
Data Processing Addendum

Effective Date: June 1, 2022


Addendum to Main Agreement between:

  • “Company”, the legal entity that executes one or more Order Forms and/or Statements of Work in connection with providing Services to Client; and
  • “Client”, the legal entity that executes one or more Order Forms and/or Statements of Work in connection with receiving Services from Company. Client and Company may be referred to individually as a “Party” and collectively as the “Parties”.

    WHEREAS

  • Client and Company have entered into an agreement, which is made up of executed Order Forms and Statements of Work, including all exhibits and attachments referenced in such Order Forms and Statements of Work, including but not limited to the Company Terms of Use, under which Client has engaged Company to provide Services and related services (collectively, the “Services”) (collectively, all executed Order Forms and Statements of Work, including all exhibits and attachments shall be referred to as the “Main Agreement”), which include Processing Personal Data received from Client (“Client Personal Data”) for the purpose[s] set forth in the Main Agreement and Exhibit A to this Addendum;
  • Under applicable data protection laws and regulations, including but not limited to the European Union (“EU”) General Data Protection Regulation 2016/679 and the legislation implementing the GDPR into law in the United Kingdom (“UK”), including the Data Protection Act 2018 as amended (“GDPR”) and the California Consumer Privacy Act, as amended (“CCPA”), certain data protection and privacy obligations either must or should be addressed in contracts between companies and their service providers (“Applicable Law”);
  • To help ensure compliance with legal developments relating to lawful mechanisms for cross-border data transfers, Company is incorporating certain standard contractual clauses into its data processing contracts; and
  • To meet their respective obligations to each other under applicable data protection and privacy laws, the Parties are entering into this Data Protection Addendum to the Main Agreement (“Addendum”).

Therefore, the Parties agree as follows:

