This Data Processing Agreement (‘DPA’) is an addendum to and forms part of the Terms of Service, as applicable (‘Main Agreement’), under which Unleash provides services (‘Services’) to Customer.
Capitalized terms used in this DPA have the meaning set forth herein. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Main Agreement. Terms that are not capitalized are interpreted in accordance with applicable data protection and privacy laws.
This DPA does not change the terms of the Main Agreement but only supplements the Main Agreement for purposes of personal data processing.
Schedule 1: Data Processing Agreement
1 For the purposes of this Data Processing Agreement (‘DPA’), the terms controller, processor, data subject, personal data, personal data breach, and processing shall have the meaning given to them in the EU GDPR.
2 Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This DPA is in addition to and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws.
3 The parties have determined that for the purposes of Applicable Data Protection Laws:
3.1 Unleash shall process the personal data as described in Schedule 2 as processor on behalf of the Customer; and
3.2 Unleash shall act as controller of the personal data ancillary to the Services, such as personal data processed in connection with its sales, marketing or administration activities.
4 Should the determination in section 3 change or the type of data processed during the course of the agreement change, the parties shall use all reasonable endeavours to make any changes that are necessary to this DPA and Schedule 2.
5 Customer is not permitted to process sensitive personal data nor data which attracts elevated processing risks such as children’s data, national ID numbers, payment card data, etc., without prior notification to Unleash and Customer’s provision of an updated Schedule 2 to Unleash which describes the processing. Unleash disclaims all responsibility for any processing of such personal data which occurs where Unleash has not been notified.
6 If Customer is processing the personal data described in section 5, Unleash may choose to suspend the Services or terminate this agreement with no further liability nor obligation to Customer.
7 Unleash is under no obligation to provide the Services where the Customer’s use of the Services is not in compliance with Applicable Data Protection Laws.
8 Without prejudice to the generality of section 2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Unleash Personal Data and Customer Personal Data to Unleash and, where relevant, its affiliates and lawful collection of the same by Unleash for the duration and purposes of this agreement.
9 In relation to the Customer Personal Data, Schedule 2 sets out the scope, nature and purpose of processing by Unleash, the duration of the processing and the types of personal data and categories of data subject.
10 Without prejudice to the generality of section 2, Unleash shall, in relation to Customer Personal Data:
10.1 process that Customer Personal Data only on the documented instructions of the Customer unless Unleash is required by applicable laws to otherwise process that Customer Personal Data (Purpose). Where Unleash is relying on applicable laws as the basis for processing Customer Personal Data, Unleash shall notify the Customer of this before performing the processing required by the applicable laws unless those applicable laws prohibit Unleash from so notifying the Customer on important grounds of public interest. Unleash shall inform the Customer if, in the opinion of Unleash, the instructions of the Customer infringe Applicable Data Protection Laws;
10.2 implement the technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
10.3 ensure that any personnel engaged and authorised by Unleash to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
10.4 assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Unleash), and at the Customer’s cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
10.5 notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
10.6 at the written direction of the Customer provided within 30 days of termination of the agreement, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless Unleash is required by Applicable Law to continue to process that Customer Personal Data. If no direction is provided by Customer within 30 days of termination of the agreement, the Customer Personal Data shall be deleted. For the purposes of this clause, Customer Personal Data shall be considered deleted where it is put beyond further use by Unleash; and
10.7 maintain records to demonstrate its compliance with this DPA, and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice.
10.8 The Customer provides its prior, general authorisation for Unleash to appoint processors to process the Customer Personal Data, provided that Unleash:
(a) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on Unleash in this DPA;
(b) shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of Unleash; and
(c) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, and Customer shall have 21 days to object to such changes. If Customer fails to object to such change within this time, Customer is deemed to have consented to such change. If the Customer objects to the changes within such 21-day period and an amicable resolution of the objection fails, Customer, as its sole and exclusive remedy, may provide written notice to Unleash terminating the Main Agreement. Unleash will refund Customer any prepaid unused fees of such Services following the effective date of termination.
