This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement between Customer and Kyndi (the “Agreement”) to which it is attached, to reflect the parties’ agreement with regard to the Processing of Customer Data, including Personal Data, in accordance with the requirements of Data Protection Laws and Regulations. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Kyndi may Process Personal Data on behalf of Customer and Kyndi agrees to comply with the following provisions with respect to any Personal Data.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to: (a) an identified or identifiable person; and (b) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where such data is submitted to the Services as Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Standard Contractual Clauses” means the agreement executed by and between Customer and Kyndi, Inc. and attached hereto as Attachment 1 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-processor” means any Data Processor engaged by Kyndi.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller, Kyndi is a Data Processor and may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 Kyndi’s Processing of Personal Data. Kyndi shall only Process Personal Data on behalf of and in accordance with Customer’s instructions and shall treat Personal Data as Confidential Information. Customer instructs Kyndi to Process Personal Data for the following purposes: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Users in their use of the Services; and (c) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3. RIGHTS OF DATA SUBJECTS
3.1 Correction, Blocking and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, Kyndi shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent Kyndi is legally permitted to do so. To the extent legally permitted, Customer shall be responsible for any costs arising from Kyndi’s provision of such assistance.
3.2 Data Subject Requests. Kyndi shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Kyndi shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer, to which Customer hereby agrees. Kyndi shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Services. If legally permitted, Customer shall be responsible for any costs arising from Kyndi’s provision of such assistance.
4. KYNDI PERSONNEL
4.1 Confidentiality. Kyndi shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
4.2 Limitation of Access. Kyndi shall ensure that Kyndi’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.3 Data Protection Officer. Kyndi has appointed a data protection officer to the extent this is required by Data Protection Laws and Regulations. Upon request, Kyndi will provide the contact details of the appointed person.
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that: (a) Kyndi’s Affiliates may be retained as Sub-processors; and (b) Kyndi and Kyndi’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Kyndi will only disclose Personal Data to Sub-processors that are parties to written agreements with Kyndi including obligations no less protective than the obligations of this DPA. Kyndi will, following the Customer’s written request, provide to the Customer the names of its Sub-processors processing the Personal Data and the countries outside of the European Union in which such data is or may be processed, provided that such request will not be made more than once in each calendar year.
5.2 Liability. Kyndi shall be liable for the acts and omissions of its Sub-processors to the same extent Kyndi would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
Controls for the Protection of Personal Data. Kyndi shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, including Personal Data. Kyndi regularly monitors compliance with these safeguards. Kyndi will not materially decrease the overall security of the Services during the subscription term.
7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
Kyndi maintains security incident management policies and procedures and shall, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized disclosure of Customer Data, including Personal Data, by Kyndi or its Sub-processors of which Kyndi becomes aware (a “Security Breach”). To the extent such Security Breach is caused by a violation of the requirements of this DPA by Kyndi, Kyndi shall make reasonable efforts to identify and remediate the cause of such Security Breach.
8. RETURN AND DELETION OF CUSTOMER DATA
Kyndi shall return Customer Data to Customer and delete Customer Data in accordance with the procedures and timeframes specified in the Agreement.
9. ADDITIONAL TERMS FOR EU PERSONAL DATA
9.1 Application of Standard Contractual Clauses. The Standard Contractual Clauses in Attachment 1 (the “Standard Contractual Clauses”) and the additional terms in this Section 9 will apply to the Processing of Personal Data by in the course of providing the Services listed in Appendix 3 to the Standard Contractual Clauses (the “SCC Services”):
9.1.1 The Standard Contractual Clauses apply only to Personal Data that is transferred from the European Economic Area and/or Switzerland to outside the European Economic Area and Switzerland, either directly or via onward transfer, to any country or recipient: (a) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive); and (b) not covered by a suitable framework (e.g. Binding Corporate Rules for Processors) recognized by the relevant authorities or courts as providing an adequate level of protection for personal data.
9.1.2 The Standard Contractual Clauses apply to: (a) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and (b) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area and Switzerland which have signed Order Forms for the SCC Services. For the purpose of the Standard Contractual Clauses and this Section 10, the aforementioned entities shall be deemed “Data Exporters”. Notwithstanding that RingCentral UK is the Data Exporter of record, RingCentral UK may delegate transfer of Personal Data specified in Appendix 1 to its parent company, RingCentral, Inc.
9.2 Instructions. This DPA and the Agreement are Customer’s complete and final instructions to Kyndi for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data: (a) Processing in accordance with the Agreement and applicable Order Form(s); and (b) Processing initiated by Users in their use of the SCC Services.
9.3 Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that: (a) Kyndi’s Affiliates may be retained as Sub-processors; and (b) Kyndi and Kyndi’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the SCC Services.
9.4 List of Current Sub-processors and Notification of New Sub-processors. Kyndi shall make available to Customer a list of Sub-processors for the respective SCC Services with the identities of those Sub-processors (“Sub-processor List”). Kyndi shall provide Customer with a mechanism to subscribe to updates to the relevant Sub-processor List, to which Customer shall subscribe, and Kyndi shall provide such updates before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the SCC Services.
9.5 Objection Right for new Sub-processors. If Customer is legally prohibited from consenting to Kyndi’s use of a new Sub-processor, then Customer will notify Kyndi of such prohibition in writing within 10 business days after receipt of Kyndi’s notice. Kyndi will use reasonable efforts to make available to Customer a change in the affected Products and/or Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Products and/or Services to avoid processing of Personal Data by said new Sub-processor. If Kyndi is unable to make available such change within a reasonable period of time, which shall not exceed 60 days, then Customer may terminate any applicable Agreement in respect only to those Products and/or Services that cannot be provided by Kyndi without the use of the objected-to new Sub-processor, by providing written notice to Kyndi. Customer shall receive a pro-rated refund of any prepaid fees for such licenses or Services for the period following the effective date of termination.
9.6 Audits and Certifications. The parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications:
Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Kyndi shall make available to Customer that is not a competitor of Kyndi (or Customer’s independent, third-party auditor that is not a competitor of Kyndi) information regarding Kyndi’s compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits to the extent Kyndi makes them generally available to its customers. Customer may contact Kyndi in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Customer shall reimburse Kyndi for any time expended for any such on-site audit at Kyndi’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Kyndi shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Kyndi. Customer shall promptly notify Kyndi with information regarding any non-compliance discovered during the course of an audit.
9.7 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) shall be provided by Kyndi to Customer only upon Customer’s request.
9.8 Conflict. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses in Attachment 1, the Standard Contractual Clauses shall prevail.
10. LIMITATION OF LIABILITY
Each party’s and its Affiliates’ liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to the section ‘Limitation of Liability’ of the Agreement, and any reference in such section to the liability of a party means that party and its Affiliates in the aggregate.