KICKSERV DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “DPA”) forms part of the subscription agreement set forth at www.kickserv.com/ (“Subscription Agreement”) between Kickserv Inc. (“Kickserv”) and the person or entity who acquires the Service under the Subscription Agreement (“Customer”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data. All capitalized terms not defined herein will have the meaning set forth in the Subscription Agreement.
DATA PROCESSING TERMS
In the course of providing Kickserv's field service business software and related services (the “Service”) to Customer pursuant to the Subscription Agreement, Kickserv may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions with respect to Personal Data Processed by Kickserv as part of the Service for Customer.
“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data” means any information relating to a Data Subject.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Personnel” means persons authorized by Kickserv to Process Customer’s Personal Data.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Standard Contractual Clauses” means the annex to the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
Scope and Roles. This DPA applies when Personal Data is Processed by Kickserv as part of Kickserv’s provision of the Service. In this context and for the purposes of the GDPR, Customer is the data controller and Kickserv is the data processor.
Subject Matter, Duration, Nature and Purpose of Processing. Kickserv processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Subscription Agreement.
Type of Personal Data and Categories of Data Subjects. In delivering the Service, Kickserv will process the types of Personal Data that Customer and its authorized users upload to the Service. Such Personal Data may include, depending on Customer’s use of the Service, name (first and last), contact information (e.g., postal address (personal, business, and/or shipping), telephone number, email address), geolocation data, financial information, credit or debit card number, consumer report information, device-level data and information on a Data Subject’s use of Customer’s services, such as the type of services, date and time of use and cost and reporting information.
Instructions for Kickserv’s Processing of Personal Data. Kickserv will only Process Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs Kickserv to Process Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the Subscription Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Subscription Agreement. Customer undertakes to provide Kickserv with lawful instructions only. Kickserv will inform Customer immediately if, in Kickserv's opinion, an instruction infringes any provision under the GDPR, and will be under no obligation to follow such instruction until the matter is resolved in good faith between the parties. As required under the GDPR, Customer will provide all necessary notices to relevant Data Subjects and secure all necessary permissions and consents from them for the Processing of Personal Data by Kickserv pursuant to this DPA.
Taking into account the nature of the Processing, Kickserv will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subjects' rights under the GDPR. Kickserv will further assist Customer in ensuring compliance with Customer's obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer's data protection impact assessments and Customer's prior consultation with supervisory authorities, in relation to Kickserv's Processing of Personal Data under this DPA. Except for negligible costs, Customer will reimburse Kickserv for costs and expenses incurred by Kickserv in connection with providing assistance to Customer under this DPA.
Limitation of Access. Kickserv will ensure that Kickserv’s access to Personal Data is limited to those personnel who require such access to perform the Services pursuant to the Subscription Agreement.
Confidentiality. Kickserv will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Kickserv will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Kickserv will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
Kickserv may engage third-party service providers to process Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Kickserv with a general authorization to engage the Other Processors listed in Exhibit A to this Agreement.
All Other Processors have entered into written agreements with Kickserv that bind them by substantially the same material obligations under this DPA. Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Personal Data under this DPA, Kickserv will remain fully liable to Customer for the performance of that Other Processor's obligations. Kickserv may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer's behalf. Customer may object to the Processing of Customer's Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Kickserv's written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Kickserv a written objection notice, the parties will make a good-faith effort to resolve Customer's objection. In the absence of a resolution, Kickserv will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer's Personal Data.
1.1. Subject to this Section 6, Customer consents to transfers of Personal Data to Kickserv, Kickserv’s Affiliates and their respective Sub-processors based in countries outside the European Economic Area (the “EEA”). Where Kickserv transfers Personal Data, either directly or via onward transfer, from the EEA to a recipient outside the EEA in a country not recognized by the European Commission as providing an adequate level of protection for personal data (“Third Country Recipient”), such transfer shall be covered by a framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including but not limited to Standard Contractual Clauses, binding corporate rules or the EU-US Privacy Shield Framework (each a “Data Transfer Mechanism”).
