EFFECTIVE DATE: September 7, 2022
This Data Processing Addendum, including its annexes, exhibits, or appendices (“Addendum”) forms part of the Subscription Service Terms or any other agreement about the delivery of the contracted services (the “Agreement”) between ChurnZero, Inc. (“ChurnZero”) and the Customer named in such Agreement or identified below to reflect the parties’ agreement about the Processing of Customer Personal Data (as those terms are defined below).
In the event of a conflict between the terms and conditions of this Addendum, or the Agreement, an Order, or any other documentation, the terms and conditions of this Addendum shall prevail with respect to the subject matter of Processing of Customer Personal Data.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
1.1. “Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party. For purposes of this Addendum, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.
1.2. “Anonymized Data” means, having regard to the guidance published by the European Data Protection Board, Personal Data which does not relate to an identified or identifiable natural person or rendered anonymous in such a manner that the data subject is not or no longer identifiable.
1.3. “Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons, in particular the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR“), the Swiss Federal Data Protection Act (“Swiss DPA“), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein, and the California Consumer Privacy Act (“CCPA”) of 2018, the Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law (“LGPD”), the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member national implementing the Directive.
1.4. “Authorized Subprocessor” means a subprocessor engaged by ChurnZero to Process Customer Personal Data on behalf of the Customer per the Customer’s Instructions under the terms of the Agreement and this Addendum. Authorized Subprocessors may include ChurnZero Affiliates but shall exclude ChurnZero employees, contractors, and consultants.
1.5. “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data.
1.6. “Customer Personal Data” means the Personal Data, including but not limited to: (a) all text, sound, video, or image files that are part of profile and User information and/or exchanged between Users (including guest users participating in Customer-hosted meetings and webinars) and with ChurnZero via the Services; (b) name, screen name and email address; (c) Support Data (as defined in Annex I to the Standard Contractual Clauses); (d) Websites data (including cookies); and (e) data from applications (including browsers) installed on User devices, Services generated server logs (with for example meeting metadata and User settings) and ChurnZero internal security logs, that are generated by, or provided to, ChurnZero by, or on behalf of, Customer through use of the Services as further defined in Annex I of the Standard Contractual Clauses.
1.7. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.8. “Legitimate Business Purposes” means the exhaustive list of specific purposes for which ChurnZero is allowed to process Personal Data as Controller as specified in Section 2.4.
1.9. “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This includes any special categories of Personal Data defined in Art. 9 of the GDPR, data relating to criminal convictions and offences, or related security measures defined in Art. 10 of the GDPR and national security numbers defined in Art. 87 of the GDPR and national supplementing law.
1.10. “Processor” means the entity that processes Personal Data on behalf of the Controller.
1.11. “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by ChurnZero or ChurnZero’s Authorized Subprocessor.
1.12. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt: this includes processing of personal data to disclose, aggregate, pseudonymize, de-identify or anonymize Personal Data, and to combine personal data with other personal data, or to derive any data or information from such Personal Data.
1.13. “Services” means the Services as set forth in the Agreement or associated ChurnZero order form.
1.14. “Standard Contractual Clauses” means: (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”)(the “Swiss SCCs“). A current version of the Standard Contractual Clauses can be found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.
1.15. “Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Law, including the Processing of Personal Data covered by this Addendum.
1.16. “UK Addendum” means the addendum in Annex 4.
2. Processing of Personal Data: Roles, Scope and Responsibility
2.1. The Parties acknowledge and agree to the following: (a) Customer is the Controller of Customer Personal Data; (b) ChurnZero is the Processor of Customer Personal Data, except where ChurnZero or a ChurnZero Affiliate act as a Controller processing Customer Personal Data in accordance with the exhaustive list of Legitimate Business Purposes in Section 2.4.
