ActiveCampaign Data Processing Addendum
This Data Processing Addendum (“Addendum”) supplements the Terms of Service, located at https://www.activecampaign.com/tos/ (the “Agreement”), between the Client identified in the signature block below (“Client”) and ActiveCampaign, LLC (“Company”), is dated the later of (i) May 25, 2018 or (ii) the date of last signature of a party below, and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this Addendum will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum will govern. Client and Company agree as follows:
- Personal Information. In connection with providing the Services, Company will be Processing Personal Information on behalf of Client. “Personal Information” means information that relates, directly or indirectly, to an identified or identifiable person (a “Data Subject”), which may include names, email addresses, postal addresses, or online identifiers, that Client provides or submits in connection with using the Services. Specific categories of Personal Information that Company will Process in connection with the Agreement are set forth in Schedule 1 (Scope of Processing). As between Client and Company, all Personal Information is the sole and exclusive property of Client.
- Company and Client Responsibilities. The parties acknowledge and agree that: (a) Company is a processor of Personal Information under Applicable Law (defined below); (b) Client is a controller of Personal Information under Applicable Law; and (c) each party will comply with the obligations applicable to it under Applicable Law with respect to the Processing of Personal Information.
- Company Responsibilities. As part of the Services, Company will use commercially reasonable efforts to Process Personal Information. “Process” or “Processing” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as the access, collection, use, storage, disclosure, dissemination, combination, recording, organization, structuring, adaption, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure and/or destruction of Personal Information. Company will use commercially reasonable efforts to:
  - Process Personal Information solely in accordance with Client’s documented instructions;
  - Process Personal Information in accordance with laws, rules, and regulations that apply to Company’s provision, and Client’s use, of the Services, including the General Data Protection Regulation (EU) 2016/679 (“GDPR,” and collectively, “Applicable Law”);
  - not disclose or otherwise make available in any form any Personal Information to any third party without first, except to the extent prohibited by Applicable Law, (i) notifying Client of the anticipated disclosure (so as to provide Client the opportunity to oppose the disclosure and obtain a protective order or seek other relief); (ii) obtaining Client’s prior consent to the disclosure; and (iii) imposing contractual obligations on the third party recipient that are at least equivalent to those obligations imposed on Company under this Addendum;
  - amend, correct, or erase Personal Information at Client’s written request and provide a means for Client to update and make accurate Personal Information Processed by Company;
  - notify Client of any third party request (by a Data Subject or otherwise) to (i) restrict the Processing of Personal Information; (ii) port Personal Information to a third party; or (iii) access, rectify, or erase Personal Information. Company will use commercially reasonable efforts to assist Client, at Client’s reasonable written request, in complying with Client’s obligations to respond to requests and complaints directed to Client with respect to Personal Information Processed by Company;
  - at the reasonable written request of Client, cooperate and assist Client in conducting a data protection impact assessment;
  - ensure that Company personnel Processing Personal Information are subject to obligations of confidentiality; and
  - keep all Personal Information compartmentalized or otherwise logically distinct from other information of Company or its personnel, suppliers, customers or other third parties.
Company will use commercially reasonable efforts to inform Client if Company becomes aware or reasonably suspects that Client’s instructions regarding the Processing of Personal Information may breach any Applicable Law.
- Subcontractors. Company will not engage another processor to process Client’s Personal Information without authorization from Client. Company will be responsible to Client for any material failure of such processor to fulfill Company’s data protection obligations as set forth in this Agreement. Client hereby provides its general written authorization for Company’s use of subcontractors to Process Personal Information on behalf of Client, including those identified at https://www.activecampaign.com/subprocessors, which may be updated from time to time by Company. Client consents to any such updates.
- Data Transfers. Company will use commercially reasonable efforts not to transfer, or cause to be transferred, any Personal Information from one jurisdiction to another without Client’s prior written consent. Where Client consents to such transfer, the transfer will be in accordance with Applicable Law. Company has certified its compliance to the EU-U.S. Privacy Shield Framework Principles (collectively, the “Principles”) with the U.S. Department of Commerce (the “Department”). Company will provide commercially reasonable assistance to Client in responding to requests from the Department or other applicable data protection regulators in the U.S. and European Union related to compliance with the Principles. Upon request of the Department, Company may disclose the terms of this Addendum to the Department.
