
Data Processing Addendum (Archived)

Effective Date: May 25, 2018


Except where otherwise negotiated in writing, this Data Processing Addendum (“DPA”) forms part of the Agreement found at Terms of Use for the use of WildApricot’s online membership management service (“Service”) for the Processing of Personal Data, including EU Personal Data.

In consideration of the mutual obligations set out herein, WildApricot and Customer, collectively (“the Parties”) hereby agree that the terms and conditions set forth below shall be added as an addendum to the Agreement to govern processing by WildApricot of any EU Personal Data that is subject to the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and similar laws, which require certain data protection and privacy obligations to be covered contractually.

To the extent that any terms or conditions set forth in any other agreement between the Parties, including agreements entered into after the date of this DPA, conflict with any terms or conditions of this DPA, it is expressly understood and agreed that the terms and conditions set forth in this DPA will apply rather than the conflicting terms and conditions in any other written agreement, unless the Parties explicitly agree otherwise in writing.  The Parties will not agree, under any circumstance, to providing less protection to EU Personal Data than is required by all applicable laws, regulations, directives, rules, standards, and frameworks.

  1. Effective Period.  This DPA will be effective beginning May 25, 2018, and will remain effective for as long as WildApricot and any Sub-Processor to which WildApricot has disclosed any EU Personal Data retains any EU Personal Data received from Customer.
  2. Definitions.  
    1. For purposes of this DPA, the following terms will have the following meanings:
      1. Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
      2. Customer:  The legal entity or individual who accepted WildApricot’s Agreement, which includes this DPA.
      3. Data Protection Impact Assessment (“DPIA”): A process designed to describe the Processing, to assess the necessity and proportionality of the Processing, and to help manage the risks to the rights and freedoms of natural persons resulting from the Processing of Personal Data (by assessing them and determining measures to address them).
      4. Data Subject: An identified or identifiable natural person whose Personal Data is being Processed.
      5. EU Personal Data:  Any information relating to an identified or identifiable natural person located in the EU.
      6. Personal Data: Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
      7. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
      8. Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
      9. Processor: A natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
      10. Sub-Processor: A Sub-Processor retained by a Processor to assist with Processing activities.
    2. Any capitalized data protection terms used in this DPA that are not specifically defined in this DPA will have the meaning ascribed to them in the GDPR.
  3. EU Personal Data Protection Compliance.
    1. The Parties’ General Compliance Obligations.  In connection with the Services covered by the Agreement and this DPA, WildApricot and Customer will comply with all applicable provisions of the GDPR on and after May 25, 2018, as well as all applicable Member State laws and regulations.
    2. Details of Processing.  Pursuant to Article 28 of the GDPR, the details of the processing covered by the Agreement and this DPA are set forth in the Appendix (“Appendix: Details of Processing”) attached to this DPA.
    3. Customer Obligations and Authorization of Processing.
      1. The Parties agree that Customer is the Controller, and WildApricot is the Processor.  Customer is and shall remain responsible for compliance with all requirements imposed on Controllers, including but not limited to confirming the lawful basis for all processing activities conducted by WildApricot on Customer’s behalf and obtaining consent from data subjects, where required.
      2. Customer authorizes WildApricot to collect and process the EU Personal Data needed to perform the Services for which Customer is contracting with WildApricot in the Agreement.
      3. Customer agrees to limit any EU Personal Data it transfers to WildApricot or to which WildApricot is otherwise given access for processing to only EU Personal Data needed by WildApricot to fulfill its obligations under the Agreement.
      4. Customer authorizes the transfer, processing and storage of EU Personal Data outside the European Economic Area (EEA) in order to fulfill the purpose of the Services.
      5. Customer grants a general authorization to WildApricot to engage or replace Sub-Processors to perform part of the Service, provided that WildApricot respects all requirements set forth in the GDPR for the appointment of Sub-Processors.
      6. Customer hereby consents to WildApricot’s engagement of Sub-Processors in connection with the processing of the Personal Data.  Upon written request, WildApricot will make the list of applicable Sub-Processors available to Customer.  Customer may reasonably object to any new Sub-Processor, in which case WildApricot will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Sub-Processor.  If WildApricot is unable to provide an alternative, Customer may terminate the affected Services.  WildApricot will enter into written agreements with each Sub-Processor containing reasonable provisions relating to the implementation of technical and organizational measures in compliance with the GDPR.  WildApricot will remain liable for acts and omissions of its Sub-Processors in connection with the provision of the Services.
