Data Processing Addendum

Available Documents:
Privacy Policy
End User License Agreement
Master Subscription Agreement
Independent Contractor Agreement

Data Processing Addendum 

This Data Processing Addendum(the “Addendum”) is made a part of the Master Subscription Agreement (“Agreement”)and Statement(s) of Work (“SOWs”) between the customer (“Customer”)and Boomtown Network, Inc. dba OvationCXM (“SUBPROCESSOR” or “OvationCXM”).This Data Processing Addendum shall apply to all processing of Customer Personal Data by SUBPROCESSOR.

Schedule 1 – Data Protection In Schedules 1-4, the following defined terms shall mean:
"Data Processing Addendum"
Personal Information (otherwise known as Personal Data) which is to be Processed under the Agreement, as more particularly described in Schedule 2.
“Data  Protection Laws”
Any applicable data protection laws in force  from time to time that relates to data protection, the processing of personal  data and privacy, including: U.S. data privacy laws, including the California  Privacy Rights Act, California Consumer Protection Act, and the EU General  Data Protection Regulation 2016/679 of the European Parliament and of the  Council (“GDPR”) and any data protection laws substantially amending, replacing or superseding the GDPR following any exit by the United Kingdom  from the European Union, or, and to the extent applicable, the data  protection or privacy laws of any other Member State of the European Economic  Area or Switzerland.  Nothing in this  Addendum, however, shall be interpreted to infer or imply that either Customer  or SUBPROCESSOR is itself subject to the GDPR or to the jurisdiction of any  European regulatory body for these purposes.

(a) and  references to “Controller”, “Business”, “Data Subjects”, “Personal  Data”, “Personal Information”, “Process”,  “Processed”, “Processing”, “Processor”, “Service Provider”, and  “Supervisory Authority” have the meanings set out in, and will be  interpreted in accordance with, such laws
"Data Security Incident"
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Addendum Personal Information transmitted, stored or otherwiseProcessed.
"International Transfer"
A transfer to a country outside the European Economic Area (as it is made up from time to time) of Addendum PersonalInformation which is undergoing Processing or which is intended to be Processed after transfer.
"Standard Contractual Clause"
means Commission Decision C(2010)593 Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as amended, updated or replaced from time to time.
“Sub-Processor”
Any third party appointed by SUBPROCESSOR to Process Addendum Personal Information.


1.   DATA PROTECTION AND INFORMATION SECURITY

1.1  Customer authorizes SUBPROCESSOR to Process the Addendum Personal Information during the term of the Agreement as a Processor for the purpose set out in Schedule 2.

1.2  Customer warrants to SUBPROCESSOR that to the best of its knowledge and belief:

1.2.1  it has all necessary rights to authorize SUBPROCESSOR to Process Addendum Personal Information in accordance with theAddendum and the Data Protection Laws; and

1.2.2  its instructions to SUBPROCESSOR relating to Processing of Addendum Personal Information will not cause SUBPROCESSOR to be in breach of Data Protection Laws, including with regard to International Transfers.

1.3  If SUBPROCESSOR reasonably considers that any instructions from Customer relating to Processing of Addendum PersonalInformation may directly or indirectly cause SUBPROCESSOR to be in breach orviolation of Data Protection Laws, SUBPROCESSOR shall immediately inform Customer, and SUBPROCESSOR will be entitled not to carry out that Processing and will notbe in breach of the Agreement or otherwise liable to Customer as a result ofits failure to carry out that Processing, unless Customer varies its instructions, or provides further information to SUBPROCESSOR as to why theinstructions are not in violation of any Data Protection Law.

1.4   SUBPROCESSOR shall not retain, use, or disclose the personal information for any purpose other than for the specific purpose of performing the services specified in the Agreement, and SUBPROCESSOR shall notProcess Addendum Personal Information other than on Customer’s documented instructions  to perform the Services asset forth in the Agreement or as provided on Schedule 2, unless Processing is required by Data Protection Laws to which SUBPROCESSOR is subject, in which case SUBPROCESSOR, to the extent permitted by Data Protection Laws, shall inform Customer of that legal requirement before Processing Addendum Personal Information, save for where the SUBPROCESSOR is prohibited by law from doing so.

1.5 Customer authorizes SUBPROCESSOR to engage the Sub-Processors listed at Schedule 4 for the processing of Addendum Personal Information.  SUBPROCESSOR will inform Customer 30 days in advance of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving Customer the opportunity to object to such changes.

1.6 If SUBPROCESSOR appoints a Sub-Processor in compliance with paragraph 1.5 above, SUBPROCESSOR will put a written contract in place between SUBPROCESSOR and the Sub-Processor that specifies the Sub-Processor’s Processing activities and imposes on the Sub-Processor the same terms to those imposed on SUBPROCESSOR in this Addendum.  SUBPROCESSOR will remain liable to Customer for performance of the Sub-Processor’s obligations.

