Data Processing Addendum
This Data Processing Addendum (“Addendum”), together with any Order Forms executed by Drift and Customer, form the Agreement between the Parties for Drift’s provision of Services to Customer (the “Agreement”).
This Addendum regulates only the Processing of Personal Data subject to EU Data Protection Law for the Purposes (as defined in Annex 2) by the Parties in the context of the Services. Annexes 1, 2, and 3 form an integral part of this Addendum.
- Definitions. The following terms have the meanings set out below for this Addendum:
- “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
- “Data Subject” means a natural person whose Personal Data are processed in the context of this Addendum.
- “EU Data Protection Law” means GDPR and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC, and as amended and replaced from time to time) and their national implementing legislations, if any.
- “GDPR” means the EU General Data Protection Regulation 2016/679 (as amended and replaced from time to time).
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- “Privacy Shield” means the EU-U.S. Privacy Shield framework created by the U.S. Department of Commerce (“DoC”) and the European Commission, and the Swiss-U.S. Privacy Shield framework created by the DoC and the Swiss government.
- “Processor” means the entity that processes Personal Data on behalf of a Controller.
- “Processing of Personal Data” (or “Processing/Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Services” has the meaning in the Agreement.
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection set out in the European Commission’s decision (C(2010)593) of 5 February 2010.
- “Sub-Processor” means the entity engaged by the Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller.
- “Supervisory Authority” means an independent public authority that has been established by a state for which EU Data Protection Law is the applicable law regarding the protection of Personal Data.
- “Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.
- Roles of the Parties. For purposes of this Addendum, Customer, as controller, appoints Drift as a Processor for the Processing of Personal Data (as defined in Annex 2) on Customer’s behalf for the Purposes (as defined in Annex 2).
- Obligations of Drift. When Processing Personal Data for the Purposes in connection with the Services, Drift:
- Will only Process Personal Data on behalf of Customer in accordance with the Customer’s lawful written instructions and not for any other purposes than those specified in Annex 2 or as otherwise agreed by both Parties in writing.
- Will promptly inform Customer if, in its opinion, Customer’s instructions infringe EU Data Protection Law, or if Drift is unable to comply with Customer’s instructions.
- Will, taking into account the nature of the Processing and the information available to Drift, assist Customer in ensuring compliance with Customer’s obligations under EU Data Protection Law, including data security, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities.
- Will, taking into account the nature of the Processing, take appropriate technical and organizational measures to assist Customer in fulfilling Customer’s obligation to respond to Data Subjects’ requests to exercise their rights as provided under EU Data Protection Law. If Drift receives a request directly from a Data Subject, law enforcement agency or regulator, Drift shall, unless prohibited from doing so by applicable law (including binding terms of the request itself), notify Customer about such request and only take further action as instructed by Customer. To the extent legally permitted, Customer shall be responsible for all reasonable costs arising from Drift’s provision of such assistance or compliance with such requests.
- Will notify Customer when local laws prevent Drift from complying with the instructions received from Customer via this Addendum, or when Drift is required to process Personal Data by law to which Drift is subject, except if such disclosure is prohibited by applicable law.
- Will, at the choice and direction of the Customer after the end of the provision of the Services, delete or return all Personal Data processed under this Addendum to the Customer, and delete existing copies unless EU or member state law requires storage of the Personal Data.
- Will implement (and regularly test and review) internal Personal Data Breach identification, response and notification procedures in accordance with good industry practice. In the event of a Personal Data Breach relating to or affecting the Personal Data:
- Drift shall, at its own expense, notify such Personal Data Breach to Customer without undue delay after Drift becoming aware of such Personal Data Breach; and
- Drift shall, at its own expense: (i) co-operate with Customer’s reasonable requests; and (ii) provide all information reasonably requested by Customer, in each case, as required to enable Customer to comply with EU Data Protection Law and co-operate with the directions or guidance of any Supervisory Authority.
- Data Transfers. Drift shall not transfer any Personal Data to a Third Country unless the following conditions are fulfilled:
- Drift complies with reasonable instructions notified to it in advance by Customer with respect to the processing of the Personal Data.
- If the transfer is to Drift:
- In the US, Drift shall maintain its certification under Privacy Shield to process such Personal Data;
- Drift shall comply with the data importer obligations in the Standard Contractual Clauses which are hereby incorporated into and form part of this Addendum and Customer shall comply with the data exporter obligations.
- If the transfer is to a Sub-Processor in a Third Country, Drift shall:
- if the transfer is to the US, ensure that the receiving party is certified to process such Personal Data under Privacy Shield; or
- ensure that the Sub-Processor shall comply with the data importer obligations in the Standard Contractual Clauses. For the purpose of this Section 4.3.2, Customer hereby grants Drift a mandate to execute the Standard Contractual Clauses with any relevant Sub-Processor it appoints on behalf of the Customer.
- Customer acknowledges and agrees that Drift may engage third-party Sub-Processors in connection with the performance of the Services. The Sub-Processors approved by Customer as at the date of the Agreement or this Addendum are listed in Annex 3 hereto. Drift has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- Customer shall, within ten days of the effective date of this Addendum, sign up via https://goo.gl/forms/bV4t9DgcSGBHmwPH2 in order to receive notifications of new Sub-Processors (“Sub-Processor Notification Process”). Drift shall provide notification via the Sub-Processor Notification Process of a new Sub-Processor before authorizing any new Sub-Processor(s) to Process Personal Data in connection with the provision of the applicable Services.
