This Data Processing Agreement (“Agreement”) supplements the Terms of Service, located at https://www.deadlinefunnel.com/legal/tos (the “Terms”), between you (“Client”) and CyberPanda s.r.o. (“Company”), is effective as of the date Client accepts this Agreement, and is hereby incorporated by reference into the Terms. All capitalized terms not otherwise defined in this Agreement will have the meaning given to them in the Terms. In the event of any inconsistency or conflict between this Agreement and the Terms, this Agreement will govern. Client and Company agree as follows:
1. Processing of Personal Information
In connection with providing the Services, Company will be Processing Personal Information on behalf of Client. “Personal Information” means information that relates, directly or indirectly, to an identified or identifiable person (a “Data Subject”), which may include names, email addresses, postal addresses, or online identifiers, that Client provides or submits in connection with using the Services. Where required by Applicable Law, any specific categories of Personal Information that Company will Process in connection with the Agreement are set forth in Schedule 1 (Scope of Processing). As between Client and Company, all Personal Information is the sole and exclusive property of Client.
2. Company and Client Responsibilities
The parties acknowledge and agree that: (a) Company is a processor and/or service provider, as applicable, with respect to Personal Information under Applicable Law (defined below); (b) Client is a controller and/or business with respect to Personal Information under Applicable Law; and (c) each party will comply with the obligations applicable to it under Applicable Law with respect to the Processing of Personal Information.
3. Company Responsibilities
“Process” or “Processing” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as the access, collection, use, storage, disclosure, dissemination, combination, recording, organization, structuring, adaption, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure and/or destruction of Personal Information. As a part of the Services, Company will:
(a) Process Personal Information solely in accordance with Client’s documented instructions. Without limiting the foregoing, Company will not: (i) collect, retain, use, or disclose Personal Information for any purpose other than as necessary for the specific purpose of performing the Service as described in the Agreement, including use of the Personal Information for a commercial purpose other than providing the Service; and (ii) sell the Personal Information;
(b) Process Personal Information in accordance with laws, rules, and regulations that apply to Company’s provision, and Client’s use, of the Services, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) (collectively, “Applicable Law”);
(c) not disclose Personal Information to any third party without first, except to the extent prohibited by Applicable Law, (i) notifying Client of the anticipated disclosure (so as to provide Client the opportunity to oppose the disclosure); (ii) obtaining Client’s prior consent to the disclosure; or (iii) imposing contractual obligations on the third party recipient that are at least equivalent to those obligations imposed on Company under this Agreement;
(d) amend, correct, or erase Personal Information at Client’s written request and provide a means for Client to update and make accurate Personal Information Processed by Company;
(e) notify Client of any third party request (by a Data Subject or otherwise) to (i) restrict the Processing of Personal Information; (ii) port Personal Information to a third party; or (iii) access, rectify, or erase Personal Information. Company will use commercially reasonable efforts to assist Client, at Client’s reasonable written request, in complying with Client’s obligations to respond to requests and complaints directed to Client with respect to Personal Information Processed by Company;
(f) at the reasonable written request of Client, cooperate and assist Client in conducting a data protection impact assessment, where required by Applicable Law;
(g) ensure that Company personnel Processing Personal Information are subject to obligations of confidentiality; and
(h) keep all Personal Information compartmentalized or otherwise logically distinct from other information of Company or its personnel, suppliers, customers or other third parties.
Company will use commercially reasonable efforts to inform Client if Company becomes aware or reasonably suspects that Client’s instructions regarding the Processing of Personal Information may breach any Applicable Law.
4. Subcontractors
Company will not engage another processor to process Client’s Personal Information without authorization from Client. Company will be responsible to Client for any material failure of such processor to fulfill Company’s data protection obligations as set forth in this Agreement. Client hereby provides its general written authorization for Company’s use of subcontractors to Process Personal Information on behalf of Client.
5. Data Transfers
Where required by Applicable Law, Company will use commercially reasonable efforts not to transfer any Personal Information from one country to another without Client’s prior written consent, which Client shall not unreasonably withhold, and which Client hereby provides as required for Company’s provision of Services under the Agreement. Where Client consents to such transfer, the transfer will be in accordance with Applicable Law and with the following:
(a) Any regulated data transfer will be conducted pursuant to the EU Standard Contract Clauses, incorporated as Schedule 2 to this Agreement. The following terms will apply:
i. Client will be referred to as the “Data Exporter” and Company will be referred to as the “Data Importer” in such clauses;
ii. Details in Schedule 1 of this Agreement will be used to complete Appendix 1 of those Standard Contract Clauses;
iii. Details of Section 6 of this Agreement will apply in addition to those in Appendix 2 of those Standard Contract Clauses; and
iv. If there is any conflict between this Agreement or the Terms and the Standard Contract Clauses, the Standard Contract Clauses will prevail.
(b) For clarity, the EU Standard Contract Clauses will be deemed executed and binding upon Client’s acceptance of this Agreement.
6. Security Safeguards
Company will use commercially reasonable efforts to implement and maintain appropriate technical and organizational measures consistent with industry standards to protect and ensure the confidentiality, integrity, and availability of Personal Information.