2.2. Only to the extent necessary and proportionate, Customer as Controller instructs ChurnZero to perform the following activities as Processor on behalf of Customer: (a) provide and update the Services as licensed, configured, and used by Customer and its Users, including through Customer’s use of ChurnZero settings, administrator controls or other Services functionality; (b) secure and real-time monitor the Services; (c) resolve issues, bugs, and errors; (d) provide Customer requested support, including applying knowledge gained from individual customer support requests to benefit all ChurnZero customers but only to the extent such knowledge is anonymized; and (e) process Customer Personal Data as set out in the Agreement and Annex I to the Standard Contractual Clauses (subject matter, nature, purpose, and duration of Personal Data Processing in the controller to processor capacity and any other documented instruction provided by Customer and acknowledged by ChurnZero as constituting instructions for purposes of this Addendum (collectively, the “Instructions”).
2.3. ChurnZero shall immediately notify the Customer, if, in ChurnZero’s opinion, an Instruction of the Customer infringes Applicable Data Protection Law and request that Customer withdraw, amend, or confirm the relevant Instruction. Pending the decision on the withdrawal, amendment, or confirmation of the relevant Instruction, ChurnZero shall be entitled to suspend the implementation of the relevant Instruction.
2.4. ChurnZero may Process some Customer Personal Data for its own Legitimate Business Purposes, as an independent Controller, solely when the Processing is strictly necessary and proportionate, and if the Processing is for one of the following exhaustive list of purposes: (a) directly identifiable data (name, screen name, profile picture and email address and all Customer Personal Data directly connected to such directly identifiable data) may be Processed for: (i) billing, account, and Customer relationship management (marketing communication with procurement/sales officials), and related Customer correspondence (mailings about for example necessary updates); (ii) complying with and resolving legal obligations, including responding to Data Subject Requests for Personal Data processed by ChurnZero as data Controller (for example Websites data), tax requirements, agreements and disputes; (iii) abuse detection prevention and protection (such as automatic scanning for matches with identifiers of known Child Sexual Abuse Material (“CSAM”), virus scanning and scanning to detect violations of terms of service (such as copyright infringement, SPAM, and actions not permitted under ChurnZero’s User Terms (also known as an acceptable use policy); (b) pseudonymized and/or aggregated data (ChurnZero will pseudonymize and/or aggregate as much as possible and pseudonymized and/or aggregated data will not be processed on a per-Customer level); for: (i) improving and optimizing the performance and core functionalities of accessibility, privacy, security, and the IT infrastructure efficiency of the Services and Websites; (ii) internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy); (iii) receiving and using Feedback for ChurnZero’s overall service improvement; and (iv) when acting as an independent Controller, ChurnZero will not process Customer Personal Data for any purposes other than the above list of Legitimate Business Purposes.
2.5. Regardless of its role as Processor or Controller, ChurnZero shall process all Customer Personal Data in compliance with Applicable Data Protection Laws, the “Security Measures” referenced in Section 6 of this Addendum and Annex I to the Standard Contractual Clauses. ChurnZero will follow European Data Protection Board guidance on completing a data transfer impact assessment (“DTIA”) and maintain an up-to-date DTIA applicable to the Services.
2.6. Customer shall ensure that its Instructions to ChurnZero comply with all laws, rules, and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Instructions will not cause ChurnZero to be in breach of Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to ChurnZero by or on behalf of Customer; (ii) how Customer acquired any such Customer Personal Data; and (iii) the Instructions it provides to ChurnZero regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to ChurnZero any Customer Personal Data in violation of the Agreement or this Addendum, or otherwise in violation of ChurnZero’s Subscription Service Terms (currently published at https://churnzero.com/subscription-service-terms/, as updated from time to time) and shall indemnify ChurnZero from all claims and losses in connection therewith.
2.7. Following the completion of the Services, at Customer’s choice, to the extent that ChurnZero is a Processor, ChurnZero shall either enable Customer to delete some of Customer’s Personal Data (for example an User’s personal data) or all of Customer’s Personal Data, shall return to Customer the specified Customer Personal Data, or shall delete the specified Customer Personal Data, and delete any existing copies in compliance with its data retention and deletion policy. If return or destruction is impracticable or incidentally prohibited by a valid legal order law, ChurnZero shall take measures to inform the Customer and block such Customer Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by applicable law) and shall continue to appropriately protect the Customer Personal Data remaining in its possession, custody, or control and, where any Authorized Subprocessor continues to possess Customer Personal Data, require the Authorized Subprocessor to take the same measures that would be required of ChurnZero.
