DATA PROCESSING AGREEMENT
Last updated: January 3rd, 2024
This Data Processing Agreement (the “DPA”) is a binding agreement that is incorporated into the Terms of Service between Endear and Customer. All capitalized terms used and not otherwise defined in this DPA have the meanings given to them in the Terms of Service.
PLEASE CAREFULLY REVIEW THIS AGREEMENT. BY AGREEING TO THE ENDEAR TERMS OF SERVICE, YOU ARE AGREEING TO THE TERMS AND CONDITIONS OF THE DPA AND ARE LEGALLY BINDING THE CUSTOMER ON WHOSE BEHALF YOU HAVE AGREED. IF YOU DO NOT HAVE AUTHORITY TO BIND CUSTOMER TO THIS DPA, YOU MUST OBTAIN SUCH AUTHORITY BEFORE AGREEING TO THIS DPA. ENDEAR RESERVES THE RIGHT TO IMMEDIATELY TERMINATE THE SERVICES IF YOU DO NOT OR DID NOT HAVE AUTHORITY TO ENTER THIS DPA ON BEHALF OF CUSTOMER.
- Definitions. The following definitions apply in this DPA. All capitalized terms in this DPA that are not defined herein have the meanings set forth for them in the Terms of Service.
1.1 “Business Purpose” means the Services described in the Terms of Service.
1.2 “Controller” means the party to this DPA that provides or collects Personal Information for Processor and determines the Business Purpose and means of the processing of Personal Information. For the purposes of this Agreement, Customer shall be deemed to be a Controller of its Personal Information unless the parties agree otherwise in writing.
1.3 “Data Subject” means an individual, including an end user, customer, or employee of Customer, who is the subject of Personal Information and to whom or about whom Personal Information relates or identifies, directly or indirectly.
1.4 “Personal Information” means any information processed pursuant to the Terms of Service that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Processor's possession or control or that Processor is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information. Personal Information includes, but is not limited to, name, home or other physical address, email address, telephone number, personal interests, habits, or activities. For avoidance of doubt, Personal Information includes Sensitive Personal Information.
1.5 “processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, altering, retrieving, using, consulting, disclosing, disseminating, restricting, aligning, combining, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
1.6 “Processor” means the party to this DPA that processes Personal Information on behalf of Controller. For the purposes of this Agreement, Endear shall be deemed to be a Processor of Personal Information collected by Customer unless the parties agree otherwise in writing.
1.7 “Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of Personal Information, including, where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, where applicable, the EU General Data Protection Regulation 2016/679 (GDPR), the Federal Trade Commission Act (FTC Act), the Telephone Consumer Protection Act (47 U.S.C. § 227), and the Children's Online Privacy Protection Act (COPPA) (in all cases, as amended, superseded or replaced).
1.8 “Security Breach” means any act or omission that has been reasonably demonstrated to have compromised the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it and is considered a security breach under the Privacy and Data Protection Requirements.
1.9 “Sensitive Personal Information” means a Data Subject's (i) government-issued identification number (including social security number, driver's license number or state-issued identification number); (ii) financial account number, credit card number, debit card number, or credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual's financial account; (iii) genetic and biometric data or data concerning health; (iv) personal characteristics, including photographic image, fingerprints, or handwriting; or (v) Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a natural person's sex life or sexual orientation, or criminal convictions and offenses (including commission of or proceedings for any offense committed or alleged to have been committed).
1.10 “Standard Contractual Clauses” means the European Commission's standard contractual clauses for the transfer of personal data from the European Union to third countries, as set out in the Annex to Commission Decision (EU) 2021/914 and accessible at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, as amended, superseded or replaced from time to time.
- Personal Information Types; Processing Purposes; Controller Instructions. Controller retains control of Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions for Personal Information as documented in the Agreement and in any other written instructions given by Controller and acknowledged by Processor (collectively, the “Controller Instructions”). Controller agrees that the Controller Instructions will comply with all Privacy and Data Protection Requirements and will promptly notify Processor if it believes any of the Controller Instructions would not comply with the Privacy and Data Protection Requirements.
- Processor's Obligations.
3.1 Processor will process Personal Information collected by Controller solely in accordance with the Controller Instructions except to the extent prohibited by the Privacy and Data Protection Requirements. Processor will process Personal Information provided by Controller only as long as required under this DPA or the Privacy and Data Protection Requirements.
