DATA PROCESSING ADDENDUM

Effective from: 15 November, 2020

This Conductor Software Data Processing Addendum (the ‘Addendum’) forms part of, and is subject to the provisions of, the Conductor Terms of Service (the ‘Agreement’). Capitalized terms that are not defined in this Addendum have the meanings set forth in the Terms of Service.

1.     Additional Definitions.

The following definitions apply solely to this Addendum:

a. the terms “controller”, “data subject”, “personal data”, “process,” “processing” and “processor” have the meanings given to these terms in EU Data Protection Law.

b. “Breach” means a breach of the Security Measures resulting in access to Conductor Software’s equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by Conductor Software on your behalf and instructions through the Services.

c. “Customer Data” means any personal content or data that you or your Users submit or transfer to Conductor Software using the Services (including names and/or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account or any Users survey responses). Customer Data also includes any data Conductor Software may need to collect for the purpose of identity verification, or as part of its legal obligation to retain Subscriber and User records.

d. “Customer Usage Data” means data processed by Conductor Software for the purposes of transmitting or exchanging Customer Data, including data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the date, time and location of the device generated in the context of providing the Services, and (b) activity logs used to identify, Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse.

e. “Customer Account Data” means personal data that relates to Customer’s relationship with Conductor Software, including the names and/or contact information of individuals authorized by Customer to access Customer’s account and billing information associated with its account. Customer Account Data also includes any data Conductor Software may need to collect for the purpose of identity verification, or as part of its legal obligation to retain subscriber records.

f. “EU Data Protection Law” means any data protection or data privacy law or regulation of Switzerland, the United Kingdom or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.

g. “GDPR” means the EU General Data Protection Regulation 2016/679.

h. “Security Measures” means the terms set forth in the Agreement outlining the technical and organizational security controls to protect Customer Data.

i. “Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration unauthorized disclosure of, or access to Customer Data.

j. “SCCs” means either: (i) the standard contractual clauses (without the optional clauses) for the transfer of personal data to data processors established in third countries adopted by the European Commission decision (C(2010)593) of 5 February 2010 (as may be amended from time to time by European Commission decision); or (ii) such other form of European Commission standard contractual clauses for transfers of personal data to processors adopted by the European Commission pursuant to the GDPR as notified by Conductor to you; together, in either case with the details set out in Section 3 of this DPA serving as Appendix 1 and the Security Measures (as changed from time to time in accordance with this DPA) serving as Appendix 2 to the SCCs. You can find the SCCs here.

k. “Sub-Processor” means an entity engaged by Conductor to process Your Controlled Data.

l. “Your Controlled Data” means the personal data Conductor processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. 

2.     Applicability.

This Addendum only applies to you if you or your Users are data subjects located within the EEA, United Kingdom or Switzerland and only applies in respect of Your Controlled Data. You agree that Conductor Software is not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.

3.     Details of Data Processing.

3.1 Subject Matter. The subject matter of the data processing under this Addendum is Your Controlled Data.

3.2 Duration. As between you and us, the duration of the data processing under this Addendum is determined by you.  

3.3 Purpose. The purpose of the data processing under this Addendum is the provision of the Services initiated by you from time to time.

3.4 Nature of the Processing / Processing Operations. The Services as described in the Agreement and initiated by you from time to time.

3.5 Type / Categories of Personal Data. Your Controlled Data relating to you, or other users whose personal data is included in content which is processed as part of the Services in accordance with instructions given through the Services.

3.6 Special Categories of Data. Any special categories of data relating to you, your Users or other individuals whose special categories of data are, where permitted by the Agreement, included in content which is processed as part of the Services in accordance with instructions given through the Services.

3.7 Categories of Data Subjects. You, Your Users and any other individuals whose personal data is included in content.

4.    Processing Roles and Activities.

4.1 Conductor Software as Processor and You as Controller. You are the controller and Conductor Software is the processor of Your Controlled Data.

4.2 Conductor Software as Controller. Conductor Software may also be an independent controller for Customer Usage Data, Customer Data relating to you or Users of our services. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, you receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.

4.3 Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified through the Services. For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to use our services; or (b) email survey participants on your behalf.

4.4 Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You acknowledge that Conductor Software is not responsible for determining which laws are applicable to Customer’s business nor whether Conductor’s provision of the Services meets or will meet the requirements of such laws. You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Addendum. Conductor Software will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.  Conductor Software will inform the Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law.