3. Privacy by design and by default. ChurnZero will comply with the privacy by design and data minimization principles from the GDPR, and ChurnZero agrees to minimize Processing to the extent necessary to meet its obligations and rights under the Agreement. This includes minimization of data retention periods and offering end to end encryption when technically feasible.
4. Authorized Persons. ChurnZero shall ensure that all persons authorized to Process Customer Personal Data and Customer Content are made aware of the confidential nature of Customer Personal Data and Customer Content and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
5. Authorized Subprocessors. To the extent that ChurnZero is a Processor:
5.1. The Customer hereby generally authorizes ChurnZero to engage subprocessors in accordance with this Section 5.
5.2. Customer approves the Authorized Subprocessors listed in Annex 3 to this Addendum.
5.3. ChurnZero may remove, replace, or appoint suitable and reliable further subprocessors in accordance with this Section 5.3: (a) ChurnZero shall at least thirty (30) days before the new subprocessor starts processing any Customer Personal Data notify Customer of the intended engagement (including the name and location of the relevant subprocessor, and the activities it will perform and a description of the Personal Data it will process). To enable such notifications, Customer shall enter the email address to which ChurnZero shall send such notifications into the relevant submission field in Customer’s account; (b) in an emergency concerning Services availability or security, ChurnZero is not required to provide prior notification to Customer but shall provide notification within seven (7) business days following the change in subprocessor. In either case, the Customer may object to such an engagement in writing within fifteen (15) business of receipt of the aforementioned notice by ChurnZero.
5.4. If the Customer objects to the engagement of a new subprocessor, ChurnZero shall have the right to cure the objection through one of the following options (to be selected at ChurnZero’s sole discretion): (a) ChurnZero cancels its plans to use the subprocessor with regard to Customer Personal Data; (b) ChurnZero will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the subprocessor with regard to Customer Personal Data; (c) ChurnZero may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such subprocessor with regard to Customer Personal Data. ChurnZero provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If ChurnZero, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, ChurnZero and Customer may terminate the Agreement including the Addendum with prior written notice. Termination shall not relieve Customer of any fees or charges owed to ChurnZero for Services provided up to the effective date of the termination under the Agreement. If Customer does not object to a new subprocessor’s engagement within 15 days of notice issuance from ChurnZero, that new subprocessor shall be deemed accepted.
5.5. ChurnZero shall ensure that Authorized Subprocessors have executed confidentiality agreements that prevent them from unauthorized Processing of Customer Personal Data and Customer Content both during and after their engagement by ChurnZero.
5.6. ChurnZero shall, by way of contract or other legal act, impose on the Authorized Subprocessor the equivalent data protection obligations as set out in this Addendum and detailed in the GDPR. The Parties acknowledge and agree that notice periods shall be deemed equivalent regardless of disparate notification periods. If personal data are transferred to an Authorized Subprocessor in a third country, ChurnZero will ensure the transferred data are processed with the same GDPR transfer guarantees as agreed with Customer (such as Standard Contractual Clauses). ChurnZero will also perform a case by case assessment if supplementary measures are required in cases of onward transfers to third countries in order to bring the level of protection of the transferred data up to the EU standard of essential equivalence.
5.7. ChurnZero shall be fully liable to Customer where that Authorized Subprocessor fails to fulfil its data protection obligations for the performance of that Authorized Subprocessor’s obligations to the same extent that ChurnZero would itself be liable under this Addendum had it conducted such acts or omissions.
6. Security of Personal Data
6.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ChurnZero shall maintain appropriate technical and organizational measures with regard to Customer Personal Data and to ensure a level of security appropriate to the risk, including, but not limited to, the “Security Measures” set out in Annex II to the Standard Contractual Clauses (attached here as Annex 2).
