Grouparoo Data Processing Addendum

Last Updated October 13, 2021

This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, Master Terms and Conditions, or other written or electronic agreement (“Agreement”) between Grouparoo, Inc. (“Grouparoo”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA applies to the extent Grouparoo’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.

1. Definitions

   1.1. For the purposes of this DPA:

   1.1.1. “CCPA” means the California Consumer Privacy Act and its implementing regulations;

   1.1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;

   1.1.3. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA;

   1.1.4. “Data Protection Laws” means all laws relating to data protection and privacy applicable to Grouparoo’s Processing of Customer Personal Data, including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018, and applicable privacy and data protection laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;

   1.1.5. “Data Subjects” means the individuals identified in Schedule 1;

   1.1.6. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;

   1.1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);

   1.1.8. “Personal Data”, “Personal Data Breach” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;

   1.1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller;

   1.1.10. “Sell” has the meaning given in the Data Protection Laws; and

   1.1.11. “UK SCCs” means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission’s decision (C(2010)593) of 5 February 2010.

   1.1.12. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2. Processing of Customer Personal Data

   2.1. The parties acknowledge and agree that Customer is the Controller or Processor of Customer Personal Data and Grouparoo is a Processor of Customer Personal Data. Grouparoo will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Service. Grouparoo is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement. Grouparoo shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; or (2) Sell Customer Personal Data. Grouparoo certifies that it understands and will comply with the restrictions contained in this Section 2.1.

   2.2. Grouparoo will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws.

   2.3. The details of Grouparoo’s Processing of Customer Personal Data are described in Schedule 1.

   2.4. If applicable laws preclude Grouparoo from complying with Customer’s instructions, Grouparoo will inform Customer of its inability to comply with the instructions, to the extent permitted by law.

   2.5. Each of Customer and Grouparoo will comply with their respective obligations under the Data Protection Laws.

3. Cross-Border Transfers of Personal Data

   3.1. With respect to Customer Personal Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Customer to Grouparoo, the parties agree to comply with the general clauses and, where Customer is a Controller of Customer Personal Data, with “Module Two” (Controller to Processor) and where Customer is a Processor of Customer Personal Data with “Module Three” (Processor to Processor) of the EU SCCs, which are incorporated herein by reference.

   3.2. For purposes of the EU SCCs the parties agree that:

   3.2.1. Customer shall act and comply with the obligations, and shall have the rights, of the “data exporter” under the EU SCCs, and Grouparoo shall act and comply with the obligations of the “data importer” under the EU SCCs;

   3.2.2. In Clause 7, the optional docking clause will not apply;

   3.2.3. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 5.1 of this DPA;

   3.2.4. In Clause 11, the optional language will not apply;

   3.2.5. For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;

   3.2.6. For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;

   3.2.7. For the purposes of Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller or Processor, and Grouparoo is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;

   3.2.8. For the purposes of Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Grouparoo’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs, Clause 12 of the UK SCCs, and this DPA; (iv) Grouparoo uses sub-Processors to support the provision of the Services. A list of sub-Processors and the nature of the Processing activities can be found at Grouparoo’s Authorized Sub-Processor Page.

   3.2.9. For the purposes of Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Grouparoo. If Customer does not communicate a competent supervisory authority to Grouparoo, the competent supervisory authority shall be the Irish Data Protection Commission.

   3.2.10. For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described at Grouparoo’s Security Page or as otherwise made reasonably available by Customer to Grouparoo.

   3.3. If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection, the following provisions apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the “GDPR” in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection.

   3.4. With respect to transfers from Customer to Grouparoo of Customer Personal Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the purposes of the UK SCCs: (i) Customer shall act as and comply with the obligations of the “data exporter”, and Grouparoo shall act as and comply with the obligations of the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for the purposes Appendix 1 to the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this DPA; and (vi) for the purposes Appendix 2 to the UK SCCs, the security measures are as described at Grouparoo’s Security Page or as otherwise made reasonably available by data importer to the data exporter. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR. The UK SCCs will apply only until such time as the Information Commissioner’s Office issues new standard contractual clauses under the UK GDPR. Once approved, the parties shall work together, in good faith, to enter into an updated version of the UK SCCs or negotiate an alternative solution to enable transfers of Customer Personal Data in compliance with Data Protection Laws.

4. Confidentiality and Security

   4.1. Grouparoo will require Grouparoo’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.

   4.2. Grouparoo will implement commercially reasonable technical and organisational measures, as further described at Grouparoo’s Security Page, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

   4.3. To the extent required by Data Protection Laws, Grouparoo will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.

