts of the Republic of Ireland (Clause 18(b));
v. the parties agree that for the purposes of Annex I.C. (Competent Supervisory Authority), the competent supervisory authority is Data Protection Commission, Ireland; and
vi. Exhibit A of this DPA shall apply for the purposes of Annex II of the Appendix to the SCCs (Technical and Organizational Measures).
11.2. If and to the extent that any processing of Personal Data subject to the UK GDPR by Company takes place in any country outside the UK (except if in a country whose laws provide an adequate level of data protection), or either party relies on a statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, then:
a) the parties will cooperate in good faith to terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer; and
b) the mandatory clauses of the International Data Transfer Agreement issued by the Information Commissioner under S119A(1) Data Protection Act 2018 on 21 March 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK SCCs”) will apply in respect of that processing:
i. for the purposes of Part 1 of the UK SCCs, Company will comply with the obligations of the “data importer” in the SCCs and the Client will comply with the obligations of “data exporter”;
ii. the activities of Client as data exporter, of Company as data importer, and the details of the data subjects, types of data, special categories of data (if appropriate) and processing operations are all as set out in the table on page 1 of this DPA;
iii. Exhibit A of this DPA shall apply for the purposes of Part 4 of the UK SCCs.
11.3. Company will notify Client if it can no longer meet its obligation to provide the level of protection required by the Data Protection Laws.
12. CCPA Compliance. If Company Processes Personal Data of California residents, Company shall comply with the CCPA as amended by the California Privacy Rights Act. Specifically, Company agrees that:
12.1. Company acts solely as a Service Provider in relation to Personal Data of California residents (“Service Provider” shall have the meaning ascribed to it in the CCPA) and Client alone determines the purposes and means of the processing of Personal Data.
12.2. The purpose of processing of Personal Data on Client’s behalf is the provision of Services to Client pursuant to, and limited to, the Agreement.
12.3. Company will not Sell or Share Personal Data of California residents, and the parties acknowledge and agree that Client does not sell Personal Data to Company in connection with the Services (“Sell” and “Share” shall have the meanings ascribed to them in the CCPA). Company will not use, disclose, retain, update, or perform targeted marketing except pursuant to the business purpose and within the direct business relationship unless explicitly authorized to do so by the CCPA.
12.4. For the purposes of CCPA compliance, Company certifies that it understands and will comply with the requirements and restrictions set forth in the Agreement and Exhibit A of this DPA and with respect to any Personal Data subject to the CCPA will not retain, use or disclose the Personal Data (1) for any purpose other than for the specific purpose of performing the Services specified in the Agreement, or (2) outside of the direct business relationship between the parties.
13. Termination. Upon termination of the Agreement, subject to Data Protection Laws, Company will delete or anonymize Personal Data in its possession and control within 30 days. If Client requests a copy of such Personal Data prior to deletion, Company will make a copy of such Personal Data reasonably available to Client.
Exhibit A
Security Procedures
1. Security Controls. Company will maintain security measures appropriate to the nature of the Confidential Information, including reasonable administrative, physical and electronic measures designed to safeguard and protect Client’s information from unauthorized access or disclosure. This includes utilizing software that encrypts the personal information Client inputs, and storing that information in encrypted form behind a firewall designed to block access from outside Company’s network. Security is regularly audited and certified by qualified third parties.
2. Company Personnel and Subcontractors. Company will require applicable employees to abide by obligations substantially similar to Company’s confidentiality and security obligations under this DPA as required by applicable law. Company will be liable for the reckless actions and omissions of personnel and Subcontractors.
3. Verification of Security Controls.
3.1. Security Audits. No more than once annually and only on written request of Client, Company will make relevant information necessary to demonstrate compliance with applicable Data Protection Law reasonably available to Client. Where Company reasonably believes such information is not sufficient to demonstrate compliance with applicable Data Protection Law, no more than once annually and on written request of Client, Company will at Client’s sole cost and expense retain an independent, appropriately qualified auditor to undertake an assessment of and prepare a report on Company’s information security management system and information security controls.
4. Security Incidents.
4.1. Notification. Upon Company’s discovery of a Security Incident and unless prohibited by applicable law, Company will notify, by phone call or in writing (including email), the contacts provided by Client not later than 48 hours following its confirmation of a Security Incident, and provide the following information:
a) a summary of the Security Incident,
b) an expected resolution time (if known), except that if the resolution path is unknown at the time of notification, Company will advise Client that the path is unknown, and
c) the name and phone number of Company contacts for Client to obtain incident updates.
4.2. Security Incident Procedures. In the event of a Security Incident, Company will (a) reasonably cooperate with any investigation concerning the Security Incident by Client, regulators and/or law enforcement, and (b) reasonably cooperate with Client to comply with applicable law concerning such Security Incident, including any notification to data subjects.
4.3. Client Reporting. Client may report Security Incidents to affected persons and/or any governmental authority or agency having supervisory or oversight authority over Client or Security Incidents.
4.4. Corrective Measures. Company will undertake a procedural review and audit to determine measures to avoid occurrence of a similar situation, notify Client of the corrective measures undertaken, and take additional measures reasonably deemed appropriate by Company.