This Data Protection Addendum (“Addendum”) is entered into as of the date of the last signature below, (the “Effective Date”), by and between the customer specified in the table below (“Customer”) and Revenue.io, Inc. (“Revenue.io”). This Addendum modifies, supplements, and is incorporated into the main agreement between the parties (the “Agreement”). All capitalized terms used in this Addendum but not defined herein shall have the meaning given to them in the Applicable Data Protection Law or the Agreement, unless otherwise stated. If there is any conflict between this Addendum and the Agreement regarding the parties’ respective privacy and security obligations, the provisions of this Addendum shall control.
Revenue.io, Inc. |
Customer: |
Signature:
Name:
Title:
Date Signed: ___________________ |
Signature:
Name: ________________________
Title: ________________________
Date Signed: ________________________ |
Address:
15000 Ventura Blvd
Suite 200
Sherman Oaks, CA 91403, USA |
Address: |
DPO/Contact for data protection inquiries
Privacy Team
privacy@revenue.io |
DPO/Contact for data protection enquiries
Name/Role: ________________________
Email: ________________________ |
How this DPA applies
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, Revenue.io is party to the Agreement and this DPA.
If the Customer entity signing this DPA has executed an Order Form with Revenue.io or its affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the Revenue.io entity that is party to such Order Form is party to this DPA.
If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such an entity should request that the Customer entity who is a party to the Agreement execute this DPA.
If the Customer entity signing the DPA is not a party to an Order Form nor a Master Subscription Agreement directly with Revenue.io, but is instead a customer indirectly via an authorized reseller of Revenue.io services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.
This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in Customer’s Agreement (excluding any existing data processing addendum to the Agreement).
Data Processing Terms
In the course of providing the Services to Customer pursuant to the Agreement, Revenue.io may Process Personal Data on behalf of Customer and Revenue.io agrees to comply with the following provisions with respect to such Personal Data.
I. Introduction
-
- Definitions.
- “controller”, “processor”, “data subject”, “Personal Data” and “Processing” (and “Process”) shall have the meanings given in Applicable Data Protection Law;
“Applicable Data Protection Law” shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
- “Customer Account Data” shall mean Personal Data that relates to Customer’s relationship with Revenue.io, including the names and/or contact information of individuals authorized by Customer to access Customer’s Revenue.io account and billing information of individuals that Customer has associated with its Revenue.io account;
- “Customer Usage Data” shall mean data processed by Revenue.io for the purposes of transmitting, distributing or exchanging Customer Content; including data used to trace and identify the source and destination of a communication, such as individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Revenue.io Services, and the date, time, duration and the type of communication.
- “Customer Content” shall mean content exchanged by means of use of the Revenue.io Services, such as text, message bodies, voice and video media, images, and sound.
- “Customer Personal Data” shall mean any Personal Data that is processed by Revenue.io on behalf of Customer pursuant to, or in connection with, the Agreement and this Addendum.
- “GDPR” shall mean the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council and associated national legislation.
- “Revenue.io Services” shall have the same meaning as in the Agreement.
- “Restricted Transfer” shall mean a transfer or an onward transfer of Personal Data where such transfer would be prohibited by Applicable Data Protection Law in the absence of additional safeguards.
- “SCCs” shall mean, as applicable to the relevant data transfer: (i) Module 2 (Controller-to-Processor, applicable when Customer is the controller of the transferred Personal Data), or Module 3 (Processor-to Processor, applicable when Customer is a processor of its customers’ Personal Data) of the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”), (ii) the UK IDTA, or (iii) such other terms intended to provide adequate protection to Revenue.io pursuant to Applicable Data Protection Law; in each case, as amended or replaced from time to time under the Applicable Data Protection Law.
- “Third Country” means: (i) with respect to GDPR, a country other than the Member States; (ii) with respect to the UK Data Protection Law, any country outside of the UK; and (iii) with respect to any other country, as provided in Applicable Data Protection Law.
- “UK Data Protection Law” shall mean the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), and other data protection or privacy legislation in force from time to time in the United Kingdom.
- “UK IDTA” shall mean the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws.
- Relationship of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Content, Customer is a controller or processor, as applicable, and Revenue.io is a processor. With regard to the processing of Customer Account Data and Customer Usage Data, Customer is a controller or processor, as applicable, and Revenue.io is an independent controller, not a joint controller with Customer. Each party shall comply with its respective obligations under Applicable Data Protection Law, and this Addendum, when processing Personal Data.
II. Processor Obligations (Customer Content)
-
- Details of the processing.
- Subject Matter: Revenue.io’s provision of the Revenue.io Services to Customer.
- Purpose of the Processing: The purpose of the data processing under this Addendum is the provision of the Revenue.io Services as initiated by Customer from time to time.