1.7  SUBPROCESSOR will:
1.7.1  Process the Addendum Personal Information only on documented instructions from Customer (unless
SUBPROCESSOR or the relevant Sub-processor is required toProcess Addendum Personal Information to comply with applicable laws to which the SUBPROCESSOR is subject, in which case SUBPROCESSOR will notify Customer of such legal requirement prior to such Processing unless such laws prohibit notice to Customer).  For the purpose of this paragraph 1.7.1, the obligations on SUBPROCESSOR to perform the Services detailed set forth inthe Agreement and in Schedule 2 are documented instructions.  Nothing in this paragraph 1.7.1 will permit Customer to vary SUBPROCESSOR’s obligations under the Agreement other than in accordance with its express terms;
1.7.2 ensure that any individual authorized to Process Addendum Personal Information is subject to contractual confidentiality obligations equivalent to those set out in the Addendum or is under an appropriate statutory obligation of confidentiality, and complies with paragraph 1.7.1 of this Schedule 1 and any other relevant provision of this Addendum and theAgreement; and
1.7.3  not transfer Addendum Personal Information outside the United States absent Customer’s advance written consent.

1.8   SUBPROCESSOR will:
1.8.1 implement appropriate technical and organizational measures to protect the Addendum Personal Information from a Data Security Incident, including at a minimum the technical and organizational measures set out in Schedule 3; and

1.8.2  notify Customer without undue delay (and in any event within 24 hours) uponSUBPROCESSOR or any approved Sub-processor becoming awareof a Data Security Incident involving Addendum Personal Information, providing Customer with information to assist it (or its controller/business) to meet any obligations to report or inform Data Subjects of the Data Security Incidentunder Data Protection Laws and thereafter provide Customer with such commercially reasonable cooperation as may be requested by Customer, in the investigation, response, mitigation and remediation of each Data SecurityIncident;  

1.8.3   provide such commercially reasonable cooperation as Customer may request in:
1.8.3.1  complying with any Customer obligations (or their controller’s/business’ obligations) under the Data Protection Laws relating to the security of Processing Addendum Personal Information;

1.8.3.2  assisting Customer when responding to anyrequests for exercising Data Subjects’ rights under the Data Protection Laws, including by appropriate technical and organizational measures, insofar as this is possible;

1.8.3.3  documenting any Data Security Incidents andreporting any Data Security Incidents to any Supervisory Authority and/or DataSubjects; and

1.8.3.4  if Customer determines it to be required or advisable, conducting privacy impact assessments of any Processing operations and consulting with Supervisory Authorities, Data Subjects and their representatives accordingly.

1.9   SUBPROCESSOR will:

1.9.1  make available to Customer all information necessary to demonstrate compliance with the obligations set out in this Addendum; and

1.9.2  allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, provided: a) that MERCHANT gives SUBPROCESSOR at least ten (10) business days’ prior written notice of each such audit (unless a more urgent audit is required, for example, in the event of a Data Security Incident, or where an instruction for such an audit is issued by a Supervisory Authority, or other regulator); b) that each audit is carried out at Customer’s cost (unless the audit has been reasonably requested by Customer following SUBPROCESSOR’S breach of this Addendum, in which case the audit shall be at SUBPROCESSOR’S cost),during business hours, so as to cause the minimum disruption to SUBPROCESSOR’S business; 3) and without Customer or its auditor having any access to any data belonging to a person other than Customer.

1.10  Unless otherwise required by applicable laws, including Data Protection laws, following termination or expiration of theAgreement, SUBPROCESSOR shall without undue delay, at Customer’s option, delete or return any retained Addendum Personal Information and all copies to Customer.  To the extent that SUBPROCESSOR is required by a statutory obligation (to which SUBPROCESSOR is subject), or for its own commercial compliance purposes to retain the Addendum Personal Information for a specified purpose, SUBPROCESSOR shall notify Customer of this in advance and shall be permitted to retain a copy of the relevantAddendum Personal Information in order to comply with that statutory obligation, or to meet those commercial compliance obligations only as an independent Controller of the retained Addendum Personal Information and will hold Customer harmless in respect of the SUBPROCESSOR’S Processing of the retained Addendum Personal Information.      

1.11  In the event of any inconsistency between this Addendum and the Agreement with respect to Addendum Personal Information, thisAddendum shall prevail.

1.12  As specified above, nothing in this Addendum shall be interpreted to imply that Customer or SUBPROCESSOR is subject to the GDPR or to the jurisdiction of any European regulatory body for these purposes.