  1. Amendment to Main Agreement/Order of Precedence. This Addendum is an amendment to, not in substitution of, the Main Agreement. All provisions set forth in the Main Agreement will remain in full force and effect as long as they do not conflict with this Addendum. To the extent that any terms set forth in this Addendum conflict with any other agreement, including but not limited to the Main Agreement or any prior-entered Data Processing/Protection Agreement/Addendum, the terms of this Addendum shall take precedence over any conflicting terms in any other agreement, unless the Parties explicitly agree otherwise in writing.
  2. Effective Period. This Addendum will be effective beginning on the date of signing by the Parties, and will remain effective for as long as the Main Agreement is in effect and Company and any Sub-Processor to which Company has disclosed any Client Personal Data retains any Client Personal Data. Additionally, as further addressed in the Survival provision in this Addendum, certain provisions of this Addendum will remain in effect even after the Main Agreement is no longer in effect.
  3. Definitions.
    1. For purposes of this Addendum, the following terms will have the following meanings:
      1. Client: The legal entity that contracts to receive Services from Company by entering into the Main Agreement.
      2. Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
      3. Data Subject: An identified or identifiable natural person whose Personal Data is being Processed. The term “Data Subject” includes “consumers”, as that term is defined under the CCPA.
      4. Personal Data: Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal Data includes “personal information”, as that term is defined under the CCPA. Under the CCPA, personal information broadly includes any information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household.
      5. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
      6. Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
      7. Processor: A natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
      8. Restricted Transfer: A transfer of Personal Data to a country other than the country of origin which is not subject to an adequacy determination by the authorities competent for the country of origin.
      9. Standard Contractual Clauses (EU/EEA): The standard contractual clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection, namely the Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91.
      10. Standard Contractual Clauses (UK IDTA): The Standard Contractual Clauses (EU/EEA) as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (“UK IDTA”), as amended or replaced from time to time, pursuant to Article 46 of the GDPR.
      11. Sub-Processor: A Sub-Processor retained by a Processor to assist with Processing activities.
    2. Any capitalized data protection terms used but not defined in this Addendum will have the meaning ascribed to them by applicable data protection law.
  4. Personal Data Protection and Privacy.
    1. General Data Protection and Privacy Obligations.
      1. Legal Obligations. In connection with fulfilling their respective obligations under the Main Agreement (the “Services”), Company and Client agree to comply with all applicable provisions of the GDPR, the CCPA, and the Swiss data protection law, and also with all applicable provisions of all other applicable data protection laws and regulations. The Parties will not, under any circumstances, provide less protection to Personal Data than is required by all Applicable Laws.
      2. Details of Processing. Pursuant to Article 28 of the GDPR, the details of the processing including the subject matter and duration of Processing, nature and purpose of Processing, categories of Data Subjects, and categories of Personal Data are incorporated into this Addendum and attached hereto as Exhibit A to this Addendum.
    2. Client’s Obligations and Authorization.
      1. Controller Responsibilities. Client is the Controller of all Personal Data provided to Company, and Company is the Processor of such Personal Data. Client is and shall remain responsible for compliance with all requirements imposed on Controllers, including but not limited to (a) confirming the lawful basis for all processing activities conducted by Company on Client’s behalf; and (b) obtaining consent from data subjects, where required.
      2. Data Minimization. Client agrees to limit any Personal Data it transfers to Company, or to which Company is otherwise given access for processing, to only the Personal Data needed by Company to fulfill its obligations under the Main Agreement and this Addendum.
      3. Authorization to Process and Transfer. Client authorizes Company to collect and process the Personal Data needed to perform the Services for which Client is contracting with Company in the Main Agreement. Where required, Client authorizes the transfer, processing and storage of Personal Data outside the UK and/or European Economic Area (EEA) in order to fulfill the purpose of the Services.
      4. Authorization to Engage Sub-Processors. Client agrees that Company may engage third-party Sub-Processors to Process Personal Data on Company’s behalf to fulfill the purpose of the Services. Client authorizes Company to engage all Sub-Processors appearing on Company’s Sub-Processor List link: https://www.wildapricot.com/subprocessors as of the Effective Date of the Main Agreement (“Sub-Processor List”). Client agrees that Personify may inform Client of its intent to engage new Sub-Processors. Client further agrees that Personify may engage such new Sub-Processors unless Client chooses to exercise its right to object to any such new Sub-Processors by providing Personify with a written notice of Client’s objection. Such notice should include an explanation of the grounds for objecting to the use of such new Sub-Processor so Personify has an opportunity to re-evaluate any such new Sub-Processor based on Client’s asserted concerns. In the event that Client objects to such Sub-Processor and Personify is unable to address Client’s concerns in a manner acceptable to Client, Client may terminate the affected Services in accordance with the procedure for termination set forth in the Main Agreement.
    3. Personify’s Personal Data Obligations and Restrictions.
      1. Processing Restrictions. Personify will process Personal Data on Client’s behalf only for the limited and specified purposes set forth in the Main Agreement, the Exhibits and Appendices to this Addendum, and/or as set forth in any other written instructions received from Client. Personify will promptly inform Client if, in Personify’s opinion, an instruction from Client violates the GDPR or other Member State data protection provisions.