- Categories of Data: Data relating to individuals provided to Revenue.io via the Revenue.io Services, by (or at the direction of) Customer of Customer’s end users.
- Categories of Data Subjects: Data subjects may include Customer’s customers, employees, suppliers and end users about whom data is provided to Revenue.io via the Revenue.io Services by (or at the direction of) Customer or by Customer’s end users.
- Duration of the Processing: As between Revenue.io and Customer, the duration of the data processing of Customer Content under this Addendum is necessarily determined by Customer.
- Customer Instructions. Customer appoints Revenue.io as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions as set out in the Agreement and this Addendum, as otherwise necessary to provide the Revenue.io Services, or as otherwise agreed in writing (“Permitted Purposes”). Additional instructions outside the scope of the Agreement, this Addendum, or as otherwise needed to provide the Revenue.io Services may result in additional fees payable by Customer to Revenue.io for carrying out those instructions. Customer shall ensure that its instructions comply with all laws, regulations and rules applicable to the Customer Content, and that Revenue.io’s processing of the Customer Content in accordance with Customer’s instructions will not cause Revenue.io to violate any applicable law, regulation or rule, including Applicable Data Protection Law. Revenue.io agrees not to access or use Customer Content, except as necessary to maintain or provide the Revenue.io Services, or as necessary to comply with the law or other binding governmental order.
- Confidentiality of Customer Content and Responding to Third Party Requests. In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory or third party is made directly to Revenue.io in connection with Revenue.io’s processing of Customer Content, Revenue.io shall promptly inform Customer providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Revenue.io shall not respond to any such request, inquiry or complaint without Customer’s prior consent except to confirm that the request relates to Customer to which Customer hereby agrees.
- Confidentiality Obligations of Revenue.io Personnel. Revenue.io will ensure that any person it authorizes to process the Customer Content shall protect the Customer Content in accordance with Revenue.io’s confidentiality obligations under the Agreement.
- Subcontracting. Customer consents to Revenue.io engaging third party sub-processors to process Customer Content for Permitted Purposes provided that:
- Revenue.io maintains an up-to-date list of its sub-processors at www.Revenue.io/legal/subprocessors. Customer can be notified of subprocessor changes by sending a request to privacy@Revenue.io. Revenue.io shall provide details of any change in sub-processors as soon as reasonably practicable but not less than ten (10) days prior to any such change;
- Revenue.io imposes data protection terms on any sub-processor it appoints that require it to protect the Customer Content to the standard required by Applicable Data Protection Law; and
- Revenue.io remains liable for any breach of this Addendum that is caused by an act, error or omission of its sub-processor. Customer may object to Revenue.io’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercial reasonably alternative solutions in good faith. If the parties cannot reach resolution, Revenue.io will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the portion of Agreement dependent on the objected to sub-processor (without prejudice to any fees incurred by Customer prior to suspension or termination).
- Data Subject Rights. As part of the Revenue.io Services, Revenue.io provides Customer with a number of self service features, including the ability to delete, retrieve, or restrict use of Customer Content, which may be used by Customer to assist in its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects. In addition, Revenue.io will provide reasonable additional and timely assistance (at Customer’s expense) to the extent the self-service features of the Revenue.io Services do not sufficiently enable Customer to comply with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.
- Impact Assessments and Consultations. If requested, Revenue.io shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment or consultations with supervisory authorities that may be required under Applicable Data Protection Law.
- Deletion of Customer Content. The Revenue.io Services provide Customer with the capability to delete its Customer Content by way of the Admin Console. Accordingly, following termination or expiry of the Agreement, Revenue.io will provide a reasonable opportunity for Customer to obtain ad-hoc reports of Customer Content and delete the same. This requirement shall not apply to the extent that Revenue.io is required by law to retain some or all of the Customer Content, or to Customer Content it has archived on back-up systems, which Revenue.io shall securely isolate and protect from any further processing except to the extent required by law.
- Audit Obligations. The parties acknowledge that Customer must be able to assess Revenue.io’s compliance with its obligations under Applicable Data Protection Law, insofar as Revenue.io is acting as a processor on behalf of Customer. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls including that Customer (or Customer’s independent third-party auditor is not a competitor of Revenue.io), Revenue.io shall make available to Customer information regarding Revenue.io’s compliance with the obligations set forth in this DPA. Customer further agrees that any such audit reports meet Customer’s audit requirements, and Customer agrees to exercise any right it may have to conduct an inspection or audit (including under Standard Contractual Clauses, as applicable) by instruction to Revenue.io to carry out the audit. If Customer wishes to conduct an on-site audit of Revenue.io’s security program with regard to the processing of Customer Content under the Agreement, such audit shall (i) be subject to a mutually agreed audit plan; (ii) be carried out during regular business hours in a way not to be disruptive to normal business operations; (iii) be billed to Customer at Revenue.io’s then-current rates, but no less than $3,000/day; and (iv) occur no more than once annually or following notice of a Security Incident. If the Standard Contractual Clauses apply, nothing in this Section 11 (Audit Obligations) varies or modifies the Standard Contractual Clauses nor affects the supervisory authorities’ or data subjects’ rights under the Standard Contractual Clauses.
