Last Modified: October 24, 2023
This Data Processing Agreement, including its schedules (“DPA”) reflects the parties’ agreement with respect to the Processing of Customer Personal Data by us on behalf of you in connection with the Subscription Service under our Subscription Service Terms or such other written agreement (the “Agreement”) between you and us.
This DPA is supplemental to, and forms an integral part of, the Agreement. In the event of a conflict with the terms and conditions of the Agreement, an Order, or any other documentation, the terms and conditions of this DPA will take precedence over the terms of the Agreement, Order, or other documentation to the extent of such conflict.
This DPA applies only to Customer Personal Data in circumstances where the Processing of that Customer Personal Data is subject to Applicable Data Protection Law. The term of this DPA will follow the term of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
1.1. “Anonymized Data” means any data Processed by ChurnZero under the Agreement (including Customer Data) that have been aggregated, deidentified, or anonymized in such a manner that neither Customer nor any of your Users, nor any other individual can be identified from the data.
1.2. “Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons that may apply to the Processing of Customer Personal Data under the Agreement and this DPA. Such examples include the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act (“Swiss DPA”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein, and the California Consumer Privacy Act (“CCPA”) of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”), the Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law (“LGPD”), the Israeli Privacy Protection Law, 1981, and the ePrivacy Directive 2002/58/EC, together with any European Union Member national implementing the Directive (the “Directive”).
1.3. “Authorized Subprocessor” means a subprocessor engaged by ChurnZero to Process Customer Personal Data on behalf of the Customer per the Customer’s Instructions. Authorized Subprocessors may include ChurnZero Affiliates but shall exclude ChurnZero employees, contractors, and consultants.
1.4. “Controller” means the entity that determines, as a legal person alone or jointly with others, the purposes and means of the Processing of Customer Personal Data.
1.5. “Customer Personal Data” means any Customer Data that includes Personal Data.
1.6. “Data Subject” means the identified or identifiable person to whom Customer Personal Data relates.
1.7. “Legitimate Business Purposes” means the exhaustive list of specific purposes for which ChurnZero is allowed to process Customer Personal Data as Controller as specified in Section 2.5.
1.8. “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This includes any special categories of Personal Data defined in Art. 9 of the GDPR, data relating to criminal convictions and offences, or related security measures defined in Art. 10 of the GDPR and national security numbers defined in Art. 87 of the GDPR and national supplementing law.
1.9. “Processor” means the entity that processes Customer Personal Data on behalf of the Controller.
1.10. “Personal Data Breach” means a breach of security arising from or relating to ChurnZero’s failure to implement or maintain the Security Measures where such act or omission results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. “Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.11. “Process” or “Processing” means any operation or set of operations which is performed upon Customer Personal Data or sets of Customer Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.12. “Standard Contractual Clauses” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”). A current version of the Standard Contractual Clauses can be found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.
1.13. “Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Law, including the Processing of Customer Personal Data covered by this DPA.
2. Roles; Processing of Customer Personal Data.
2.1. Roles of the Parties. The Parties acknowledge and agree to the following: (i) Customer is the Controller of Customer Personal Data; and (ii) ChurnZero is the Processor of Customer Personal Data, except where ChurnZero or a ChurnZero Affiliate acts as a Controller processing Customer Personal Data in accordance with the exhaustive list of Legitimate Business Purposes in Section 2.4.
2.2. Customer’s Processing of Customer Personal Data. Customer shall, in its use of the Subscription Service, Process Customer Personal Data in accordance with Applicable Data Protection Law. For the avoidance of doubt, Customer shall (i) ensure that its Instructions (as detailed in Section 2.3.1 below) to ChurnZero comply with all Applicable Data Protection Law, and that the Processing of Customer Personal Data per Customer’s Instructions will not cause ChurnZero to be in breach of Applicable Data Protection Law; (ii) be solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data that it places (or is placed on its behalf) into the Subscription Service; and (b) how Customer acquired any such Customer Personal Data; and (iii) not provide or make available to ChurnZero any Customer Personal Data in violation of the Agreement or this DPA.
2.3. ChurnZero’s Processing of Customer Personal Data.
2.3.1. ChurnZero shall Process all Customer Personal Data: (i) in compliance with Applicable Data Protection Law; and (ii) to perform the following activities on behalf of Customer (a) provide and update the Subscription Service as licensed, configured, and used by Customer and its Users; (b) secure and real-time monitor the Subscription Service; (c) resolve issues, bugs, and errors; (d) provide Customer requested support; and (v) otherwise Process the Customer Personal Data as set out in the Agreement and this DPA, or pursuant to any other documented instruction provided by Customer and acknowledged by ChurnZero as constituting instructions for purposes of this DPA (collectively, the “Instructions”).