    4. WildApricot’s EU Personal Data Protection Obligations.
      1. WildApricot’s Processing of EU Personal Data on Customer’s behalf will be conducted in accordance with documented instructions received from Customer.  WildApricot will promptly inform Customer if, in WildApricot’s opinion, an instruction from Customer infringes on the GDPR or other Member State data protection provisions.
      2. WildApricot will only provide access rights to EU Personal Data to associates who have committed themselves to confidentiality.
      3. WildApricot has implemented appropriate technical and organizational measures in accordance with Article 32 of the GDPR.
      4. WildApricot will abide by the requirements set forth in the GDPR for the appointment of Sub-Processors.
      5. WildApricot has implemented measures to assist Customer in responding to data subject requests to exercise their data subject rights.
      6. After becoming aware of any Personal Data Breach involving EU Personal Data received from Customer or collected on Customer’s behalf, WildApricot will notify Customer without undue delay.
      7. WildApricot will assist Customer in complying with its GDPR obligations relating to the Services concerning the security of processing, notification of an EU Personal Data Breach, Data Protection Impact Assessments (DPIAs), and prior consultations.
      8. Depending on Customer’s asserted choice, WildApricot will either delete or return all EU Personal Data to Customer after the end of the provision of Services unless EU or Member State law requires storage of the EU Personal Data.
      9. Upon written request, WildApricot will provide Customer with information needed to demonstrate compliance with the obligations of Article 28 of the GDPR, and will permit and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
  4. Right to Terminate Agreement.  In the event of any breach of this DPA by Customer, WildApricot has the right to terminate the Services and Agreement without penalty to WildApricot upon written notice to Customer.
  5. Indemnification. Customer will fully indemnify, hold harmless and defend WildApricot, its affiliates, and their respective officers, directors, employees, agents and contractors (collectively, “Indemnified Parties”) from and against any and all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, regulatory investigations, enforcement actions, administrative penalties, fees, fines, costs, and expenses (including but not limited to reasonable attorney’s fees and costs) (each a “Claim”) any of them suffer as a result of a breach by Customer or its employees, representatives, agents, or contractors of any of Customer’s obligations set forth in this DPA; a Personal Data Breach caused by any act, omission or negligence of Customer or its employees, representatives, agents, or contractors; or Customer’s, or its employees’, representatives’, agents’, or contractors’ violation or breach of the GDPR or any other applicable data protection or privacy law, regulation, directive, rule, standard, or framework, including but not limited to violation or breach of the rights of a data subject and violations relating to Customer’s use of WildApricot’s products and/or services.  WildApricot reserves the right to assume the exclusive defense and control of any matter subject to indemnification at the expense of Customer, and in such case, Customer agrees to cooperate with WildApricot in the defense of any such Claim.
  6. Severability.  If any provision of this DPA is, to any extent, invalid or unenforceable, all other provisions of the DPA will remain in full force and effect.  To the extent permitted and possible, the invalid or unenforceable provision will be deemed replaced by a term that is valid and enforceable and that comes closest to expressing the intention of such invalid or unenforceable term.  If this is not permissible or not possible, then the DPA will be construed as if the invalid or unenforceable provision were not included in the DPA.
  7. No Limitation on WildApricot’s Rights or Remedies.  Nothing in this DPA will limit WildApricot’s rights or remedies under the Agreement or at law.
  8. Governing Laws/Jurisdiction.  The Parties to this DPA submit to the choice of jurisdiction set forth in the Agreement with respect to any disputes or claims arising under this DPA.  The Parties further stipulate that any and all disputes concerning the construction and interpretation of this DPA and/or the Parties’ obligations under this DPA will be handled in accordance with pertinent provisions governing disputes or claims that are set forth in the Agreement.

 

Appendix: Details of Processing

Subject Matter and Duration of Processing:

The subject matter and duration of the Processing of EU Personal Data are set forth in the Agreement and this DPA.

Nature and Purpose of Processing:

  • Membership management
  • Event registration
  • Online payments
  • Email and contact database
  • Website builder
  • Mobile solutions

Categories of Data Subjects:

  • Customers
  • Customers’ members
  • Customers’ contacts

Categories of Personal Data:

  • Contact information (e.g., name, organization name, phone number, email address)
  • Payment information (e.g., billing address, billing contact)