- Violations of Applicable Data Protection Law. Revenue.io will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law.
III. Controller Obligations (Customer Account and Usage Data)
-
- Purpose Limitation. Revenue.io shall process Customer Account Data and Customer Usage Data in accordance with Applicable Data Protection Law and consistent with its Privacy Notices as posted on its publicly-available website and/or the Agreement.
- Cooperation and Data Subject Rights. In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Account Data and Customer Usage Data; (collectively, “Correspondence”) then, where such Correspondence relates (or also relates) to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Data Protection Law.
- Transparency. The parties acknowledge that Revenue.io does not have a direct relationship with Customer’s end users whose personal data Revenue.io may process in connection with Customer’s use of the Revenue.io Services. Customer shall be responsible for ensuring its end users are provided adequate notice of Revenue.io’s processing activities, including with respect to Customer end user data for which Revenue.io acts as a controller, and shall make available to end users a privacy notice that fulfills the requirements of Applicable Data Protection Law. Revenue.io agrees to provide Customer with sufficient information regarding its processing activities to allow Customer to provide such notice.
IV. Security
-
- Security Measures. Revenue.io has implemented and will maintain appropriate technical and organizational measures to protect Customer Account Data, Customer Usage Data, and Customer Content (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the such data (a “Security Incident”) as set forth in the Security, Privacy and Architecture Documentation applicable to the specific Services purchased by data exporter and accessible via https://www.revenue.io or otherwise made reasonably available by the data importer. Revenue.io regularly monitors compliance with these measures. Revenue.io will not materially decrease the overall security of the Services during a subscription term.
- Determination of Security Requirements: Customer acknowledges that the Revenue.io Services include certain features and functionalities that Customer may elect to use that impact the security of the data processed by Customer’s use of the Revenue.io Services, such as, but not limited to, encryption of voice recordings on Customer’s Revenue.io account. Customer is responsible for making an independent determination as to whether the Revenue.io Services meet the Customer’s requirements and legal obligations, including its obligations under this Addendum. Customer is further responsible for properly configuring the Revenue.io Services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by Customer’s use of the Revenue.io Services.
- Security Incident Notification – Customer Content: Revenue.io shall, to the extent permitted by law, promptly notify Customer of any Security Incident of which Revenue.io becomes aware. To the extent such Security Incident is caused by a violation of the requirements of this Addendum by Revenue.io, Revenue.io shall make reasonable efforts to identify and remediate the cause of such Security Incident. Revenue.io shall provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a supervisory authority or any data subjects of the Security Incident.
- Security Incident Notification – Customer Usage Data: If Revenue.io becomes aware of a confirmed Security Incident involving Customer Usage Data containing the personal data of data subjects with whom Revenue.io does not have a direct relationship, for example Customer’s end users, and Revenue.io determines that the incident must be reported to a regulatory authority, Revenue.io will notify the Customer of the incident and of its obligation and intent to notify the regulatory authority. If the impacted data subjects are required to be notified of the Security Incident, Customer will provide reasonable assistance to Revenue.io to effectuate appropriate notice to the impacted data subjects.
V. Restricted Transfers
-
- Restricted Transfers. Revenue.io (as “data importer”) and Customer (as “data exporter”), with effect from the commencement of the relevant Restricted Transfer, hereby enter into: (i) the EU SCCs, which are expressly incorporated by reference herein, in respect of any Restricted Transfer subject to the GDPR (subject to Section 18 below); and (ii) the UK IDTA, which is expressly incorporated by reference herein, in respect of any Restricted Transfer subject to UK Data Protection Law (subject to Section 19 below). Further, until such time as the relevant jurisdiction(s) issue their own standard contractual clauses, the EU SCCs shall apply in respect of any Restricted Transfer subject to any other Applicable Data Protection Law that regulates cross-border transfers of Personal Data.
- EU Restricted Transfers. The parties agree that with respect to the EU SCCs:
- Clause 7 – Docking clause shall not apply;
- In Clause 9 – Use of subprocessors, Option 2 shall apply and the “time period” shall be thirty (30) days; 18.3 In Clause 11(a) – Redress, the optional language shall not apply;
- In Clause 13(a) – Supervision, the following shall be inserted: the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex 1.C, shall act as competent supervisory authority.
