Last Updated September 29, 2021
This Data Processing Addendum, inclusive of Schedules 1 and 2 (“DPA”) sets out the essential terms required by Sojern, Inc., a Delaware corporation with its principal place of business located at 255 California Street, 10th Floor, San Francisco, CA 94111 USA (“Sojern”). For the purposes of this DPA, the company that is a party to the Agreement (as defined below) in which this DPA is incorporated is referred to as “Company”.
“Agreement” means any and all agreements between the parties under which Sojern receives, collects, accesses or otherwise processes Personal Data for the purposes pursuant to the applicable data provider or service agreement. This DPA incorporates the terms and conditions of the Agreement and as set forth below. In the event of a conflict between the DPA and the Agreement, the terms of this DPA shall govern and prevail. All capitalized terms used but not defined herein shall have their respective meanings as set forth in the Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person who can be directly or indirectly identified.
“Service” means the services provided by Sojern or Company, as applicable, under the Agreement.
2. Application of DPA
For the purposes of the processing carried out by Sojern pursuant to the Agreement, Sojern’s role as a data processor or data controller with respect to Personal Data processed by Sojern shall be set forth in the applicable Agreement.
3. Use of Personal Data
Except as expressly permitted herein or in writing by Company, Sojern will not directly or indirectly (a) disclose, sell, distribute or transmit Personal Data to any third party, or (b) use Personal Data for any purpose other than to provide Company the Service under the Agreement, and in accordance with all applicable privacy and data protection laws.
4. Compliance with Law; Other Instructions
Each party certifies it understands its obligations under applicable privacy and data protection laws and shall process Personal Data in accordance with all applicable privacy and data protection laws. Where Sojern is acting as a data processor, Sojern will perform the processing as documented and instructed by Company in the Agreement, unless otherwise notified by a regulatory authority that such processing does not comply with applicable privacy and data protection laws, in which case Sojern will promptly provide Company with written notice of that regulatory notice and may cease processing Personal Data until the regulatory issue is resolved.
5. Records; Cooperation for Compliance
Each party will maintain a written or electronic record of the processing of Personal Data. Each party will reasonably cooperate with the other party in complying with applicable privacy and data protection laws with respect to data impact assessments, records of processing, related requests or consultations with data protection authorities, and audits in accordance with the applicable Agreement to enable Company to confirm that Sojern has complied with its obligations under applicable privacy and data protection laws and the Agreement.
7. Notice, Consent, and Opt-Out
Company shall provide notice to, and obtain consents from, individuals as required by applicable privacy and data protection laws regarding Company’s collection, use, and disclosure of Personal Data. If applicable privacy and data protection laws require mechanisms by which individuals may exercise rights, including but not limited to opt-out rights, Company (or such other party who is responsible for the collection of Personal Data on behalf of Company), shall provide such mechanism to individuals. Company will be presumed to have provided appropriate notices and have obtained appropriate consents, if required, from any individuals whose Personal Data is provided to Sojern.
8. Individual Privacy Rights
Each party will reasonably cooperate with the other party in response to any requests or complaints from individuals relating to the processing of Personal Data under the Agreement and pertaining to privacy rights under applicable privacy and data protection laws. If Sojern receives a request from an individual, Sojern will promptly: (a) forward the request to Company to manage the request; and (b) where Sojern is a data processor, implement Company’s decision with respect to how the request will be managed.
9. EU Personal Data
To the extent Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) is transferred to Sojern, the data processing requires adequacy under the laws of the country of the Company, and the required adequacy can be met by the terms of this DPA, then the parties agree that this DPA incorporates by reference, as applicable, the (EU) 2021/914 European Commission standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016-679 by EU/EEA controllers to processors established outside the EU/EEA (“Module 2”) and/or by EU/EEA controllers to controllers established outside the EU/EEA (“Module 1”), and as they are amended or replaced from time to time by the European Commission (collectively, the “Clauses”). For convenience purposes, the Clauses hyperlinked above are generated based on the text made available by the European Commission for the sole purpose of incorporating the Clauses into the Agreement, selecting the appropriate Module(s), and adding information in the Appendix as permitted by the Clauses. For purposes of Personal Data transfers, Company shall be the “data exporter” and Sojern shall be the “data importer” (even if Company is an entity located outside the EU/EEA, provided the Company is otherwise subject to the Regulation (EU) 2016-679). Where the Clauses apply, Company and Sojern will be deemed to have entered into the Clauses in their respective names and on their own behalf, and the parties’ names, addresses, contact details, roles, and activities related to the Personal Data transferred under these Clauses will be provided in the Agreement. The execution of the Agreement shall be deemed execution of the Clauses, specifically execution of Annex I.A of the Clauses. To the extent there is any conflict between the terms of this DPA and the Clauses, the applicable Clauses shall govern and prevail.