- Customer may object to Drift’s use of a new Sub-Processor by notifying Drift promptly in writing to firstname.lastname@example.org within ten (10) business days after receipt of Drift’s notice in accordance with the Sub-Processor Notification Process. In the event Customer objects to a new Sub-Processor, as permitted in the preceding sentence, Drift will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening the Customer. If Drift is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to the Services that cannot be provided by Drift without the use of the objected-to new Sub-Processor by providing written notice to Drift. Drift will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Service, without imposing a penalty for such termination on Customer.
- Where a Sub-Processor fails to fulfill its data protection obligations, Drift shall remain fully liable to Customer for the performance of the Sub-Processor’s obligations.
- Customer acknowledges and expressly agrees that Drift may engage new Sub-Processors as described in Sections 5.1 to 5.3 of this Addendum.
- Security of the Processing; Confidentiality.
- Drift will, taking into account the nature of the processing, implement and maintain a comprehensive written information security program with appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the security measures listed in Annex 1 and as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Drift must take steps to ensure that any person acting under its authority who has access to Personal Data is subject to a duly enforceable contractual or statutory confidentiality obligation and will not process the Personal Data except on instructions from Customer.
- Data Protection Audit.
- Customer, acting by itself or through its appointed representative (acting pursuant to an NDA approved by Drift), shall have the right during the term of the Agreement and for as long thereafter as Drift processes Personal Data regarding which Customer is a Controller, to assess compliance by Drift with the applicable requirements of the EU Data Protection Law and/or this Addendum, and to review the technical and organizational measures taken by Drift against the unauthorized or unlawful processing of Personal Data and against the unauthorized access to, accidental loss or destruction of, or damage to, Personal Data, on at least thirty (30) days’ advance notice to Drift. Before the commencement of any audit, Customer and Drift shall mutually agree upon the scope, timing, and duration of the audit, and Customer shall take all reasonable measures to limit any adverse impact thereof on Drift.
- To the extent permitted by applicable law, Customer shall bear the costs and expenses incurred in respect of the parties’ compliance with their obligations under this clause, unless the audit identifies that Drift is not in compliance with the applicable requirements of the EU Data Protection Law and/or this Addendum, in which case Drift shall reimburse Customer for all reasonable costs and expenses incurred by Customer and Drift in connection with the audit.
- Invalidity and Severability; Conflict. In the event of any inconsistency between this Addendum and Standard Contractual Clauses entered into by the parties, if any, the Standard Contractual Clauses shall prevail.
ANNEX 1 – Security Measures
Drift will, as a minimum, implement the following types of security measures:
- When Processing Personal Data on behalf of Customer in connection with the Services, Drift has implemented and will maintain appropriate technical and organizational security measures for the Processing of such data, including the measures specified in this Section to the extent applicable to Drift’s Processing of Personal Data. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.
- Physical Access Control. Drift employs measures designed to prevent unauthorized persons from gaining access to data processing systems in which Personal Data is processed, such as the use of security personnel, secured buildings and data center premises.
- System Access Control. The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and the logging of access on several levels. For Services: (i) log-ins to Services Environments by Drift employees; and (ii) logical access to data centers is restricted and protected by firewall/VLAN.
- Transmission Control. All messages and files sent through Drift are encrypted. Except as otherwise specified for the Services, transfers of data outside the Service environment are also encrypted.
- Input Control. The Personal Data source is under the control of the Customer and is managed by secured file transfer (i.e., via web services or entered into the application) from the Customer. Note that some Services permit Customers to use unencrypted file transfer protocols. In such cases, Customer is solely responsible for its decision to use such unencrypted file transfer protocols.
- Data Backup. Back-ups are taken on a regular basis; back-ups are secured using a combination of technical and physical controls, depending on the particular Service.
- Data Segregation. Personal Data from different Drift customers’ environments is logically segregated on Drift’s systems.
ANNEX 2 – Description of the Processing Activities
This Annex 2 describes the Processing by Drift under the Addendum.
Subject-matter of the Processing
The performance of the Services pursuant to the Agreement.
Nature and Purpose of the Processing
Processing Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Data Subjects as required under EU Data Protection Law; and (iii) Processing to comply with other documented, reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Types of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title, work department, and manager/supervisor name
- Contact information (company, email, phone, physical business address)
- Biographical and directory information, including linked social media profile or posts
- IDs and login credentials for use of the Services
- Identifiers related to work or personal devices used to access data exporter’s IT systems
- Log information generated through the use of data exporter’s IT systems
- Actions performed by the employee while accessing or using the Services
- IP address
- Localization data
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customer’s end-user customers, prospects, and partners, including employees, contractors, collaborators, and advisors of such end-user customers, prospects, and partners (who are natural persons).
Duration of the Processing
Until directed by Customer to end Processing.
ANNEX 3 – Sub-Processors

| Sub-Processor | Nature of Processing |
|---|---|
| Message Systems, Inc. (DBA Sparkpost), 9130 Guilford Road, Columbia, MD 21046 | Provision of email delivery services. |
| Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226 | |
| 1801 California Street, Suite 500, Denver, Colorado 80202 | Provision of email delivery services. |
| 3030A 16th St., San Francisco, California, 94103 | |