This Data Processing Agreement (‘DPA’) is an addendum to and forms part of the Terms of Service, as applicable (‘Main Agreement’), under which Unleash provides services (‘Services’) to Customer.
Capitalized terms used in this DPA have the meaning set forth herein. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Main Agreement. Terms that are not capitalized are interpreted in accordance with applicable data protection and privacy laws.
This DPA does not change the terms of the Main Agreement but only supplements the Main Agreement for purposes of personal data processing.
Schedule 1: Data Processing Agreement
1 For the purposes of this Data Processing Agreement (‘DPA’), the terms controller, processor, data subject, personal data, personal data breach, and processing shall have the meaning given to them in the EU GDPR.
2 Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This DPA is in addition to and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws.
3 The parties have determined that for the purposes of Applicable Data Protection Laws:
3.1 Unleash shall process the personal data as described in Schedule 2 as processor on behalf of the Customer; and
3.2 Unleash shall act as controller of the personal data ancillary to the Services, such as personal data processed in connection with its sales, marketing or administration activities.
4 Should the determination in section 3 change or the type of data processed during the course of the agreement change, the parties shall use all reasonable endeavours to make any changes that are necessary to this DPA and Schedule 2.
5 Customer is not permitted to process sensitive personal data nor data which attracts elevated processing risks such as children’s data, national ID numbers, payment card data etc., without prior notification to Unleash and Customer’s provision of an updated Schedule 2 to Unleash which describes the processing. Unleash disclaims all responsibility for any processing of such personal data which occurs where Unleash has not been notified.
6 If Customer is processing the personal data described in section 5, Unleash may choose to suspend the Services or terminate this agreement with no further liability nor obligation to Customer.
7 Unleash is under no obligation to provide the Services where the Customer’s use of the Services is not in compliance with Applicable Data Protection Laws.
8 Without prejudice to the generality of section 2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Unleash Personal Data and Customer Personal Data to Unleash and, where relevant, its affiliates and lawful collection of the same by Unleash for the duration and purposes of this agreement.
9 In relation to the Customer Personal Data, Schedule 2 sets out the scope, nature and purpose of processing by Unleash, the duration of the processing and the types of personal data and categories of data subject.
10 Without prejudice to the generality of section 2, Unleash shall, in relation to Customer Personal Data:
10.1 process that Customer Personal Data only on the documented instructions of the Customer unless Unleash is required by applicable laws to otherwise process that Customer Personal Data (Purpose). Where Unleash is relying on applicable laws as the basis for processing Customer Personal Data, Unleash shall notify the Customer of this before performing the processing required by the applicable laws unless those applicable laws prohibit Unleash from so notifying the Customer on important grounds of public interest. Unleash shall inform the Customer if, in the opinion of Unleash, the instructions of the Customer infringe Applicable Data Protection Laws;
10.2 implement the technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
10.3 ensure that any personnel engaged and authorised by Unleash to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
10.4 assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Unleash), and at the Customer’s cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
10.5 notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
10.6 at the written direction of the Customer provided within 30 days of termination of the agreement, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless Unleash is required by Applicable Law to continue to process that Customer Personal Data. If no direction is provided by Customer within 30 days of termination of the agreement, the Customer Personal Data shall be deleted. For the purposes of this clause, Customer Personal Data shall be considered deleted where it is put beyond further use by Unleash; and
10.7 maintain records to demonstrate its compliance with this DPA, and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice.
10.8 The Customer provides its prior, general authorisation for Unleash to appoint processors to process the Customer Personal Data, provided that Unleash:
(a) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on Unleash in this DPA;
(b) shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of Unleash; and
(c) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes. If the Customer objects to the changes and Unleash determines in its sole discretion that it cannot amend the Services or its commercial practices to resolve the issue causing the Customer’s objection, Unleash may terminate the agreement without liability to Customer.