- Controller to Controller. For the purposes of Module 1, (i) Schedule 1 to this DPA shall take the place of Annex 1.B of Module 1; (ii) Schedule 2 to this DPA shall take the place of Annex II of Module 1; (iii) under Clause 11(a) of Module 1, the optional text provided is selected; (iv) under Clause 17 of Module 1, OPTION 1 is selected, and the EU Member State is Ireland; and (v) under Clause 18(b) of Module 1 the courts of Ireland are selected.
- Controller to Processor. For the purposes of Module 2, (i) Schedule 1 to this DPA shall take the place of Annex 1.B of Module 2; (ii) Schedule 2 of this DPA shall take the place of Annex II of Module 2; (iii) under Clause 9(a) of Module 2, OPTION 2: GENERAL WRITTEN AUTHORISATION is selected, and the time period for advance notice is thirty (30) days; (iv) under Clause 11(a) of Module 2, the optional text provided is selected; (v) under Clause 17 of Module 2, OPTION 1 is selected, and the EU Member State is Ireland; and (vi) under Clause 18(b) of Module 2 the courts of Ireland are selected.
- FISA Section 702 and Executive Order 12333. Sojern shall notify Company immediately and cease accepting Personal Data if Sojern becomes aware that it has become subject to data sharing or disclosure requirements as envisioned under Section 702 Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333 of the United States. If further guidance is released by the European Data Protection Board or another regulatory authority that the Company is regulated by on what further adequate measures are required for the international export of Personal Data, Sojern shall promptly implement any further adequate measures.
10. Security Safeguards
Each party shall implement and maintain appropriate technical, physical, and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Personal Data Breach. Upon becoming aware of a Personal Data breach under applicable privacy and data protection laws, each party will notify the other in writing without undue delay and within the time frame required under applicable privacy and data protection laws. Each party will reasonably cooperate with the other to mitigate, where possible, the adverse effects of a Personal Data breach.
- Data Storage; Deletion of Personal Data Post-Termination. Sojern implements technical security measures to guard against unauthorized access to Personal Data, including encrypting Personal Data in electronic form while in transit and at rest in storage on Sojern networks or systems. Sojern’s obligations with respect to Personal Data in the event of termination of the Agreement are set forth in the Term and Termination section of the Agreement, subject to any data retention terms of the applicable Agreement.
Company grants a general authorization to Sojern to use other data processors for the processing of Personal Data (“Sub-processors”), who are bound by confidentiality and data protection obligations consistent with this DPA, listed at https://www.sojern.com/legal/partner-list/. Where required by the Agreement or where Sojern is acting as a data processor, Sojern will inform Company of any changes concerning the addition or replacement of Sub-processors by updating the above-mentioned list, thereby giving Company an opportunity to object to such changes, and instructions for objections are provided at the same URL. If Company reasonably objects to a change and Sojern is unable to resolve such objection, Company may terminate the Agreement and DPA.
12. Application of DPA
This DPA shall remain in full force and effect until the later of (a) the Agreement(s) remains in effect, and (b) Sojern retains copies of Personal Data. Either party may terminate this DPA immediately upon a material breach of this DPA or a regulatory authority and/or a tribunal or court with jurisdiction finds that processing of Personal Data by the parties materially violates applicable privacy and data protection laws, provided however, that the non-breaching party must provide notice of the alleged breach, and such breach shall have remained uncured for a period of fifteen (15) days following such notice.
13. Governing Law
This DPA shall be deemed to have been made in and shall be construed pursuant to the laws of the State of California, USA, without regard to conflicts of laws provisions thereof.