1.2. If Kickserv elects to apply the Standard Contractual Clauses pursuant to Section 6.1: if required by Kickserv, Customer shall sign a copy of the Standard Contractual Clauses and take such further action as is required by applicable law to ensure that the Standard Contractual Clauses are legally valid; if the Processing under the Standard Contractual Clauses can subsequently be performed under an alternative Data Transfer Mechanism, then the Standard Contractual Clauses shall automatically terminate effective as of the date that such alternative Data Transfer Mechanism takes effect in respect of such Processing, and Customer shall execute such documents or acknowledgements as Kickserv may reasonably request to evidence such termination; the parties agree to amend the Standard Contractual Clauses if required in accordance with a relevant European Commission decision or Data Protection Laws; the parties agree that the prior written consent to the engagement of sub-processors required by Clause 5(h) of the Standard Contractual Clauses has been given pursuant to clause 10.1 of this DPA; the parties agree that Section 9 of this DPA shall satisfy the audit requirements of the Standard Contractual Clauses applied to a Data Importer (as defined in the GDPR) under Clause 5(f) and to any sub-processors under Clause 11 and Clause 12.
Controls. Kickserv will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer's Personal Data, pursuant to the technical and organizational measures set forth in Exhibit B. Kickserv regularly monitors compliance with these safeguards. Kickserv will not materially decrease the overall security of the Service during the term of providing the Service to the Customer under the Subscription Agreement. Customer has assessed the level of security appropriate to the Processing in the context of its obligations under the GDPR and all other mandatory laws and regulations of the European Union, the EEA and their member states and the United Kingdom, applicable to the parties’ Processing of Personal Data under the Agreement (collectively, “Data Protection Laws”) and agrees that the security measures set out in Exhibit B are consistent with such assessment.
PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
Kickserv will maintain security incident management policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer's Personal Data which Kickserv, or any of Kickserv's Other Processors, Process. Kickserv's notice will at least: (a) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of Kickserv's data protection team, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Kickserv to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Kickserv will work diligently, pursuant to its incident management policies and procedures, to promptly identify and remediate the cause of the Personal Data Breach and will inform Customer accordingly.
Kickserv's liability for a Personal Data Breach toward Customer and any third party is subject to the following limitations: (a) the Personal Data Breach is a result of a breach of Kickserv's information security obligations under this DPA; and (b) the Personal Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer (collectively "Customer Representatives"); (ii) Customer Representatives' instructions to Kickserv; (iii) willful, deliberate or malicious conduct by a third party; or (iv) acts of God or force majeure, including, without limitation, acts of war, terror, state-supported attacks, acts of state or governmental action prohibiting or impeding Kickserv from performing its information security obligations under the Agreement, and natural and man-made disasters.
AUDIT AND DEMONSTRATION OF COMPLIANCE
Kickserv will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 of the GDPR in relation to the Processing of Personal Data under this DPA by Kickserv and its Other Processors. Kickserv will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Kickserv's obligations under this DPA. Kickserv may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Kickserv, at least forty-five (45) days in advance, and will be performed not more than once a year (except for an audit following a Personal Data Breach); (ii) the auditor will execute a non-disclosure and non-competition undertaking toward Kickserv; (iii) the auditor will not have access to non-Customer data; (iv) Customer will make sure that the audit will not interfere with or damage Kickserv's business activities and information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the audit; (vi) Customer will receive only the auditor's report, without any Kickserv 'raw data' materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; (vii) at the request of Kickserv, Customer will provide it with a copy of the auditor's report; and (viii) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.
DELETION OF PERSONAL DATA
1.1. At the choice of Customer, Kickserv will delete or return all Customer's Personal Data to Customer after the end of the provision of Services relating to Processing of Customer's Personal Data, and delete existing copies unless a law of the European Union or an EU member state requires the storage of the Personal Data. If Kickserv does not receive a request in writing to return Customer’s Personal Data, Kickserv will delete all such Personal Data within 30 days following the end of the provision of Services relating to Processing of Customer's Personal Data.
ANONYMIZED AND AGGREGATED DATA
Kickserv may process data based on extracts of Personal Data in an aggregated and non-identifiable form, for Kickserv's legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Kickserv's discretion.
The parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commencing legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within two (2) business days after delivery of the notice, the receiving party will submit to the other party a written response. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
This DPA takes effect on the effective date of the Subscription Agreement to which it relates and will continue until the Subscription Agreement expires or is terminated.
Kickserv is responsible for ensuring that all relevant Kickserv personnel adhere to this DPA. Kickserv's compliance and privacy team can be reached at: firstname.lastname@example.org
Customer and Kickserv have caused this Data Processing Addendum to be executed by their duly authorized representatives as of the last date set forth below.
Customer: Kickserv Inc.