- Security Safeguards. Company will use commercially reasonable efforts to implement and maintain appropriate technical and organizational measures consistent with industry standards to protect and ensure the confidentiality and integrity of Personal Information.
- Records and Audits. Company will keep at its normal place of business records of its Processing of Client Personal Information. At Client’s reasonable request and with advance written notice, Company will use commercially reasonable efforts to make available to Client such records and information as is necessary to demonstrate its compliance with Applicable Law with respect to Personal Information and allow Client or an independent third party to conduct an audit to verify such compliance. Any such audit will be conducted (a) on reasonable advance written notice to Company; (b) no more than once per year; (c) during Company’s standard business hours; and (d) in such a manner to minimize disruption to Company’s operations. Any information provided by Company in connection with such audit must be protected as Company’s confidential information subject to a separate non-disclosure agreement entered into between Company and the recipient of such information before such audit. To request an audit, Client must submit a detailed audit plan at least 90 days in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Client will bear the costs of such audit.
- Security Breach. If Company has actual or constructive notice of any actual or potential Security Breach (defined below), Company will take commercially reasonable efforts to, without undue delay: (a) notify Client of the Security Breach and any third-party legal processes relating to the Security Breach; (b) help Client investigate, remediate, and take any necessary action regarding the Security Breach and any dispute, inquiry, investigation, or claim concerning the Security Breach; and (c) provide Client with assurance that such Security Breach will not recur. “Security Breach” means any unauthorized access to Company owned or controlled networks or systems where Personal Information resides or any misuse or unlawful or accidental loss, destruction, alteration, or unauthorized Processing of Personal Information under Company’s possession or control. The obligations in this Section do not apply to incidents that are caused by Client or Client’s personnel or users.
- Return or Destruction of Personal Information. Upon written request by Client or when Company no longer is required to Process Personal Information to fulfill its obligations under the Agreement, Company will use commercially reasonable efforts to (a) cease all use of Personal Information; and (b) return all Personal Information to Client or, at Client’s option, destroy all Personal Information and all copies thereof, except to the extent that Company is required under Applicable Law to keep a copy of Personal Information for a specified period of time.
- DISCLAIMER. COMPANY MAKES NO REPRESENTATION OR WARRANTY THAT THIS ADDENDUM IS LEGALLY SUFFICIENT TO MEET CLIENT’S NEEDS UNDER APPLICABLE LAW, INCLUDING THE GDPR. COMPANY EXPRESSLY DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, THROUGH A COURSE OF DEALING, OR OTHERWISE THAT THIS ADDENDUM WILL COMPLY WITH OR SATISFY ANY OF CLIENT’S OBLIGATIONS UNDER APPLICABLE LAW, INCLUDING THE GDPR. CLIENT FULLY UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE FOR COMPLYING WITH ALL OF ITS OBLIGATIONS IMPOSED BY APPLICABLE LAW. THE PARTIES AGREE THAT THERE WILL BE NO PRESUMPTION THAT ANY AMBIGUITIES IN THIS ADDENDUM WILL BE CONSTRUED OR INTERPRETED AGAINST THE DRAFTER.
SCHEDULE 1
Scope of Processing
Subject Matter of Processing: The context for the Processing of Personal Information is Company’s provision of Services under the Agreement.
Duration of Processing: The Processing will begin on the effective date of the Agreement and will end upon expiration or termination of the Agreement.
Nature and Purpose of Processing: Company specializes in the development of email marketing, marketing automation, sales, CRM, contact management, and business marketing services. Client, as a client of Company, uses the Services to process Personal Information of its customers or contacts for marketing and related customer relationship management purposes. Company stores the Personal Information on its servers and processes such Personal Information only for the purposes of, and in accordance with, the instructions of Client and does not make any decisions itself as to the use, updating, or deletion of Personal Information.
Types of Personal Information: The Personal Information concerns the following categories of data: contact details including name, address, telephone or mobile number, fax number and email address; date of birth; personal bank account details; details of goods and/or services which customers/potential customers have purchased or inquired about; IP address; place of employment; occupation; personal interests; age; and other Personal Information collected and provided by Client in connection with Client’s use of the Services.
Categories of Data Subjects: The Personal Information transferred concerns the following categories of data subjects: customers and prospective customers of Client and other marketing contacts determined by Client in connection with Client’s use of the Services.