7. Records and Audits
Company will keep at its normal place of business records of its Processing of Client Personal Information. Where required by Applicable Law, at Client’s reasonable request and with advance written notice, Company will use commercially reasonable efforts to make available to Client such records and information as is necessary to demonstrate its compliance with Applicable Law with respect to Personal Information and allow an independent third party to conduct an audit to verify such compliance on behalf of Client. Any such audit will be conducted (a) on reasonable advance written notice to Company; (b) no more than once per year; (c) during Company’s standard business hours; and (d) in such a manner as to minimize disruption to Company’s operations. Any information provided by Company in connection with such audit must be protected as Company’s confidential information subject to a separate non-disclosure agreement entered into between Company and the recipient of such information before such audit. To request an audit, Client must submit a detailed audit plan at least 90 days in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Client will bear the costs of such audit. Such audits shall be limited to materials strictly necessary to assess Company’s compliance with this Agreement and Applicable Law, and shall not include access to trade secrets, financial records, or information pertaining to other clients.
8. Security Breach
If Company becomes aware of any actual Security Breach (defined below), Company will take commercially reasonable efforts to, without undue delay: (a) notify Client of the Security Breach and any third-party legal processes relating to the Security Breach; and (b) help Client investigate, remediate, and take any action required under Applicable Law regarding the Security Breach. “Security Breach” means any unlawful or accidental loss, destruction, alteration, or unauthorized Processing of Personal Information under Company’s possession or control. The obligations in this Section do not apply to incidents that are caused by Client or Client’s personnel or users.
9. Return or Destruction of Personal Information
Upon written request by Client or when Company no longer is required to Process Personal Information to fulfill its obligations under the Agreement, Company will use commercially reasonable efforts to (a) cease all use of Personal Information; and (b) return all Personal Information to Client or, at Client’s option, destroy all Personal Information and all copies thereof, except to the extent that Company is required under Applicable Law to keep a copy of Personal Information for a specified period of time.
10. DISCLAIMER
COMPANY MAKES NO REPRESENTATION OR WARRANTY THAT THIS AGREEMENT IS LEGALLY SUFFICIENT TO MEET CLIENT’S NEEDS UNDER APPLICABLE LAW, INCLUDING THE GDPR. COMPANY EXPRESSLY DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, THROUGH A COURSE OF DEALING, OR OTHERWISE THAT THIS AGREEMENT WILL COMPLY WITH OR SATISFY ANY OF CLIENT’S OBLIGATIONS UNDER APPLICABLE LAW, INCLUDING THE GDPR. CLIENT FULLY UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE FOR COMPLYING WITH ALL OF ITS OBLIGATIONS IMPOSED BY APPLICABLE LAW. THE PARTIES AGREE THAT THERE WILL BE NO PRESUMPTION THAT ANY AMBIGUITIES IN THIS AGREEMENT WILL BE CONSTRUED OR INTERPRETED AGAINST THE DRAFTER.
Limitation of Liability
The total aggregate liability of Company under this Agreement shall not exceed the limitations set forth in the Terms of Service. In no event shall Company be liable for indirect, incidental, special, or consequential damages, even if it has been advised of the possibility of such damages.
SCHEDULE 1
Scope of Processing
Subject Matter of Processing: The context for the Processing of Personal Information is Company’s provision of Services under the Agreement.
Duration of Processing: The Processing will begin on the effective date of the Agreement and will end upon expiration or termination of the Agreement.
Nature and Purpose of Processing: Company specializes in the development of email marketing, marketing automation, sales, CRM, contact management, and business marketing services. Client, as a client of Company, uses the Services to process Personal Information of its customers or contacts for marketing and related customer relationship management purposes. Company stores the Personal Information on its servers and processes such Personal Information only for the purposes of, and in accordance with, the instructions of Client and does not make any decisions itself as to the use, updating, or deletion of Personal Information.
Types of Personal Information: The Personal Information concerns the following categories of data: contact details including name, address, telephone or mobile number, fax number and email address; date of birth; personal bank account details; details of goods and/or services which customers/potential customers have purchased or inquired about; IP address; place of employment; occupation; personal interests; age; and other Personal Information collected and provided by Client in connection with Client’s use of the Services.
Categories of Data Subjects: The Personal Information transferred concerns the following categories of data subjects: customers and prospective customers of Client and other marketing contacts determined by Client in connection with Client’s use of the Services.
SCHEDULE 2
1. Incorporation of 2021 SCCs
For transfers of personal data under this Data Processing Agreement from the European Economic Area (“EEA”), United Kingdom (“UK”) or Switzerland to the data importer located in a third country which does not ensure an adequate level of data protection (within the meaning of the GDPR or equivalent laws), the parties agree to enter into the Standard Contractual Clauses issued by the European Commission under Decision 2021/914/EU (the “EU SCCs”) as follows:
- Module: Module 2 (Controller to Processor) shall apply.
- Clause 7 (Docking Clause): Included.