6.2. Customer acknowledges that the Security Measures are subject to technical progress and development and that ChurnZero may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
7. International Transfers of Personal Data
7.1. Customer acknowledges and agrees that ChurnZero may transfer and process Customer Personal Data to and in the United States and the United Kingdom of Great Britain and Ireland. ChurnZero may transfer Customer Personal Data to third countries (including those outside of the EEA without an adequacy statement from the European Commission) to Affiliates, its professional advisors or its Authorized Subprocessors when a User knowingly connects to data processing operations supporting the Services from such locations (such as when the User travels outside of the territory of the EU). ChurnZero shall ensure that such transfers are made in compliance with Applicable Data Protection Law and this Addendum.
7.2. Any transfer of Customer’s Personal Data made subject to this Addendum from member states of the European Union, the European Economic Area (Iceland, Liechtenstein, Norway), Switzerland or the United Kingdom to any countries where the European Commission, the FDIPC or the UK Information Commissioner’s Office has not decided that this third country or more specified sectors within that third country in question ensures an adequate level of protection, shall be undertaken, in particular, through the Standard Contractual Clauses, in connection with which the Parties agree the following:
(a) EU SCCs (Controller to Controller Transfers). In relation to Personal Data that is protected by the GDPR and processed in accordance with Section 2.4 of this Addendum, the EU SCCs shall apply, completed as follows: (i) Module One will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Section C of Annex 1 to this Addendum; (v) in Clause 18(b), disputes shall be resolved in accordance with Section C of Annex 1 to this Addendum; (vi) Annex I of the New EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum; and (vii) subject to Section 6.2 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Addendum;
(b) EU SCCs (Controller to Processor/Processor to Processor Transfers). In relation to Personal Data that is protected by the EU GDPR and processed in accordance with Sections 2.2 of this Addendum, the EU SCCs shall apply, completed as follows: (i) Module Two or Module Three will apply (as applicable); (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.3 of this Addendum; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Section C of Annex 1 to this Addendum; (v) in Clause 18(b), disputes shall be resolved in accordance with Section C of Annex 1 to this Addendum; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum; and (viii) subject to Section 6.2 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Addendum.
(c) Transfers from the UK. In relation to Personal Data that is originating from the United Kingdom or otherwise protected by the UK GDPR, the EU SCCs will apply in accordance with the UK Addendum, attached hereto as Annex 4, and with the following modifications: (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR; (ii) references to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales; (iii) Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales” (iv) Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”.
(d) Transfers from Switzerland. In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply in accordance with Sections 7.3(a)-(b), with the following modifications: (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDIPC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCS shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Annex 1 and Annex 2.
7.3. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum) the Standard Contractual Clauses shall prevail to the extent of such conflict.
7.4. ChurnZero may adopt a replacement data export mechanism (including any new version of or successor to the Standard Contractual Clauses or alternative mechanisms adopted pursuant to Applicable Data Protection Law) (“Alternative Transfer Mechanism”), so long as the Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which Customer Personal Data is transferred on behalf of the Customer. Customer agrees to execute documents and take other reasonably necessary actions to give legal effect to such Alternative Transfer Mechanism.
8. Rights of Data Subjects. To the extent that ChurnZero is a Processor:
8.1. ChurnZero shall promptly notify Customer upon receipt of a request by a Data Subject to exercise Data Subject rights under Applicable Data Protection Law. ChurnZero will advise the Data Subject to submit his or her request to Customer, and Customer will be responsible for responding to such request.
8.2. ChurnZero shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights (regarding information, access, rectification and erasure, restriction of Processing, notification, data portability, objection and automated decision-making) under Applicable Data Protection Law.
9. Disclosure of Personal Data
9.1. ChurnZero will not disclose or provide access to any Customer Personal Data except: (a) as Customer directs; (b) as described in this Addendum; or (c) as required by law.