      2. Access Limitations and Confidentiality Obligations. Personify will limit access to Personal Data to only those individuals with a need to know and have access to such Personal Data for purposes of fulfilling the Main Agreement and complying with Applicable Laws. Personify will take reasonable steps to ensure the reliability of all such individuals, and will impose confidentiality obligations upon any employee, agent, or Sub-Processors that is authorized to access or otherwise Process Personal Data.
      3. Notification Obligations. After becoming aware of any Personal Data Breach involving Personal Data received from Client or collected on Client’s behalf, Personify will notify Client without undue delay.
      4. Data Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Personify has implemented and shall maintain appropriate technical and organizational security measures to help ensure a level of security that is appropriate in light of the risks presented by the processing, in particular risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed in accordance with Article 32 of the GDPR.
      5. Restrictions on Engaging Sub-Processors. Personify will abide by the requirements set forth in the GDPR for the appointment of Sub-Processors, including entering into written agreements with each Sub-Processor that contain reasonable provisions relating to the implementation of appropriate technical and organizational measures in compliance with the GDPR. Personify has provided Client with a list of its current Sub-Processors, and Client has provided Personify with general authorization to engage such Sub-Processors. Personify will provide Client with advance notice of any intended changes to the Sub-Processor List that involve the addition or replacement of any Sub-Processors. If Client reasonably objects to any new Sub-Processor in accordance with any instructions set forth in such notice, Personify will seek to address Client’s concerns with such Sub-Processor. If Personify is unable to address Client’s concerns in a manner acceptable to Client and Client continues to object to such Sub-Processor, Personify agrees that Client may terminate the affected Services in accordance with the procedure for termination set forth in the Main Agreement. If any Personify Sub-Processor fails to fulfill its data protection obligations, Personify will remain liable to Client for the performance of such Sub-Processor’s obligations in connection with providing Services under the Main Agreement.
      6. Responding to Data Subject Requests.
        1. Taking into account the nature of the Processing, Personify will implement appropriate technical and organizational measures to assist Client in responding to Data Subject requests to exercise their Data Subject rights with respect to Personal Data being Processed by Personify.
        2. The Parties agree that Client (as the Controller) has the obligation to respond to Data Subject requests in compliance with the GDPR (i.e., in an appropriate and timely fashion). If Client wishes and directs Personify to respond to a Data Subject request, Client agrees to provide such direction within three (3) business days after receiving the Data Subject request.
      7. Obligations in Event of Personal Data Breach. Should either Party become aware of any Personal Data Breach involving Personal Data received from Client or collected on Client’s behalf, that Party will notify the other Party without undue delay.
      8. Assistance with Client’s GDPR Obligations. Upon Client’s written request, Personify will assist Client in complying with its GDPR obligations, including the security of processing, notification of a Personal Data Breach, data protection impact assessments, and prior consultations.
      9. Verification of Processor’s Compliance. Upon Client’s written request, Personify will provide Client with information needed to demonstrate compliance with the obligations of Article 28 of the GDPR, and will permit and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client. Personify reserves the right to charge reasonable fees for any excessive amount of the time that may be required to participate in audits and inspections required by the Client.
      10. Disposition or Return of Personal Data. Unless Client has provided a written request to return Client Personal Data, Personify will (and will take steps to help ensure that any and all Sub-Processors will) delete all copies of Personal Data after the end of the provision of Services unless law requires storage of Personal Data.
    4. Cross Border Data Transfers.
      1. Necessary Transfers. To provide the Services outlined in the Main Agreement, it may be necessary for Client to transfer Personal Data from the EU, UK and/or Switzerland to Personify in the United States and/or for Personify to transfer Personal Data to locations that have not been deemed by the European Commission to provide an adequate level of data protection (collectively, “Necessary Transfers”).
      2. Transfer Authorization. Client hereby authorizes Personify to make Necessary Transfers of Personal Data. This Addendum constitutes Client’s written authorization of such Necessary Transfers.
      3. Adequate Safeguards. To provide adequate safeguards for Necessary Transfers of Personal Data, the Parties agree to rely on the lawful transfer mechanisms.
      4. EU GDPR Transfers. With respect to Restricted Transfers from the EEA, Switzerland, or similar countries, effective from the commencement of the relevant Restricted Transfer, Client and Personify hereby enter into, and incorporate into this Data Processing Addendum by reference, the Standard Contractual Clauses (EU/EEA) in respect of any Restricted Transfer (or onward transfer) of Personal Data by or on behalf of the Client to Personify from: (1) the EEA, (2) Switzerland, or (3) any country in which the competent authorities have approved the use of the Standard Contractual Clauses (EU/EEA) and where such Restricted Transfer (or onward transfer) would otherwise be prohibited by Applicable Laws (or by the terms of data transfer agreements put in place to address Applicable Laws). In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses (EU/EEA) shall be deemed complete as follows:
        1. In Clause 7, the optional docking clause will not apply;
        2. In Clause 9(a), Option 2 will apply, and the time period for prior notice of additions or replacements of Personify Sub-Processors shall be thirty (30) days;
        3. In Clause 11, the optional language will not apply;
        4. In Clause 17, Option 1 will apply, and the Standard Contractual Clauses (EU/EEA) will be governed by the law of the Member State in which the data exporter is established.