11 Unleash will not transfer Customer personal data outside the EEA or UK unless Customer is contracted with Unleash’s US affiliate or Customer or its Users are located outside the EEA or UK. Unleash will comply with any reasonable request of Customer relating to such transfers, including any request to enter into the standard clauses for the transfer of personal data from time to time (where the EU GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK GDPR applies to the transfer). It is Customer’s responsibility to ensure the correct transfer documents are in place for any transfers of personal data outside the EEA or UK.
12 Third Party Solutions appointed by Customer:
12.1 Customer may elect to subscribe to third party services that may integrate with the Services (Third Party Solutions).
12.2 Where Customer chooses to integrate with a Third Party Solution, this may entail providing Unleash with access to Personal Data held by such Third Party Solution, and may require the providers of such Third Party Solution to have access to Customer Personal Data. Unleash will only transfer Customer Personal Data to a Third Party Solution or other third parties appointed by Customer on written instructions from Customer. Customer must notify Unleash and update Schedule 2 relating to any extra categories of Customer Personal Data that Unleash will process on behalf of Customer due to such integration.
12.3 With regard to Third Party Solutions, Customer acknowledges and agrees that:
(a) Unleash has no contractual relationship with such third parties, and no responsibility for Customer Personal Data once such a transfer commences, nor for the duration such third party holds the relevant data. Unleash does not audit the adequacy or otherwise confirm the security or organizational measures employed by such third parties, which is Customer’s sole responsibility.
(b) Customer is responsible for ensuring that Customer’s and Unleash’s use of the Services and integration with a Third Party Solution complies with any service terms of the applicable Third Party Solution. Unleash is not required to maintain Customer Personal Data collected in breach of any relevant data protection or other Applicable Laws.
(c) Unleash makes no representations as to the appropriateness or legality of Customer’s choice to permit such third parties to have access to Customer Personal Data, and Customer is responsible for ensuring that it has all requisite consents and has provided any required notices to data subjects with respect to this processing of their data. Unleash is not responsible for the processing of Personal Data by Third Party Solutions or other third parties appointed by Customer.
(d) Unleash hereby disclaims all responsibility for the actions of such third parties or for loss, damages or claims arising because of deploying integration code facilitating transfer of Customer Personal Data or making a transfer of Customer Personal Data on Customer’s behalf. Unleash makes no representations or warranties as to the suitability of such third party for receipt of Customer Personal Data nor of the suitability of the Third Party Solutions to process Personal Data.
Schedule 2: Processing, personal data and data subjects
1 Particulars of processing
1.1 Scope: Customer Data on the Unleash Platform that is personal data.
1.2 Nature: Activities of Users on the Unleash Platform.
1.3 Purpose of processing: The customer PII is needed in order to contact our users while solving incidents on their service and collecting feedback on their user experience. Both situations are critical to help Unleash improve customer satisfaction.
1.4 Duration of the processing: Duration of this agreement plus period during which Customer may elect to have Customer Personal Data deleted or returned by Unleash.
1.5 Types of personal data: Platform: User, Authentication successful, log information, audit trail, IP address,
(a) Authentication of Users accessing Unleash’s service management web interface, where User emails are used to authorize access throughout the lifetime of the User session
(b) Evaluation of end-user user session information that may contain personal data, e.g. user ids or any other personal data, explicitly provided by Customer end-user web or mobile applications via Unleash integration points, where the personal data, if any, may be a requirement for Unleash Services to work as configured by the Company.
(c) Only the configuration is exposed to the Services, and evaluations happen in Customer applications and/or services with the help of client SDKs. This means in practice that only a very tiny subset of userIds is actually exposed to Unleash.
(d) Proxy (optional): Information on End User to the Customer’s product, browser, ID, local IP.
(e) fields created by the Customer to target End Users
(f) The Customer should be aware that if they enter personal data via the Unleash Admin UI or API as part of the Unleash activation strategy or strategy constraints management, Unleash must be notified of such additional personal data processed and an update to this Schedule provided to Unleash.
1.6 Categories of data subject:
Users and End Users