Schedule 2 - Addendum Personal Information

Subject Matter of Processing
The subject matter of Processing of Personal Data by OvationCXM is the provision of the SaaS and product support services to Customer that involves the processing of Personal Data.
Duration of Processing
The  Processing will continue until the expiration or termination of the Agreement,  unless otherwise agreed upon in writing by OvationCXM and Customer.
Nature of Processing and Purpose of Processing
The  Processing will involve Processing for the provision of SaaS and Product  Support services by OvationCXM for Customer, as further specified in the  Agreement and Statement(s) of Work and as instructed by Customer in its use  of the SaaS and product support services.
Type of Personal Data
In its use of the SaaS and product support services, Customer may submit Personal Data to OvationCXM, the extent of which is determined and controlled by Customer in its sole discretion.  This Personal Data may include, but is not limited to:
•First and Last Name
•Business Name
•E-mail Address
•Phone Number
•Street Address, City, State, Zip Code, Country
•Merchant Identification Number
Categories of Data Subject
Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, may include, but is not limited to the following categories of data subjects:
•Prospects, customers, business partners, and vendors of Customer
•Employees or contact persons of Customer’s prospects customers, business partners, and vendors
•Employees, agents, advisors, freelancers of Customer
•Authorized Customer Users


Schedule 3 – Technical and Organizational Security Measures

SUBPROCESSOR has implemented and will maintain reasonable and appropriate technical and organizational security measures, including the measures specified in this Schedule. These measures are intended to protect Addendum Personal Information against accidental or unauthorized loss, destruction, alteration, disclosure or access.  SUBPROCESSOR will adhere to the following technical and organizational security measures:

1. It will take all reasonable measures to control who gets to access Addendum Personal Information.  
1.1 It will take all reasonable measures to:
1.1.1 devise proper access controls including, physical access controls, and restrict Addendum Personal Information access.
1.1.2 grant Addendum Personal Information handling access only to privileged users.

1.2 Without limiting the generality of the foregoing, SUBPROCESSOR will implement appropriate technical and organizational measures designed to ensure against unauthorized or unlawful access, use, disclosure, processing or modification and accidental loss, destruction of or damage to Addendum Personal Information (e.g. Addendum Personal Information at rest or in motion will be encrypted, interfaces between IT systems will use strong credentials and authentication, and appropriate physical security measures and access controls will be put in place).  

1.3 Addendum Personal Information will not be retained unless pursuant to other legal requirements.  In such a situation, Addendum Personal Information will be retained for the shortest possible time.  Prior to deletion or destruction of Addendum Personal Information, SUBPROCESSOR will notify Customer in writing of such proposed action and shall not so delete or destroy until five (5) calendar days have elapsed from the date of receipt of such notice without an instruction having been received from Customer requesting suspension of any such deletion or destruction.

2. SUBPROCESSOR will take all reasonable measures to audit user behavior.  

2.1 SUBPROCESSOR will take all reasonable measures to keep track when users:
2.1.1 access Addendum Personal Information storage platforms (whether that is a server, database, or cloud application).
2.1.2 alter Addendum Personal Information (e.g. modify, delete, or rename files).
2.1.3 perform access modifications, permission changes, and privilege escalations with respect to Addendum Personal Information access.

3. SUBPROCESSOR will take all reasonable measures to get real-time insights about any abnormal or suspicious activities.

4. SUBPROCESSOR will implement best practice protections against any virus and internet attacks, not compromise security by functionality changes, patch IT systems to industry best practices and keep code libraries up-to-date. SUBPROCESSOR’s IT systems will use a deployment process designed to ensure authority and efficacy of any release (including rollback and failed release planning) and maintain skilled staff or contractors adequate to ensure IT systems are appropriately supported at all times.

Schedule 4 - Authorized Sub-Processors

Purpose
Entity Country
Entity
Iron Mountain Data Centers, LLC
Hosting center provider for the OvationCXMSoftware.
United States
Google LLC (Google Cloud Platform)
Cloud service provider for the OvationCXM Software.
Google Workspace used for communications and document storage.
United States
DigitalOcean, Inc.
Cloud service provider for the OvationCXM Software
United States
Twilio, Inc.
SMS text messaging for OvationCXM Software
United States
GoodData Corporation
Data and analytics platform for the OvationCXMSoftware.
United States
RingCentral, Inc.
Contact center software provider integrated with the OvationCXM Software.
United States
Datalog, Inc.
Third-party logging platform that OvationCXM uses for ingesting, parsing, querying and performaing analytics.
United States
Salesforce
Customer relationship management (CRM) system of record
United States
Slack Technologies, LLC
Internal communications as well as external communications with clients and vendors (where authorized via Slack Connect)
United States
ActiveCampaign, LLC
Marketing Automation Platform
United States
Dropbox, Inc
File Storage
United States
Wrike, Inc.
Onboarding and Customer Success Platform
United States
Zapier, Inc
Integration and automated workflows
United States
Breakout Platforms, Inc. dba Cobalt
Integration and automated workflows
United States
Platform
Solutions
Resources
About

    Own the journey. Guide the experience. Unleash the benefits.

    © 2023 OvationCXM. All rights reserved.

    OvationCXM, DBA of Boomtown Network, Inc.

    Privacy Policy  |  Terms Of Service