5.     Conductor as a Processor - Processing Customer Data.

5.1 Customer Instructions. Customer appoints Conductor Software to process Customer Data on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer (which may include investigating security incidents, preventing fraudulent activity, and detecting and preventing network exploits and abuse); (b) as necessary to comply with applicable law, and as otherwise agreed in writing by the parties (the “Services”).

5.2 How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through the Services. You agree that the Agreement and the instructions given through the Services are your complete and final documented instructions to us in relation to Your Controlled Data. Additional instructions outside the scope of this Addendum require prior written agreement between you and us, including  agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe EU Data Protection Law, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.

5.3 Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under EU Data Protection Law. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgement by Conductor Software of any fault or liability of Conductor Services with respect to the Breach. Despite the foregoing, Conductor’s obligations under this Section do not apply to incidents that are caused by you, any activity on your Account(s) and/or Third-Party Services.

5.4 Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from a User, or other individual whose personal data is included in your content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data.

5.5 Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services or otherwise, provide reasonable assistance to you in respect of your fulfilment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.

5.6 Security Measures and Safeguards. We will maintain the Security Measures and the safeguards. We may change or update the Security Measures or safeguards but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

5.7 Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this Addendum, to the extent applicable to the nature of the Services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email to privacy@conductorsoftware.com. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to privacy@conductorsoftware.com. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate the Services or, if possible, the portions of the Services that involve use of such Sub-Processor. Except as set forth in this Section 5.7, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 5.7. Except as set forth in this Section 5.7 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. Conductor will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause Conductor to breach any of Conductor’s obligations under this Addendum, solely to the extent that Conductor would be liable under the Terms of Service if the act or omission was Conductor’s own. 

5.8 Conductor Audits. Conductor may (but is not obliged to) use external or internal auditors to verify the adequacy of our Security Measures.

5.9 Customer Audits and Information Requests. You agree to exercise any right you may have to conduct an audit or inspection by instructing Conductor to carry out the audit described in Section 5.8. You agree that you may be required to agree to a non-disclosure Agreement with Conductor before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If Conductor does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with EU Data Protection Law by means other than reviewing a report from such an audit, you may only request a change in the following way:

a. First, submit a request for additional information in writing to Conductor, specifying all details required to enable Conductor to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our Security Measures.

b. Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for Conductor to verify Conductor’s compliance with the Security Measures in order to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for Conductor to maintain uninterrupted business operations and the security of its facilities and protect itself and its customers from risk and to prevent disclosure of information that could jeopardize the confidentiality of Conductor or our users’ information.

(c)You will pay our costs in considering and addressing any Request. Any information and documentation provided by Conductor or its auditors pursuant to this Section 5.9 will be provided at your cost. If we decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected Paid Services.

5.10 Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this DPA, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with EU Data Protection Law). The information to be made available by Conductor under this Section 5.10 is limited to solely that information necessary, taking into account the nature of the Services and the information available to Conductor, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure Agreement with Conductor before we share any such information with you.  

5.11 Requests. You can delete or access a copy of some of Your Controlled Data through the Services. For any of Your Controlled Data which may not be deleted or accessed through the Services, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the  Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable Paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which we maintain in order to comply with applicable law or as otherwise set forth in the Terms of Service). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy.

5.12 Security Incident Notification.  Conductor Software will provide notification of a Security Incident in the following manner:

(a) To the extent permitted by applicable law, Conductor Software will notify Customer without undue delay, but no later than seventy-two (72) hours after, Conductor’s confirmation or reasonable suspicion of a Security Incident impacting Customer Data of which Conductor is a processor;

(b) To the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which Conductor is a controller; and

(c) Conductor will notify the email address of Customer’s account owner.

Conductor Software will make reasonable efforts to identify and, to the extent such Security Incident is caused by a violation of the requirements of this Addendum by Conductor, remediate the cause of such Security Incident. Conductor will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.

6.     Data Transfers.

6.1 Taking into account, the Security Measures and safeguards provided for in this Addendum and the specific circumstances, you instruct Conductor to transfer Your Controlled Data away from the country in which such data was originally collected to other countries globally in which Conductor or any sub-processors operate, in particular, to the Australia, Canada or the US. Unless such transfer is otherwise permitted under EU Data Protection Law, the SCCs apply between you and Conductor Software to Your Controlled Data that is transferred, either directly or via onward, to any country not recognized under EU Data Protection Law as providing an adequate level of protection for Your Controlled Data. You and Conductor Software are deemed to have executed and agreed to the SCCs upon the earlier of: (i) you agreeing to the  Agreement, including any future amendments; or (ii) this Addeundum applying to you and/or your use of the Services in accordance with Section 2 of this Addendum.