- Clause 9 (Use of subprocessors): Option 2 (General Authorization) shall apply. The data importer shall give the data exporter a minimum of ten (10) days’ notice of any intended changes.
- Clause 11 (Redress): Not included.
- Clause 17 (Governing law): The law of the Slovak Republic shall apply.
- Clause 18 (Choice of forum and jurisdiction): The courts of the Slovak Republic shall have jurisdiction.
- Annex I–III: Completed as attached to this Agreement (see below).
2. Transfers from the United Kingdom
To the extent that the data exporter is subject to the UK GDPR, the EU SCCs shall apply as modified by the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office (version B.1.0, in force as of March 21, 2022), which is incorporated herein by reference.
- The EU SCCs as set out above shall be deemed amended as specified by the UK Addendum.
- In case of conflict, the UK Addendum shall prevail with respect to transfers governed by UK data protection law.
3. Transfers from Switzerland
To the extent that the data exporter is subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs shall apply with the following modifications:
- References to the “GDPR” shall be deemed to include the FADP.
- References to “Member State” shall include Switzerland.
- Clause 17 (Governing law): The governing law shall be the laws of Switzerland.
- Clause 18 (Jurisdiction): The courts of Zurich, Switzerland shall have jurisdiction.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Please see details set forth in Schedule 1 to the Deadline Funnel Data Processing Agreement.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
In addition to the security measures set forth in Section 6 of the Deadline Funnel Data Processing Agreement, data importer will implement technical and organizational security measures intended to secure the processing of Client Personal Information and to preserve the security, availability, integrity and confidentiality of Personal Information (“Security Measures”), in accordance with its obligations under Applicable Law including, as applicable:
(a) the pseudonymization and encryption of Personal Information;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Information.
Appendix 3 to the Standard Contractual Clauses
Where the EU Controller-to-Processor Model Clauses (“Clauses”) apply pursuant to Section 5 of this Agreement, then this Appendix 3 sets out the parties’ interpretations of their respective obligations under specific provisions within the Clauses, as identified below. Where a party complies with the interpretations set out in this Appendix 3, that party shall be deemed by the other party to have complied with its commitments under the Clauses. When used below, the terms “data exporter” and “data importer” shall have the meaning given to them in the Clauses.
Nothing in the interpretations below is intended to vary or modify the Clauses or conflict with either party’s rights or responsibilities under the Clauses and, in the event of any conflict between the interpretations below and the Clauses, the Clauses shall prevail to the extent of such conflict. Notwithstanding this, the parties expressly agree that any claims brought under the Clauses shall be exclusively governed by the limitations on liability set out in the Agreement. For the avoidance of any doubt, in no event shall any party limit its liability with respect to any data subject rights under the Clauses.
Clause 4(h): Obligations of the data exporter regarding non-disclosure requirements
Data exporter agrees that the terms of these Clauses, as executed, constitute data importer’s confidential information and may not be disclosed by data exporter to any third party without data importer’s prior agreement (other than to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8, with the exception of any confidential or commercial information as consistent with the parties’ respective obligations in Sections 4(h) and 5(g), respectively).
Clause 5(a): Suspension of data transfers and termination:
- The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
- The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data.
- If the data exporter intends to suspend the transfer of personal data, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).
- If after the Cure Period, the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instances where it considers there is a material risk of harm to data subjects or their personal data.
Clause 5(b): Supplementary Measures:
- The parties acknowledge that it is the responsibility of the data exporter to verify whether the safeguards employed by data importer are sufficient to meet its obligations under Applicable Law, including with respect to the provision of adequate safeguards necessary to secure the transfer of personal data through these clauses.
- Data importer has not, to its knowledge, received any requests for the personal data of EU residents processed within the provision of the Services, under Section 702 of the U.S. Foreign Intelligence Surveillance Act.
- The parties acknowledge that personal data transmitted between data exporter and data importer within the course of the Services is encrypted in transit.
Clause 6: Liability
Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement in effect as of the date of execution of these Clauses or other written or electronic agreement for data exporter’s use and purchase of data importer’s products and services. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.
Clause 11: Onward subprocessing
a. Data exporter specifically authorizes data importer to use its Affiliates as Subprocessors, and generally authorizes data importer to engage Subprocessors to Process Customer Data. In such instances, data importer:
(i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Agreement; and
(ii) remains liable for compliance with the obligations of this Agreement and for any acts or omissions of the Subprocessor that cause data importer to breach any of its obligations under this Agreement.
b. A list of data importer’s Subprocessors, including their functions and locations, is available at https://www.deadlinefunnel.com/legal/subprocessors or such other website as data importer may designate (“Subprocessor Page”), and may be updated by data importer from time to time in accordance with this Agreement.
c. When any new Subprocessor is engaged, data importer will notify data exporter of the engagement, which notice may be given by updating the Subprocessor Page and via email. Data importer will give such notice at least ten (10) calendar days before the new Subprocessor Processes any personal data, except that if data importer reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the personal data or avoid material disruption to the Services, data importer will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, data exporter notifies data importer in writing that data exporter objects to data importer’s appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, data exporter, as its sole and exclusive remedy, may terminate the Agreement for convenience.