- In Clause 17 – Governing law, Option 2 shall apply and the “Member State” shall be ; 18.6 In Clause 18 – Choice of forum and jurisdiction, the Member State shall be ; 18.7 Annex I shall be deemed completed with the relevant sections of Annex 1 to this DPA; 18.8 Annex II shall be deemed completed with the relevant sections of Annex 2 to this DPA; and 18.9 Annex III shall be deemed completed with the relevant sections of Annex 3 to this DPA.
- UK Restricted Transfers. In respect of restricted transfers from the UK, the EU SCCs (as incorporated by reference) shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is as set forth below:
- Table 1 – the Parties are Customer and Revenue.io, with contact details as set forth in Annex 1 to this DPA.
- Table 2 – the Approved EU Standard Contractual Clauses with optional provisions as set forth in Section 18 hereabove.
- Table 3 – the Annexes are deemed completed with the relevant information contained in the Annexes to this DPA.
- Table 4 – neither Party has the right of termination set forth in Section 19 of the UK IDTA.
- Swiss Restricted Transfers. The parties agree that, with respect to Swiss Personal Data, the EU SCCs will apply amended and adapted as follows:
- the Swiss Federal Data Protection and Information Commissioner is the exclusive supervisory authority;
- the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18; and
- references to the GDPR in the EU SCCs shall also include the reference to the equivalent provisions of the Swiss Federal Act on Data Protection (as amended or replaced).
VI. Miscellaneous
- Entire Agreement; Conflict. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Revenue.io and Customer. If there is any conflict between this Addendum and any agreement, including the Agreement, the terms of this Addendum shall control.
- GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party shall be responsible for any GDPR fees or fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
- Limitation of Liability. The Customer and each of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between authorized affiliates and Revenue.io, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of Customer means the aggregate liability of that Customer and all of its affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Revenue.io’s and its affiliates’ total liability for all claims from the Customer and all of its authorized affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all authorized affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any authorized affiliate that is a contractual party to any such DPA. Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.
ANNEX 1 – DESCRIPTION OF THE PROCESSING
A. LIST OF PARTIES
Data exporter(s):
1) |
Name: |
CUSTOMER |
Address: |
CUSTOMER ADDRESS |
Contact person’s name, position, and contact details: |
CUSTOMER CONTACT |
Activities relevant to the data transferred under these Clauses: |
Use of Revenue.io’s Services as described in the Agreement. |
Role (controller/processor): |
Controller (or Processor, if processing Personal Data on behalf of another controller) |
Data exporter(s):
1) |
Name: |
Revenue.io, Inc. |
Address: |
15000 Ventura Blvd Ste 201, Sherman Oaks, California, 91403, United States |
Contact person’s name, position, and contact details: |
Kanwar Saluja (Chief Operating Officer) Kanwar@revenue.io |
Activities relevant to the data transferred under these Clauses: |
Providing and supporting the Services as described in the Agreement. |
Role (controller/processor): |
Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred / processed (delete or add as necessary)
- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
Categories of personal data transferred / processed (delete or add as necessary)
First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Connection data
- Localisation data
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Data exporter may submit special categories of data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Revenue.io does not intentionally collect or process any special categories of data in the provision of its products and/or services.
However, special categories of data may from time to time be inadvertently processed by Revenue.io where the data exporter or its end users choose to include this type of data within the communications it transmits using Revenue.io’s products and/or services. As such, the data exporter is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using Revenue.io’s products and/or services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Transfers will be made on (select one):
- ☒ continuous basis.
- ☐ a one-off basis commencing on DATE and terminating on DATE.
Nature of the processing
- The nature of the processing (i.e., the Services provided) is as described in the Agreement.
Purpose(s) of the data transfer and further processing
- To provide the Services as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- The data exporter’s Personal Data will be retained for the duration of the Agreement, after which point Revenue.io will delete the data exporter’s Personal Data unless otherwise required under applicable law.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing
- The subject matter and duration of the processing is as outlined above within this Annex. The nature of the specific subprocessing services is as further described in Annex 3
C. COMPETENT SUPERVISORY AUTHORITY
- The competent supervisory authority is as determined in accordance with Clause 13 of the Standard Contractual Clauses.
ANNEX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons:
For information and details regarding technical and organisational measures implemented by Revenue.io, see Security, Privacy and Architecture Documentation applicable to the specific Services purchased by data exporter and accessible via https://www.revenue.io or otherwise made reasonably available by the data importer. Revenue.io regularly monitors compliance with these measures. Revenue.IO will not materially decrease the overall security of the Services during a subscription term.
ANNEX 3 – SUBPROCESSORS
Revenue.io maintains an up-to-date list of its sub-processors at https://www.revenue.io/subprocessors.