2.3.2. To the extent that ChurnZero cannot comply with an Instruction or other request relating to the Processing of Customer Personal Data (to include where ChurnZero considers such request unlawful), ChurnZero shall immediately notify the Customer of any such objection and request that Customer withdraw, amend, or confirm the relevant Instruction. Pending the decision on the withdrawal, amendment, or confirmation of the relevant Instruction, ChurnZero shall be entitled to suspend the implementation of the relevant Instruction.
2.4. ChurnZero as a Controller. ChurnZero may Process Customer Personal Data for its own Legitimate Business Purposes, as an independent Controller, solely when the Processing is for one of the following exhaustive list of purposes: (i) directly identifiable data (name, screen name, profile picture and email address and all Customer Personal Data directly connected to such directly identifiable data) may be Processed for: (a) billing, account, and Customer relationship management (marketing communication with procurement/sales officials), and related Customer correspondence (mailings about for example necessary updates); (b) complying with and resolving legal obligations; (c) abuse detection, prevention, and protection (such as virus scanning and scanning to detect violations of terms of service (such as copyright infringement)); (ii) creation of Anonymized Data for: (a) improving and optimizing the performance and core functionalities of accessibility, privacy, security, and the IT infrastructure efficiency of the Subscription Service; (b) internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy); and (c) receiving and using Feedback. For clarity, when acting as an independent Controller, ChurnZero will not process Customer Personal Data for any purposes other than the above list of Legitimate Business Purposes.
2.5. Customer Personal Data Retention. Following the completion of the Services, at Customer’s choice, to the extent that ChurnZero is a Processor, ChurnZero shall either enable Customer to delete some of Customer’s Personal Data (for example a User’s personal data) or all of Customer’s Personal Data, shall return to Customer the specified Customer Personal Data, or shall delete the specified Customer Personal Data, and delete any existing copies in compliance with its data retention and deletion policy. If return or destruction is impracticable or incidentally prohibited by a valid legal order law, ChurnZero shall take measures to inform the Customer and block such Customer Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by applicable law) and shall continue to appropriately protect the Customer Personal Data remaining in its possession, custody, or control and, where any Authorized Subprocessor continues to possess Customer Personal Data, require the Authorized Subprocessor to take the same measures that would be required of ChurnZero.
2.6. Details of the Processing. The duration of the Processing, the nature and purpose of the Processing, and the types of Customer Personal Data Processed and the categories of Data Subjects under this DPA are further specified in Schedule I to this DPA.
2.7. Cooperation. ChurnZero shall provide the Controller with all required assistance and cooperation in enforcing the obligations of the Parties under Applicable Data Protection Law. To the extent that such assistance relates to the Processing of Customer Personal Data for the purpose of the performance of the Agreement, the Processor shall in any event provide the Controller with such assistance relating to: (i) the security of Customer Personal Data; (ii) performing checks and audits; (iii) performing Data Protection Impact Assessments (“DPIA”); (iv) prior consultation with the Supervisory Authority; (v) responding to requests from the Supervisory Authority or another government body; (vi) responding to requests from Data Subjects; and (vii) reporting Personal Data Breaches.
3. Rights of Data Subjects. To the extent that ChurnZero is a Processor:
3.1. ChurnZero shall promptly notify Customer upon receipt of a request by a Data Subject to exercise Data Subject rights under Applicable Data Protection Law. ChurnZero will advise the Data Subject to submit his or her request to Customer, and Customer will be responsible for responding to such request.
3.2. ChurnZero shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights (regarding information, access, rectification and erasure, restriction of Processing, notification, data portability, objection and automated decision-making) under Applicable Data Protection Law.
4. Authorized Persons. ChurnZero shall ensure that all persons authorized to Process Customer Personal Data (including Authorized Subprocessors) are made aware of the confidential nature of Customer Personal Data and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
5. Authorized Subprocessors. To the extent that ChurnZero is a Processor:
5.1. Customer hereby (i) generally authorizes ChurnZero to engage subprocessors in accordance with this Section 4; and (ii) approves the Authorized Subprocessors listed in Schedule 2 to this DPA.
5.2. ChurnZero may remove, replace, or appoint subprocessors by providing Customer at least thirty (30) days prior written notice to the intended engagement of a subprocessor (including the name and location of the relevant subprocessor, and the activities it will perform and a description of the Customer Personal Data it will process). Any such notifications will be sent to Customer’s account administrator’s email address contained in the relevant submission field in Customer’s account. Notwithstanding the above, in an emergency concerning the Subscription Service’s availability or security, ChurnZero is not required to provide prior notification to Customer but shall provide notification within five (5) business days following the change in subprocessor.