        5. As per Clause 18(b), disputes shall be resolved before the courts of the Member State in which the data exporter is established.
        6. Annex 1 to the Standard Contractual Clauses (EU/EEA) shall be deemed to be pre-populated with the Processing Details in Exhibit A and Appendix 1 hereto; and
        7. Annex 2 to the Standard Contractual Clauses (EU/EEA) shall be deemed to be pre-populated with the Security Measures set forth in Appendix 2 hereto.
      5. Restricted Transfers from the United Kingdom. With respect to Restricted Transfers from the UK, effective from the commencement of the relevant Restricted Transfer, Client and Personify hereby enter into, and incorporate into this Data Processing Addendum by reference, the Standard Contractual Clauses (UK IDTA) in respect of any Restricted Transfer (or onward transfer) of Personal Data by or on behalf of Client to Personify from the UK. In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses (UK IDTA) shall be deemed complete as follows: in respect of any UK Restricted Transfer, the Controller to Processor SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the Standard Contractual Clauses (UK IDTA), and the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in this Agreement.
      6. The provisions of the Standard Contractual Clauses (EU/EEA), subject to the terms set forth in section 4.4.4, shall apply in place of the Standard Contractual Clauses (UK IDTA), as applicable, together with any modifications to the Standard Contractual Clauses (EU/EEA) required by the UK privacy laws (and subject to the governing law being English law, the competent courts being the English courts and the competent supervisory authority being the Information Commissioner’s Office).
      7. In the event of a conflict between (i) the Agreement, and (ii) the Standard Contractual Clauses (EU/EEA) or the Standard Contractual Clauses (UK IDTA), the latter shall prevail.
      8. If, at any point during the Term, changes in applicable laws require amendments to this Data Processing Addendum in order to ensure the lawful transfer of Personal Data, Client and Personify will cooperate in good faith to implement such amendments without undue delay.
  5. CCPA Compliance.
    1. For purposes of this Section, the terms “Service Provider”, “Business Purpose”, “Commercial Purpose”, “Collect”, and “Sell” shall have the meanings set forth in the California Consumer Privacy Act (“CCPA”).
    2. Service Provider Obligations and Restrictions. The Parties agree that Personify is a Service Provider to Client with respect to Personal Data Processed by Personify.
      1. As a Service Provider, Personify will:
        1. Implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it Processes as set forth in the Data Security Obligations Section of this Addendum.
        2. Apply its obligations regarding Data Subject requests, as set forth in the Responding to Data Subject Requests Section of this Addendum, to Data Subject requests submitted under the CCPA.
      2. As a Service Provider, Company will not retain, use, sell, or disclose Personal Data outside of the direct business relationship between the Parties except under the following limited circumstances:
        1. To perform Services on behalf of Client for a Business Purpose as specified in the Main Agreement, the Exhibits and Appendices to this Addendum, and any other written agreements into which the Parties enter.
        2. To retain and employ a Sub-Processor that meets the requirements for a Service Provider under the CCPA.
        3. For internal use by Company to build or improve the quality of its Services, provided that the use does not include building or modifying household or consumer profiles, or correcting or augmenting data acquired from another source.
        4. To detect data security incidents, or protect against fraudulent or illegal activity.
        5. To collect, use, retain, sell, or disclose Personal Data that is deidentified or aggregated information.
        6. As otherwise required by applicable law, including: (a) compliance with federal, state, or local laws; (b) compliance with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (c) cooperating with law enforcement agencies concerning conduct or activity that Company reasonably and in good faith believes may violate federal, state, or local law; (d) exercising or defending legal claims and as otherwise permitted by applicable law.
  6. Compliance with Other Applicable Data Protection and Privacy Laws and Regulations. The Parties agree to comply with all Applicable Laws from the effective date of this Addendum until all Processing activities covered by the Main Agreement and this Addendum have ceased and until all Client Personal Data has either been completely, permanently, and securely disposed of or securely transferred back to Client.
  7. Right to Terminate Agreement. In the event of any breach of this Addendum by Client, Company has the right to terminate the Main Agreement without penalty to Company upon written notice to Client.
  8. Severability. If any provision of this Addendum is, to any extent, invalid or unenforceable, all other provisions of the Addendum will remain in full force and effect. To the extent permitted and possible, the invalid or unenforceable provision will be deemed replaced by a term that is valid and enforceable and that comes closest to expressing the intention of such invalid or unenforceable term. If this is not permissible or not possible, then the Addendum will be construed as if the invalid or unenforceable provision were not included in the Addendum.
  9. No Limitation on Company’s Rights or Remedies. Nothing in this Addendum will limit Company’s rights or remedies under the Main Agreement or at law.
  10. Governing Laws/Jurisdiction. The Parties to this Addendum submit to the choice of jurisdiction set forth in the Main Agreement with respect to any disputes or claims arising under this Addendum unless otherwise required under Applicable Law. The Parties further stipulate that any and all disputes concerning the construction and interpretation of this Addendum and/or the Parties’ obligations under this Addendum will be handled in accordance with pertinent provisions governing disputes or claims that are set forth in the Main Agreement.
  11. Incorporation into Main Agreement. This Addendum, after being duly executed by the Parties, is incorporated into the Main Agreement between Company and Client, and made an integral part thereof.
  12. Survival. All provisions of this Addendum that, by their own express terms or by their nature and context, are intended to survive the termination or expiration of the Main Agreement shall survive.