3.2 Processor will only process, retain, use, or disclose Personal Information to the extent, and in such a manner, as is necessary for the Business Purpose, or in accordance with Controller Instructions. Processor will not process, retain, use, or disclose Personal Information for any other purpose, or outside of the parties’ business relationship, or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. Processor will not combine or update Personal Information with personal information obtained outside of the Terms of Service unless required and permitted by Privacy and Data Protection Requirements. Processor will promptly notify Controller if it believes Controller Instructions would not comply with any Privacy and Data Protection Requirements.
3.3 Processor will promptly comply with any request or instruction from Controller requiring Processor to amend, transfer, or delete Personal Information, or to stop, mitigate, or remedy any unauthorized processing.
3.4 Processor will maintain the confidentiality of all Personal Information, will not sell it to or share it for cross-contextual advertising with anyone, and will not disclose it to third parties unless Controller or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Processor to process or disclose Personal Information, Processor must first inform Controller of the legal requirement and give Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.5 Processor will reasonably assist Controller with meeting Controller's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of Processor's processing and the information available to Processor.
3.6 Processor must promptly notify Controller upon notice of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, which may adversely affect Processor's performance of the Terms of Service or this DPA.
3.7 Processor will only process Personal Information for or on behalf of Controller using a notice or method that Controller specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of Controller's identity, the purpose or purposes for which their Personal Information will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements.
- Processor's Employees.
4.1 Processor will limit Personal Information access to:
(a) those employees who require Personal Information access to meet Processor's obligations under this DPA and the Terms of Service and agree to be bound by the obligations applicable to such employee under this DPA and the Terms of Service;
(b) the part or parts of Personal Information that those employees strictly require for the performance of their duties; and
(c) in the case of any disclosure required by law, the part or parts of Personal Information that are required by law to be disclosed.
4.2 Processor will ensure that all employees of Processor:
(a) are informed of Personal Information's confidential nature and use restrictions and are obliged to keep Personal Information confidential;
(b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
(c) are aware both of Processor's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.
4.3 Processor will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of Processor's employees with access to Personal Information.
5.1 The parties will at all times implement appropriate and commercially reasonable technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage.
5.2 The parties will take commercially reasonable precautions to preserve the integrity of any Personal Information they process and to prevent any corruption or loss of Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
- Security Breaches and Personal Information Loss.
6.1 Each party will promptly notify the other party upon discovery that any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The parties will reasonably attempt to restore such Personal Information.
6.2 Each party will promptly notify the other party upon discovery of any unauthorized or unlawful processing of Personal Information or any Security Breach.
6.3 As soon as practicable following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will coordinate with each other to investigate the matter. Processor will reasonably cooperate with Controller in Controller's handling of the matter, including assisting with any investigation; providing Controller with physical access to any facilities and operations affected; facilitating interviews with Processor's employees, former employees, and others involved in the matter; and making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by Controller.
6.4 The parties will not inform any third party of a Security Breach without first obtaining the other party’s prior written consent, except where required by law or regulation.
6.5 Controller has the sole right and obligation to determine (a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in Controller's discretion, including the contents and delivery method of the notice; and (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 Controller will pay for and reimburse Processor for all reasonable expenses associated with the performance of the obligations under this section unless the matter was a direct result of Processor’s negligence, willful default, or breach of this DPA.
6.7 Controller will also reimburse Processor for actual reasonable expenses Processor incurs when responding to and mitigating damages relating to a Security Breach, including all costs of notice and any remedy as set out in 6.5, unless the matter was a direct result of Processor’s negligence, willful default, or breach of this DPA.
- Cross-Border Transfers of Personal Information.
7.1 Processor currently processes, receives, accesses, transfers and stores Controller’s Personal Information only in the United States. Processor shall notify Controller in writing if Processor processes, receives, accesses, transfers or stores Controller’s Personal Information in jurisdictions other than those listed above.
7.2 If any Personal Information transfer between Processor and Controller requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimize the transfer, including implementing any needed supplementary measures or supervisory authority consultations. For avoidance of doubt, the parties agree that any Personal Information transfer pursuant to the Terms of Service (a) from member states of the European Economic Area, Switzerland or the United Kingdom and (b) to any countries where the European Commission has not decided that such recipient country provides an adequate level of protection of Personal Information shall require execution of Standard Contractual Clauses.
7.3 Processor agrees not to transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.
- Sub-processors. Processor may authorize a third-party processor (each, a “Sub-processor”) to process Personal Information, provided that:
(a) Processor enters into a written agreement with the Sub-processor that contains terms substantially the same as those set out in this DPA and, upon Controller's written request, provides Controller with copies of such agreement;
(b) Processor maintains control over all Personal Information it entrusts to the Sub-processor and agrees to remain fully liable for the Sub-processor’s compliance with this DPA; and
(c) The Sub-processor agrees to cease processing Personal Information and to comply with any applicable post-termination provisions of this DPA upon termination of this DPA for any reason.