9.2. If a court, law enforcement authority or intelligence agency contacts ChurnZero with a demand for Customer Personal Data, ChurnZero will first assess if it is a legitimate order consistent with ChurnZero’s internal processes and applicable law. If so, ChurnZero will attempt to redirect this third party to request those data directly from Customer. If compelled to disclose or provide access to any Customer Personal Data to law enforcement, ChurnZero will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so, for example, through a so-called “gag order”. If ChurnZero is prohibited by law from fulfilling its obligations under Section 9.2, ChurnZero shall represent the reasonable interests of the Controller. This is in all cases understood to mean:
(a) ChurnZero shall document a legal assessment of the extent to which: (i) ChurnZero is legally obliged to comply with the request or order; and (ii) ChurnZero is effectively prohibited from complying with its obligations in respect of the Controller under this Addendum.
(b) ChurnZero shall only cooperate with the US issued request or order if legally obliged to do so and, where possible, ChurnZero shall judicially object to the request or order or the prohibition to inform the Controller about this or to follow the instructions of the Controller.
(c) ChurnZero shall not provide more Customer Personal Data than is strictly necessary for complying with the request or order.
(d) If ChurnZero becomes aware of a situation where it has reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by ChurnZero, its Affiliates and Authorized Subprocessors, including any requirements to disclose personal data or measures authorizing access by public authorities, will prevent ChurnZero from fulfilling its obligations under this Addendum, ChurnZero will inform Customer without undue delay after ChurnZero becomes aware of such a situation.
10. Compliance Auditing
10.1. ChurnZero will: (a) conduct at least one audit annually; (b) audits will be performed according to the standards and rules of the regulatory or accreditation body for the applicable control standard or framework; and (c) audits will be performed by qualified security auditors at ChurnZero’s selection and expense.
10.2. Each audit will result in the generation of an audit report (“ChurnZero Audit Report”), which ChurnZero will make available to Customer upon request, which will be ChurnZero’s Confidential Information and subject to a separately executed nondisclosure agreement or the Agreement’s confidential information provisions. ChurnZero will promptly remediate issues raised in any ChurnZero Audit Report in accordance with industry best practices.
10.3. Nothing in this Addendum will require ChurnZero to provide Personal Data of other ChurnZero customers or access to any ChurnZero systems or facilities that are not involved in the provision of the contracted Services.
11. Cooperation. ChurnZero shall provide the Controller with all required assistance and cooperation in enforcing the obligations of the Parties under Applicable Data Protection Law. To the extent that such assistance relates to the Processing of Customer Personal Data for the purpose of the performance of the Agreement, the Processor shall in any event provide the Controller with such assistance relating to: (a) the security of Customer Personal Data; (b) performing checks and audits; (c) performing Data Protection Impact Assessments (“DPIA”); (d) prior consultation with the Supervisory Authority; (e) responding to requests from the Supervisory Authority or another government body; (f) responding to requests from Data Subjects; and (g) reporting Customer Personal Data Breaches.
12. Security incidents and data breaches
12.1. In the event of a confirmed Personal Data Breach (at ChurnZero or at a subprocessor of ChurnZero), ChurnZero shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as ChurnZero in its sole discretion deems necessary and reasonable to remediate such violation. In the event of such a Personal Data Breach, ChurnZero shall, taking into account the nature of the Processing and the information available to ChurnZero, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority and/or (ii) Data Subjects affected by such Personal Data Breach without undue delay.
12.2. In the event of a large scale, as determined by ChurnZero, confirmed Personal Data Breach (with ChurnZero or an Authorized Subprocessor of ChurnZero), Customer allows ChurnZero to independently alert and consult the relevant Supervisory Authorities in order to better inform Customer what steps the Supervisory expect.
12.3. The obligations described in Sections 12.1 and 12.2 shall not apply if a Personal Data Breach results from the actions or omissions of Customer, except where required by Applicable Data Protection Law. ChurnZero’s obligation to report or respond to a Personal Data Breach under Sections 12.1 and 12.2 will not be construed as an acknowledgement by ChurnZero of any fault or liability with respect to the Personal Data Breach.