6.2 Where the SCCs apply:

a. you are the “data exporter” and Conductor Software is the “data importer” as those terms are defined in the SCCs;

b. the ‘data subjects’, ‘categories of data’, ‘special categories of data’ and ‘processing operations’ as identified in Section 3 of this Addendum shall serve as Appendix 1 of the SCCs;

c. the technical and organisational measures implemented by Conductor Software are the Security Measures (as may be changed from time to time, for example to reflect technological developments, subject to Section 5.5 of this Addendum) and are binding on Conductor Software as if set out in Appendix 2 of the SCCs;

d. you will comply with the SCCs and, in countries where regulatory approval is required for use of the SCCs, you are responsible for obtaining such approval;

e. you agree that any sub-processor Agreements to be provided to you under clause 5(j) of the SCCs is to be provided to you on your request only, is confidential and will be limited to the data protection provisions related to Your Controlled Data with commercial information redacted;

f. the general consent given under Section 5.6 of this Addendum to the use of a sub-processor is also consent under clause 11 of the SCCs;

g. you will use your rights of information, reports and audit under this Addendum to satisfy any requirements you have for an audit in place of your audit rights under the SCCs, unless your audit requirements cannot reasonably be satisfied in this way in which case Conductor Software and you will mutually agree upon the details of the other means of audit (using the least intrusive means possible), including without limitation, as relevant, timing, duration, scope, control, manner, evidence requirements, auditor identity and fees (including for time expended by Conductor Software) for the other means of audit under the SCCs. Conductor Software will not use this to unreasonably delay performance of the other means of audit;

h. you agree that Your Controlled Data will, for the purposes of clause 12(1) of the SCCs, be deleted in the manner described in Section 5.11 of this Addendum and certification of deletion is only required under clause 12(1) of the SCCs upon your request;

i. references in the SCCs to provisions of Directive 95/46/EC are treated as references to the relevant and appropriate provision of the GDPR; and

j. Conductor Software is entitled to rely upon the provisions of the  Agreement (including this Addendum) as if a party thereto.

6.3 Where the SCCs apply:

a. Conductor is entitled to sever and disapply or, in accordance with the amendment clause of the  Agreement, modify this Section 6 of this Addendum, and is entitled to terminate or replace the SCCs, in order for Conductor Software to implement an alternative transfer mechanism recognized by EU Data Protection Law.

7.    Confidentiality.

7.1 Responding to Third Party Requests. In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory authority, or this party is made directly to Conductor Software in connection with Conductor’s processing Customer Data, Conductor will promptly inform Customer and provide details of the same, to the extent legally permitted. Unless legally obligated to do so, Conductor will not respond to any such request, inquiry, or complaint without Customer’s prior consent except to confirm that the request relates to Customer.

7.2 Confidentiality Obligations of Conductor Software Personnel. Conductor Software will ensure that any person it authorizes to process the Customer Data has agreed to protect personal data in accordance with Conductor’s confidentiality obligations under the  Agreement.

8. Liability.

Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

9.    Conflict.

 If there is any conflict between this Addendum and the Agreement and/or Privacy Policy, then the terms of this Addendum will control. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the  Agreement.

10.     Miscellaneous.

1. Costs of Compliance. You are responsible for any costs and expenses arising from Conductor Software’s compliance with your instructions or requests pursuant to the Agreement (including this Addendum) which fall outside the standard functionality made available generally through the Services.

2. Sensitive Data. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing any Sensitive Data over the Services, or prior to permitting Users to transmit or process Sensitive Data over the Services.

3. Notification Cooperation. Customer acknowledges that Conductor, as a controller, may be required by Applicable Data Protection Law to notify the regulatory authority of Security Incidents involving Customer Usage Data. If the regulatory authority requires Conductor to notify impacted data subjects with whom Conductor does not have a direct relationship (e.g., Customer’s users), Conductor will notify Customer of the requirement. Customer will provide reasonable assistance to Conductor to notify the impacted data subjects.

4. Failure to Perform. In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the Parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility, or the Parties Agreement in accordance with the  Agreement termination provisions.