8.2 Upon Controller’s request, Processor shall provide to Controller in writing the name, location and contact information of any Sub-processor used by Processor in connection with the processing of Personal Information. A current list of Processor’s Sub-processors can be found at https://security.endearhq.com/?itemUid=e3fae2ca-94a9-416b-b577-5c90e382df57&source=click. If Controller objects to Processor’s engagement of a particular Sub-processor regarding the Personal Information, Controller and Processor will cooperate in good faith to resolve Controller’s objection or concern.
- Complaints, Data Subject Requests, and Third-Party Rights.
9.1 Processor must notify Controller as promptly as practicable upon any material complaint, notice, or communication relating to the processing of Personal Information or either party’s compliance with the Privacy and Data Protection Requirements. The parties agree to provide mutual cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.
9.2 Each party agrees to notify the other party within five (5) business days upon a request from a Data Subject to exercise any rights the individual may have regarding such individual’s Personal Information, such as access, correction, deletion, or to opt out of or limit certain activities like sales, disclosures, or other processing actions.
9.3 Processor must not disclose Personal Information to any Data Subject or to a third party (other than to a third party pursuant to Section 8) unless the disclosure is either at Controller's request or instruction, permitted by this DPA, or is otherwise required by law.
- Term and Termination.
10.1 Term. This DPA will remain in full force and effect until the earlier of (a) the termination of the Terms of Service, including pursuant to Section 10.2 or Section 10.3 of this DPA, or (b) Processor no longer retaining any Personal Information related to the Terms of Service in its possession or control (the “Term”).
10.2 Termination for Breach. The parties agree that a party’s failure to comply with the terms of this DPA would constitute a breach of the Terms of Service. In such event, the non-breaching party may terminate the Terms of Service or any part of the Terms of Service authorizing the processing of Personal Information effective fifteen (15) days after written notice to the breaching party if such breach is not cured within such period. Notwithstanding such termination, the parties shall remain liable for any amounts or obligations due or accrued until the date of termination pursuant to this Section 10.2.
10.3 Termination for Non-compliance with Privacy and Data Protection Requirements. If a change in any Privacy and Data Protection Requirement prevents a party from fulfilling all or part of its obligations pursuant to the Terms of Service or this DPA, the parties will suspend the processing of Personal Information until the party is able to comply with all Privacy and Data Protection Requirements. If the parties are unable, after due effort, to bring Personal Information processing into compliance with the Privacy and Data Protection Requirements within fifteen (15) days of any such suspension, either party may terminate the Terms of Service upon written notice to the other party.
- Data Return and Destruction.
11.1 Processor will delete or give Controller a copy of or access to all or part of Personal Information provided by Controller that is in Processor’s possession, custody, or control, in the format and on the media reasonably specified by Controller, within 90 days of receiving Controller’s reasonable written request.
11.2 Upon termination or expiration of this DPA or the Terms of Service for any reason, Processor, by no later than 90 days after termination or expiration, will securely destroy or return to Controller all or any Personal Information provided by Controller in Processor’s possession or control, except for copies that it may retain: (a) pursuant to automatic archiving systems, (b) for internal audit purposes, (c) for the purposes pursuant to Section 11.3 below, and (d) as may be required by the Privacy and Data Protection Requirements.
11.3 If any law, regulation, government or regulatory body, agency, or court requires Processor to retain or disclose any documents or materials that Processor would otherwise be required to return or destroy, it will notify Controller in writing of that retention requirement, giving details of the documents or materials that it must retain and the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. Processor may only use this retained Personal Information for the required retention reason.
11.4 Notwithstanding the obligations set forth above in this Section 11, the parties agree that during and after the Term, Processor may collect and retain, compile, disassemble and/or aggregate: (a) information other than Personal Information relating to or resulting from Customer’s use of the Service and Software (including, but not limited to, Customer’s product categories, sales figures, message statistics, and conversion rates), and (b) anonymized or pseudonymized Personal Information, provided that such information is used solely for Processor’s internal research and/or product development purposes.
- Records; Security Policy.
12.1 Processor will keep detailed, accurate, and current records regarding any processing of Personal Information it carries out for Controller, including but not limited to, the access, control, and security of Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
12.2 Processor will ensure that the Records are sufficient to enable Controller to verify Processor's compliance with its obligations under this DPA.