5. Sub-Processing 5.1. Customer agrees that Grouparoo may engage sub-Processors to Process Customer Personal Data on Customer's behalf. The agreed list of sub-Processors currently engaged by Grouparoo and authorized by Customer are available at Grouparoo’s Authorized Sub-Processor Page (the “Authorized Sub-Processors”). Grouparoo will inform Customer of any intended changes concerning the addition or replacement of any Authorized Sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within fifteen days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.

   5.2. Grouparoo will impose on its Authorized Sub-Processors substantially the same obligations that apply to Grouparoo under this DPA. Where any of its Authorized Sub-Processors fails to fulfil its data protection obligations, Grouparoo will be liable to Customer for the performance of its Authorized Sub-Processors’ obligations.

   5.3. The parties agree that the copies of the Authorized Sub-Processor agreements that must be provided by Grouparoo to Customer pursuant to Clause 9(c) of the EU SCCs and Clause 5 of the UK SCCs, if applicable, may have commercial information or clauses unrelated to the EU or UK SCCs removed by Grouparoo beforehand; and, that such copies will be provided by Grouparoo, in a manner to be determined in its discretion, only upon Customer’s written request.

6. Data Subject Rights

   Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Grouparoo receives any Requests during the term, Grouparoo will advise the Data Subject to submit the request directly to Customer or the appropriate Controller. Grouparoo will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.

7. Personal Data Breaches

   Grouparoo will notify Customer without undue delay after it becomes aware of any Personal Data Breach affecting any Customer Personal Data. At Customer’s request, Grouparoo will reasonably assist Customer’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Grouparoo’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Grouparoo or any fault or liability with respect to the Personal Data Breach.

8. Data Protection Impact Assessment; Prior Consultation

   Grouparoo will reasonably assist Customer in conducting data protection impact assessments and consultation with data protection authorities, if Customer is required to engage in such activities under applicable Data Protection Laws, and solely to the extent that such assistance is necessary and relates to the Processing by Grouparoo of Customer Personal Data, taking into account the nature of the Processing and the information available to Grouparoo.

9. Deletion of Customer Personal Data

Customer instructs Grouparoo to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, Grouparoo may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Grouparoo maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.

10. Audits

    10.1. Customer may audit Grouparoo’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Grouparoo suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Grouparoo’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Grouparoo will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.

    10.2. To request an audit, Customer must submit a detailed proposed audit plan to legal@grouparoo.com at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Grouparoo will review the proposed audit plan and provide Customer with any concerns or questions (for example, Grouparoo may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Grouparoo confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date.  Nothing in this Section 10 shall require Grouparoo to breach any duties of confidentiality.

    10.3. Grouparoo may object to third party auditors that are, in Grouparoo’s reasonable opinion, not suitably qualified or independent, a competitor of Grouparoo, or otherwise manifestly unsuitable.  Such objection by Grouparoo will require Customer to appoint another auditor or conduct the audit itself.

    10.4. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Grouparoo’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Grouparoo confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the report.

    10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Grouparoo’s health and safety or other relevant policies and may not unreasonably interfere with Grouparoo business activities.

    10.6. Any audits are at Customer’s expense and Customer will promptly disclose to Grouparoo any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.

    10.7. The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10.

11. Analytics Data

    Customer acknowledges and agrees that Grouparoo may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for Grouparoo’s other legitimate business purposes.

12. Liability

    12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

    12.2. Customer acknowledges that Grouparoo is reliant on Customer for direction as to the extent to which Grouparoo is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Grouparoo will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Grouparoo in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.

13. General Provisions

    With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the EU or UK SCCs, the EU OR UK SCCs will prevail.

SCHEDULE 1

Details of Processing

1. Categories of Data Subjects. This DPA applies to the Processing of Customer Personal Data relating to Customer’s customers, marketing leads, and other individuals whose Personal Data is contained in Customer’s databases (“Data Subjects”).
2. Types of Personal Data. The extent of Customer Personal Data Processed by Grouparoo is determined and controlled by Customer in its sole discretion and includes names, email addresses, phone numbers, physical addresses, billing information, occupation related information, and any other Personal Data that may be transmitted through the Service by Data Subjects. The Service is not intended to process sensitive data or special categories of data as defined by applicable Data Protection Laws. Customer Personal Data does not include Telemetry Data.
3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Grouparoo is the provision of the Service to Customer. Customer Personal Data will be subject to those Processing activities which Grouparoo needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing. Customer Personal Data will be Processed by Grouparoo for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.