5.3. Customer may object to the engagement of a proposed subprocessor in writing to ChurnZero by providing written objection to ChurnZero within fifteen (15) business days of receipt of the notice by ChurnZero referenced in Section 4.2. If the Customer so objects, ChurnZero shall have the right to cure the objection through one of the following options (to be selected at ChurnZero’s sole discretion): (i) cancelling the use of the subprocessor with regard to Customer Personal Data; (ii) taking the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the subprocessor with regard to Customer Personal Data; or (iii) ceasing to provide the particular aspect of the Subscription Service affected. If ChurnZero cannot provide such alternative(s), or if Customer does not agree to any such alternative(s) if provided, ChurnZero and Customer may terminate the Agreement including the DPA with prior written notice as to the affected portion of the Subscription Service. If Customer does not object to a new subprocessor’s engagement within 15 days of notice issuance from ChurnZero, that new subprocessor shall be deemed accepted.
5.4. ChurnZero shall, by way of contract or other legal act, impose on the Authorized Subprocessor the equivalent data protection obligations as set out in this DPA and detailed in the GDPR. The Parties acknowledge and agree that notice periods shall be deemed equivalent regardless of disparate notification periods. If personal data are transferred to an Authorized Subprocessor in a third country, ChurnZero will ensure the transferred data are processed with the same transfer guarantees as agreed with Customer (such as Standard Contractual Clauses). ChurnZero will also perform a case by case assessment if supplementary measures are required in cases of onward transfers to third countries in order to bring the level of protection of the transferred data up to the EU standard of essential equivalence.
5.5. ChurnZero shall be fully liable to Customer where that Authorized Subprocessor fails to fulfil its data protection obligations for the performance of that Authorized Subprocessor’s obligations to the same extent that ChurnZero would itself be liable under this DPA had it conducted such acts or omissions.
6. Security of Personal Data
6.1. Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ChurnZero shall maintain appropriate technical and organizational measures with regard to Customer Personal Data and to ensure a level of security appropriate to the risk, including, but not limited to, the “Security Measures” set out in Schedule 3. Customer acknowledges that the Security Measures are subject to technical progress and development and that ChurnZero may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
6.2. Third-Party Certifications and Audits. ChurnZero will: (i) conduct at least one audit annually; (ii) audits will be performed according to the standards and rules of the regulatory or accreditation body for the applicable control standard or framework; and (iii) audits will be performed by qualified security auditors at ChurnZero’s selection and expense. Each audit will result in the generation of an audit report (“ChurnZero Audit Report”), which ChurnZero will make available to Customer upon request, which will be ChurnZero’s Confidential Information and subject to a separately executed nondisclosure agreement or the Agreement’s confidential information provisions. ChurnZero will promptly remediate issues raised in any ChurnZero Audit Report in accordance with industry best practices. Nothing in this DPA will require ChurnZero to provide Personal Data of other ChurnZero customers or access to any ChurnZero systems or facilities that are not involved in the provision of the Subscription Service.
7. Personal Data Breaches. In the event of a confirmed Personal Data Breach (at ChurnZero or at a subprocessor of ChurnZero), ChurnZero shall, without undue delay, inform Customer of the Personal Data Breach and take such remediation and mitigation steps as ChurnZero deems reasonable and appropriate under the circumstances. In the event of such a Personal Data Breach, ChurnZero shall, taking into account the nature of the Processing and the information available to ChurnZero, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority and/or (ii) Data Subjects affected by such Personal Data Breach without undue delay. The obligations described herein shall not apply if a Personal Data Breach results from the actions or omissions of Customer except where required by Applicable Data Protection Law. ChurnZero’s obligation to report or respond to a Personal Data Breach under this Section will not be construed as an acknowledgement by ChurnZero of any fault or liability with respect to the Personal Data Breach.
8. Transfers of Personal Data
8.1. We will store Customer Personal Data in the service region selected by Customer and will not transfer Customer Personal Data to Other Countries (as defined below), except to the Subprocessors or at Customer’s or a User’s direction, or as required by law. For purposes of this section, “transfer” shall not include (i) any transfer of Customer Personal Data in or through the Subscription Service in accordance with the digital instructions of the Customer or a User, and/or (ii) use of the Subscription Service by a User outside the service region.