13.1. This Addendum may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
13.2. Customer and ChurnZero acknowledge that the other party may disclose the Standard Contractual Clauses, this Addendum, and any privacy-related provisions in the Agreement to any Supervisory Authority upon request.
13.3. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, an Order Form, or any other documentation, with regard to the subject matter of this Addendum, this Addendum shall prevail to the extent of that conflict.
13.4. In the event of a change in Applicable Data Protection Law or a determination or order by a Supervisory Authority or competent court affecting this Addendum or the lawfulness of any Processing activities under this Addendum, ChurnZero may propose amendments to this Addendum. Customer will determine if the amendments are reasonably necessary to ensure continued compliance with Applicable Data Protection Law and/or the Processing instructions herein. In that case Parties will agree the proposed amendments in writing.
13.5. The provisions of this Addendum are severable. If any phrase, clause or provision or Exhibit (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Addendum or the remainder of the Exhibit, shall remain in full force and effect.
13.6. This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.
ANNEX 1 – Details of Processing
A. List of Parties
The individual or entity that has entered into the Primary Agreement with data importer for the provision of the products and services as described in the Primary Agreement and/or applicable order form.
Activities relevant to the data transferred under these Clauses: Uploading, transmiting, and otherwise processing the data through products or services of processor.
Role (controller/processor): Controller
Name: ChurnZero, Inc.
Address: 1100 15th Street, NW, Floor 4, Washington, DC 20005
Contact: Data Protection Officer, firstname.lastname@example.org, +1-202-780-9601
Activities relevant to the data transferred under these Clauses: …
Role (controller/processor): Processor
B. Description of Transfer
Categories of data subjects whose personal data is transferred
You may submit Personal Data while using the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- Your Contacts
- Other end users including your employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.
- Other individuals attempting to communicate with or transfer Personal Data to your end users.
Categories of personal data transferred
You may submit Personal Data to the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Contact Information (as defined in the Master Terms).
- Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards
The parties do not anticipate the transfer of sensitive data.
Frequency of the transfer
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Services provided to you; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further processing
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Services.
Period for which Personal Data will be retained
Subject to this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
C. Competent Supervisory Authority
For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either (i) where Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer’s compliance with the GDPR; (ii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Customer’s representative is established; or (iii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. In relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
ANNEX 2 – Security Measures
See Section 6 of the DPA and https://churnzero.com/security/.
ANNEX 3 – Subprocessors
|Entity Name||Entity Type/Purpose||Entity Country|
|Amazon Web Services||Provides instances of the ChurnZero application||USA, Ireland (depending on where Customer decides to host its ChurnZero data)|
|Datadog||Server / Platform monitoring as well as log ingestion||USA|
|Loggly||Provides centralized Logging||USA|
|SendGrid||Provides SMTP services||USA|
ANNEX 4 – UK Addendum
International Data Transfer Addendum to the EU SCCs
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Table 1: Parties
|Start date||The Effective Date as set out in the DPA|
|The Parties||Exporter (who sends the Restricted Transfer)||Importer (who receives the Restricted Transfer)|
|Parties’ details||As set out at the top of the Addendum and Annex 1||As set out at the top of the Addendum and Annex 1|
Table 2: Selected SCCs, Modules and Selected Clauses
|Addendum EU SCCs||Means the EU SCCs as defined in the Addendum|
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
|Annex 1A: List of Parties:||As set out at the top of the Addendum and Annex 1|
|Annex 1B: Description of Transfer:||Annex 1 of the Addendum|
|Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:||Annex 2 of the Addendum|
|Annex III: List of Sub processors (Modules 2 and 3 only):||Annex 3 of the Addendum|
Table 4: Ending this Addendum when the Approved Addendum Changes
|Ending this Addendum when the Approved Addendum changes||Which Parties may end this Addendum as set out in Section 19: |
Part 2: Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0, in force 21 March 2022, issued by the ICO, as it is revised under Section 18 of those Mandatory Clauses, are hereby incorporated.