EXHIBIT A: Other Processors

Name of Other Processor | Type of Services
------------------------|------------------------------------------
Amazon Web Services     | Hosting services
Airbrake                | Error tracking
Appsee                  | Mobile application usage tracking
Braintree               | Payment processing
Chargify                | Payment processing
Delighted               | Customer satisfaction
Elastic                 | Search indexing
Google                  | Mapping and contact import
Intercom                | Customer support and tracking
Intuit                  | Accounting integration
Mixpanel                | User tracking
New Relic               | Application and server performance
Postmark                | Email send & receive
Sumo Logic              | Application and server logging
Twilio                  | Text messaging
Xero                    | Accounting integration
Salesforce              | Customer relationship management
Stripe                  | Consumer credit card processing
EXHIBIT B: Technical and Organizational Measures
Kickserv shall ensure the security and integrity of the Personal Data in accordance with the legal requirements of the applicable member state of the European Union, and as instructed by Customer. At a minimum, Kickserv has implemented the following measures:
Physical Access Controls
Kickserv has implemented physical access controls to prevent unauthorized access to systems that process Personal Data, which include the following measures (or similar measures that are at least as effective as those described below):
• Kickserv reasonably restricts physical access to Personal Data stored in facilities and other storage areas.
• Kickserv maintains a security system and other physical measures (such as locks and a clean desk policy) to safeguard premises housing systems or files containing Personal Data.
• Kickserv maintains logs of employees and visitors who access premises housing systems or files containing Personal Data.
Technical Access Controls
Kickserv has implemented technical controls to prevent unauthorized access to systems that process Personal Data, which include the following measures (or similar measures that are at least as effective as those described below):
• Kickserv maintains appropriate user identification and authentication techniques for each user with access to Personal Data.
• Kickserv maintains appropriate password requirements (including to periodically change passwords) for each user with access to Personal Data.
• Kickserv maintains access logs for systems that process Personal Data.
• Kickserv installs, monitors, and periodically updates firewalls, anti-virus software, and malware protections on all information systems that process Personal Data.
• Kickserv ensures encryption of Personal Data stored on portable media and devices.
Access Controls
Kickserv has implemented access controls to ensure that individuals may access Personal Data only to the extent allowed by their access level designation and that, in the course of processing or storing Personal Data, Personal Data cannot be read, copied, modified or deleted without authorization, which include the following measures (or similar measures that are at least as effective as those described below):
• Kickserv restricts access to Personal Data to employees and, where relevant, authorized contractors who require access to Personal Data to carry out their business purpose.
• Kickserv maintains procedures to grant and record access to Personal Data.
• Kickserv maintains procedures to revoke access to Personal Data as appropriate, such as upon termination of an employee.
• Kickserv maintains records of the individuals with access to systems containing Personal Data.
Data Transfer Controls
Kickserv ensures that Personal Data cannot be read, copied, modified or deleted without authorization during electronic or physical transmission, transport, storage, or destruction, including implementing the following measures (or similar measures that are at least as effective as those described below):
• Kickserv uses appropriate encryption technologies and other equivalent measures when transmitting Personal Data over public networks.
• Kickserv maintains policies and procedures governing the storage, access and transportation of records containing Personal Data outside of its business premises.
• When disposing of or destroying data storage media that contains Personal Data, Kickserv uses appropriately secure methods to ensure that Personal Data cannot be reconstructed or retrieved.
Administrative Controls
Kickserv ensures that appropriate administrative controls are in place for the processing of Personal Data, which include the following measures (or similar measures that are at least as effective as those described below):
• Kickserv maintains and enforces various policies, standards and processes designed to secure Personal Data and ensure that Personal Data is processed only for the purposes of providing services to Customer.
• Kickserv maintains a comprehensive, updated, written information security program.
• Kickserv ensures appropriate segregation of Personal Data processed for different purposes.
• Kickserv requires all individuals involved in the processing of Personal Data to safeguard and protect Personal Data, and holds those individuals accountable for their processing of Personal Data.
• Kickserv periodically trains its individuals involved in the processing of Personal Data on the processing and safeguarding of Personal Data.
Protection Against Accidental Destruction or Loss
Kickserv ensures that Personal Data is protected against accidental destruction or loss, including implementing the following measures (or similar measures that are at least as effective as those described below):
• Kickserv takes steps to identify, assess and mitigate any reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of systems or files containing Personal Data and evaluates and improves safeguards as necessary.
• Kickserv maintains incident response procedures to respond to information security incidents involving Personal Data.
• Kickserv maintains policies or procedures for disaster recovery.
The Parties agree to abide by any additional or higher security standards that may be set forth by applicable Member State legal requirements or as requested by Customer. Kickserv shall keep its security requirements and measures up to date, and revise them as appropriate whenever relevant changes are made to information systems that process Personal Data.