8.2. Transfers to Countries that Offer Adequate Level of Data Protection: Customer Personal Data may be transferred from the European Union Member States, the three European Economic Area member countries (Norway, Liechtenstein, and Iceland), (collectively, “EEA”) and the United Kingdom to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant Supervisory Authority of the EEA, the European Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
8.3. Transfers to Other Countries. Any transfer of Customer’s Personal Data made subject to this DPA from member states of the European Union, the European Economic Area (Iceland, Liechtenstein, Norway), Switzerland or the United Kingdom to any countries where the European Commission, the FDPIC or the UK Information Commissioner’s Office has not decided that this third country or more specified sectors within that third country in question ensures an adequate level of protection, shall be undertaken, in particular, through the Standard Contractual Clauses, in connection with which the Parties agree the following: (i) in relation to Customer Personal Data that is protected by the GDPR and where Customer (as the data exporter) and ChurnZero (as a data importer) as set forth in Schedule 4 (the EU SCCs); and (ii) in relation to Customer Personal Data that is originating from the United Kingdom or otherwise protected by the UK GDPR where Customer (as the data exporter) and ChurnZero (as a data importer) as set forth in Schedule 4 (the UK SCCs).
8.4. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
8.5. ChurnZero may adopt a replacement data export mechanism (including any new version of or successor to the Standard Contractual Clauses or alternative mechanisms adopted pursuant to Applicable Data Protection Law) (“Alternative Transfer Mechanism”), so long as the Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which Customer Personal Data is transferred on behalf of the Customer. Customer agrees to execute documents and take other reasonably necessary actions to give legal effect to such Alternative Transfer Mechanism.
9.1. To the extent that the Customer Personal Data is subject to the CCPA/CPRA, we shall not sell or share Customer’s Personal Data. ChurnZero acknowledges that when processing Customer Personal Data in the context of the provision of the Subscription Service, Customer is not selling or sharing Customer Personal Data to ChurnZero. We agree not to retain, use or disclose Customer Personal Data: (i) for any purpose other than the Business Purpose (as defined below); (ii) for no other commercial or Business Purpose; or (iii) outside the direct business relationship between ChurnZero and Customer.
9.2. Notwithstanding the foregoing, we may use, disclose, or retain Customer Personal Data to: (i) transfer the Customer Personal Data to our Affiliates, service providers, third parties and vendors, in order to provide the Subscription Service to Customer; (ii) to comply with, or as allowed by, applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (iv) for internal use by ChurnZero to build or improve the quality of its services and/or for any other purpose permitted under the CCPA/CPRA; (v) to detect data security incidents, or protect against fraudulent or illegal activity; and (vi) collect and analyze anonymous information.
9.3. We shall use commercially reasonable efforts to comply with our obligations under CCPA/CPRA. If we become aware of any material applicable requirement (to us as a service provider) under CCPA/CPRA that we cannot comply with, we shall use commercially reasonable efforts to notify Customer. Upon Customer’s written notice, we shall use commercially reasonable and appropriate steps to stop and remediate our alleged unauthorized use of Customer Personal Data; provided that Customer must explain and demonstrate in the written notice which Processing activity of Customer Personal Data it considers to be unauthorized and the applicable reasons.
9.4. We shall use commercially reasonable efforts to enable Customer to comply with consumer requests made pursuant to CCPA/CPRA. Notwithstanding anything to the contrary, Customer shall be fully and solely responsible for complying with its own requirements under CCPA/CPRA.
9.5. “Business purpose” means the Processing activities that we will perform to provide the Subscription Service (as described in the Agreement), this DPA and any other instruction from Customer, as otherwise permitted by applicable law, including CCPA/CPRA and the applicable regulations, or as otherwise necessary to provide the Subscription Service to Customer.
10. General. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Customer and ChurnZero acknowledge that the other party may disclose the Standard Contractual Clauses, this DPA, and any privacy-related provisions in the Agreement to any Supervisory Authority upon request. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, an Order Form, or any other documentation, with regard to the subject matter of this DPA, this DPA shall prevail to the extent of that conflict. In the event of a change in Applicable Data Protection Law or a determination or order by a Supervisory Authority or competent court affecting this DPA or the lawfulness of any Processing activities under this DPA, ChurnZero may propose amendments to this DPA. Customer will determine if the amendments are reasonably necessary to ensure continued compliance with Applicable Data Protection Law and/or the Instructions herein. In that case Parties will agree to any proposed amendments in writing. The provisions of this DPA are severable. If any phrase, clause or provision or Exhibit (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA or the remainder of the Exhibit, shall remain in full force and effect. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.