List of Schedules to this Addendum:

  • Exhibit A to Data Protection Addendum (Details of Processing)
  • Appendix 1 to Standard Contractual Clauses
  • Appendix 2 to Standard Contractual Clauses


Exhibit A to Data Protection Addendum

(Details of Processing)


Subject Matter and Duration of Processing:

The subject matter and duration of the Processing of Personal Data are set forth in the Main Agreement and the Exhibits and Appendices to this Addendum.

Nature and Purpose of Processing:

Company may obtain Personal Data during its provision of the Services and in the development, testing, hosting, and maintenance of software and related services, which include the following tools:

  • Member and contact management
  • Event registration
  • Online payments
  • Email and contact database
  • Website builder
  • Mobile solutions

Categories of Data Subjects:

  • Client Staff
  • Client Members and/or Client Customers or Constituents
  • Employees, consultants, independent contractors, agents, and non-employee workers

Categories of Personal Data:

  • Contact Information (e.g., name, organization and title, phone number, email address, physical address)
  • Communication Information (e.g., discussion board posts, comments, and other communications sent between parties through the services)
  • Site Usage and Location Information (e.g., IP address, geographic location of device, browser type and language, device model, hardware and operating system, user behavior (e.g., time of visits, page views (e.g., links clicked), features used, frequency of use))
  • Special Categories of Personal Data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation): None


Appendix 1

to the Standard Contractual Clauses


This Appendix forms part of the Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is:

The legal entity identified as “Client” in the Main Agreement

Data importer

The data importer is:

The legal entity identified as “Company” in the Main Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects:

The categories of data subjects are listed in Exhibit A to this Addendum.

Categories of data

The personal data transferred concern the following categories of data:

The categories of personal data transferred are listed in Exhibit A to this Addendum.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

The categories of personal data transferred are listed in Exhibit A to this Addendum.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

The data importer will process personal data as necessary to perform the Services described in the Main Agreement and in the Exhibits and Appendices to this Addendum.


Appendix 2

to the Standard Contractual Clauses


This Appendix forms part of the Clauses.

Description of the technical and organizational measures implemented by the Contracted Processors (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The undersigned data importer implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, as appropriate:

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and
  • The ability to enable:
    • measures of pseudonymisation and encryption of personal data;
    • measures for user identification and authorization;
    • measures for the protection of data during transmission;
    • measures for the protection of data during storage;
    • measures for ensuring physical security of locations at which personal data are processed; and
    • measures for ensuring event logging.