11 Transfer Mechanisms for Data Transfers:
11.1 Customer acknowledges that Unleash may process Personal Data in countries outside the EEA, Switzerland and the United Kingdom (“European Countries”). Unleash will not transfer Personal Data (within the meaning of applicable European Data Protection Laws, as defined below) outside the European Countries, unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such Personal Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
11.2 If any Personal Data transfer between Customer and Unleash requires execution of EU Commission’s Standard Contractual Clauses (annexed to EU Commission Decision 2021/914/EU of 4 June 2021) (the “EU SCCs”) in order to comply with (11.1) above, the parties agree that the EU SCCs are hereby incorporated by reference and form part of this DPA, and each Party’s signature to this DPA shall constitute such Party’s signature to the EU SCCs, as required by European Data Protection Laws, as follows:
(a) EEA Transfers. In relation to Personal Data (i) Customer is the “data exporter” and Unleash is the “data importer”; (ii) the Module Two terms apply to the extent the Customer is a Controller of Personal Data and the Module Three terms apply to the extent the Customer is a Processor of Personal Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the section 10.8.c of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the Main Agreement or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
(b) UK Transfers. In relation to Personal Data that is subject to the UK GDPR, the EU SCCs will apply in accordance with sub-section (a) and the following modifications (i) the EU SCCs will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
(c) Swiss Transfers. In relation to Personal Data that is subject to the Swiss DPA, the EU SCCs will apply in accordance with sub-section (a) and the following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
11.3 For purposes of this Section 11, “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iv) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (v) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
12 Third Party Solutions appointed by Customer:
12.1 Customer may elect to subscribe to third party services that may integrate with the Services (Third Party Solutions).
12.2 Where Customer chooses to integrate with a Third Party Solution, this may entail providing Unleash with access to Personal Data held by such Third Party Solution, and may require the providers of such Third Party Solution to have access to Customer Personal Data. Unleash will only transfer Customer Personal Data to a Third Party Solution or other third parties appointed by Customer on written instructions from Customer. Customer must notify Unleash and update Schedule 2 relating to any extra categories of Customer Personal Data that Unleash will process on behalf of Customer due to such integration.
12.3 With regard to Third Party Solutions, Customer acknowledges and agrees that:
(a) Unleash has no contractual relationship with such third parties, and no responsibility for Customer Personal Data once such a transfer commences, nor for the duration such third party holds the relevant data. Unleash does not audit the adequacy or otherwise confirm the security or organizational measures employed by such third parties, which is Customer’s sole responsibility.
(b) Customer is responsible for ensuring that Customer’s and Unleash’s use of the Services and integration with a Third Party Solution complies with any service terms of the applicable Third Party Solution. Unleash is not required to maintain Customer Personal Data collected in breach of any relevant data protection or other Applicable Laws.
(c) Unleash makes no representations as to the appropriateness or legality of Customer’s choice to permit such third parties to have access to Customer Personal Data, and Customer is responsible for ensuring that it has all requisite consents and has provided any required notices to data subjects with respect to this processing of their data. Unleash is not responsible for the processing of Personal Data by Third Party Solutions or other third parties appointed by Customer.
(d) Unleash hereby disclaims all responsibility for the actions of such third parties or for loss, damages or claims arising because of deploying integration code facilitating transfer of Customer Personal Data or making a transfer of Customer Personal Data on Customer’s behalf. Unleash makes no representations or warranties as to the suitability of such third party for receipt of Customer Personal Data nor of the suitability of the Third Party Solutions to process Personal Data.
Schedule 2: Processing, personal data and data subjects
1 Particulars of processing
1.1 Scope: Customer Data on the Unleash Platform that is personal data.
1.2 Nature: Activities of Users on the Unleash Platform, and support services.
1.3 Purpose of processing: The customer PII is needed in order to contact our users while solving incidents on their service and collecting feedback on their user experience. Both situations are critical to help Unleash improve customer satisfaction.
1.4 Duration of the processing: Duration of this agreement plus period during which Customer may elect to have Customer Personal Data deleted or returned by Unleash.
1.5 Types of personal data: Platform: User, Authentication successful, log information, audit trail, IP address. Support services: name, email, phone number, job title.
(a) Authentication of Users accessing Unleash’s service management web interface, where User emails are used to authorize access throughout the lifetime of the User session.
(b) Evaluation of end-user user session information that may contain personal data, e.g. user ids or any other personal data, explicitly provided by Customer end-user web or mobile applications via Unleash integration points, where the personal data, if any, may be a requirement for Unleash Services to work as configured by the Company.
(c) Only the configuration is exposed to the Services, and evaluations happen in Customer applications and/or services with the help of client SDKs. This means in practice that only a very tiny subset of userIds is actually exposed to Unleash.
(d) Proxy (optional): Information on End User to the Customer’s product, browser, ID, local IP.
(e) Fields created by the Customer to target End Users.
(f) The Customer should be aware that if they enter personal data via the Unleash Admin UI or API as part of the Unleash activation strategy or strategy constraints management, Unleash must be notified of such additional personal data processed and an update to this Schedule provided to Unleash.
(g) The following data is normally shared by customers when submitting support requests to Unleash: name, email, phone number. This personal data is only used for the purpose of replying to customers about their support request status.
1.6 Categories of data subject:
Users and End Users