SCHEDULE 1 – Details of Processing
A. List of Parties
The individual or entity that has entered into the Primary Agreement with data importer for the provision of the products and services as described in the Primary Agreement and/or applicable order form.
Activities relevant to the data transferred under these Clauses: Uploading, transmitting, and otherwise processing the data through products or services of processor.
Role (controller/processor): Controller
Name: ChurnZero, Inc.
Address: 717 D Street, NW, 2nd Floor, Washington, DC 20004
Contact: Data Protection Officer, firstname.lastname@example.org, +1-202-780-9601
Activities relevant to the data transferred under these Clauses: …
Role (controller/processor): Processor
B. Description of Transfer
Categories of data subjects whose personal data is transferred
You may submit Personal Data while using the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- Your Contacts
- Other end users including your employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.
- Other individuals attempting to communicate with or transfer Personal Data to your end users.
Categories of personal data transferred
You may submit Personal Data to the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Contact Information (as defined in the Master Terms).
- Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards
The parties do not anticipate the transfer of sensitive data.
Frequency of the transfer
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Services provided to you; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further processing
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Services.
Period for which Personal Data will be retained
Subject to this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
C. Competent Supervisory Authority
For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is stated in Schedule 4, Section (i)(e), except to the extent the supervisory authority of the EU Member State in which the Data Subjects are predominantly located applies. In relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
SCHEDULE 2 – Subprocessors
A list of Authorized Subprocessors may be found at https://compliance.churnzero.com/.
SCHEDULE 3 – Security Measures
A detailed description of the Security Measures may be found in our Information Security Addendum available at https://churnzero.com/information-security-policy/.
SCHEDULE 4 – STANDARD CONTRACTUAL CLAUSES
(i) EU SCCs. In furtherance of Section 8.3(i) to this DPA, the Parties hereby agree to execute the EU SCCs as follows:
a. The Standard Contractual Clauses (Controller-to-Processor and/or Processor to Processor), as applicable, will apply, with respect to restricted transfers between Customer and ChurnZero that are subject to the GDPR.
b. The Parties agree that for the purpose of transfer of Customer Personal Data between Customer (as Data Exporter) and ChurnZero (as Data Importer), the following shall apply: (1) Clause 7 of the Standard Contractual Clauses shall be applicable; (2) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA shall apply; (3) Clause 11 of the Standard Contractual Clauses shall not be applicable; (4) In Clause 13: the relevant option applicable to the Customer, as informed by Customer to ChurnZero; (5) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (6) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
c. Annex I.A: With respect to Module Two: (1) Data Exporter is Customer as a data controller and (2) the Data Importer is ChurnZero as a data processor. With respect to Module Three: (A) Data Exporter is Customer as a data processor and (B) the Data Importer is ChurnZero as a data processor (subprocessor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d. Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e. Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Ireland supervisory authority.
f. Annex II of the Standard Contractual Clauses shall be completed as follows:
We are committed to supporting industry-leading security practices to ensure our customers’ information is kept safe. ChurnZero has based our security management practices on the ISO 270001 standard for information as further described at https://compliance.churnzero.com.
g. Annex III of the Standard Contractual Clauses shall be completed with the authorized subprocessors detailed in Schedule 2 (Sub-Processor List) of this DPA.
(ii) UK SCCs. In furtherance of Section 8.3(ii) to this DPA, the Parties hereby agree to execute the UK SCCs as follows:
a. The UK Standard Contractual Clauses (Controller-to-Processor and Processor to Processor), as applicable, will apply with respect to restricted transfers between Customer and ChurnZero that are subject to the UK GDPR.
b. The Parties agree that for the purpose of transfer of Customer Personal Data between Customer (as Data Exporter) and ChurnZero (as Data Importer), the following shall apply: (1) Clause 7 of the Standard Contractual Clauses shall be applicable; (2) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA shall apply; (3) Clause 11 of the Standard Contractual Clauses shall not be applicable; (4) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of England and Wales; and (5) In Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts, as their choice of forum and jurisdiction. Which Parties may end this Addendum as set out in Section 19: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
c. Annex I.A: With respect to Module Two: Data Exporter is Customer as a data controller and the Data Importer is ChurnZero as a data processor. With respect to Module Three: Data Exporter is Customer as a data processor and the Data Importer is ChurnZero as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these UK Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d. Annex I.B of the UK Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e. Annex I.C of the UK Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the ICO supervisory authority.
f. Annex II of the UK Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g. Annex III of the UK Standard Contractual Clauses shall be completed with the Authorized Subprocessors detailed in Schedule 2 (Subprocessor list) of this DPA.