12.3 Processor shall be and will remain in compliance with SOC 2. Processor will maintain annually updated certifications of compliance with SOC 2 and a current security policy that can be found at https://security.endearhq.com.
13.1 At least once annually, Processor will procure SAS 70 Type II or SOC 2 audits of its facilities, networks and systems by an independent third party. Within two (2) days of written request by Controller, Processor will provide the results from such audits to Controller in the form reasonably requested by Controller. Any audits conducted by or on behalf of Controller shall be undertaken under the terms and conditions mutually agreed by the parties hereto.
13.2 If (i) a Security Breach occurs or is occurring, (ii) Processor becomes aware of a breach of any of its obligations under this DPA or any Privacy and Data Protection Requirements, or (iii) an audit reveals one or more material vulnerabilities in Processor’s facilities, networks or systems, Processor will: (a) promptly conduct its own audit (if needed) to determine the cause; (b) provide Controller with a copy of a written report that includes plans to remedy any deficiencies identified by the audit; and (c) remedy any deficiencies identified by the audit at its sole cost and expense within thirty (30) days.
- Representations and Warranties; Covenants.
14.1 Processor warrants and represents that:
(a) its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to Personal Information and agree to be bound by the obligations of this DPA applicable to such party;
(b) it and anyone operating on its behalf will process Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments;
(c) to its knowledge, there are no Privacy and Data Protection Requirements that prevent it from fulfilling any of its obligations under the Terms of Service or this DPA;
(d) it will regularly investigate the completeness, accuracy, and sufficiency of any specific instructions from Controller, including Controller Instructions, or Personal Information to ensure compliance with all applicable Privacy and Data Protection Requirements; and
(e) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to (i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; (ii) the nature of the Personal Information protected; and (iii) compliance with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required in Section 5.1.
14.2 Controller warrants and represents that Processor’s expected use of Personal Information for the Business Purpose and as specifically instructed by Controller will, to Controller’s knowledge at such time, comply with all Privacy and Data Protection Requirements which are applicable at the time such instruction is provided.
14.3 Processor and Controller hereby covenant not to perform any of their obligations under this DPA and/or the Terms of Service in any manner that would cause either party to breach any of its obligations arising under the Privacy and Data Protection Requirements, or otherwise act or fail to act in such a manner that leads to such a breach.
- Indemnification; Limitation of Liability. Controller shall indemnify, defend, and hold harmless, at its own expense, Processor and its officers, directors, agents, employees, shareholders, and representatives (collectively, “Affiliates”) against any and all costs, claims, damages, and expenses (including reasonable attorney’s fees and expert fees) (each a “Loss” and collectively, “Losses”) incurred by Processor or for which Processor may become liable due to any failure by Controller or its employees, subcontractors, or agents to comply with any of Controller’s obligations under this DPA or applicable Privacy and Data Protection Requirements. Processor shall indemnify, defend and hold harmless, at its own expense, Controller and its Affiliates against any and all Losses incurred by Controller or for which Controller may become liable due to any failure by Processor or its employees, Sub-processors or agents to comply with any of Processor’s obligations under this DPA or applicable Privacy and Data Protection Requirements. An indemnifying party shall control the defense and settlement of any indemnified Loss under this DPA with counsel of its choice. The indemnified party may, however, retain additional counsel at its sole cost and expense. An indemnifying party may not settle a Loss on behalf of the indemnified party without the indemnified party’s prior written consent, which shall not unreasonably be withheld. This DPA shall not limit the liability of either Controller or Processor to a Data Subject regarding such individual’s data protection rights under Privacy and Data Protection Requirements; provided, however, that any claims made against Processor or Controller arising out of or related to this DPA may only be brought by a party to this DPA. In addition, this DPA shall not limit any liability between the parties hereto for violations of Privacy and Data Protection Requirements.
16.1 Notice. Unless otherwise specified herein, any notice or other communication given to Endear under or in connection with this DPA must be in writing and delivered to:
4 East 72nd Street
New York, NY 10021
Attention: Leigh Teicher
16.2 Interpretation. This DPA is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this DPA. In the case of conflict or ambiguity between:
(a) any of the provisions of this DPA and the provisions of the Terms of Service and any invoices, exhibits, or related agreements thereto, the provisions and Appendices of this DPA will prevail;
(b) any of the provisions of this DPA and any executed Standard Contractual Clauses, where applicable, the provisions of the executed Standard Contractual Clauses will prevail; and
(c) any of the provisions of this DPA or any executed Standard Contractual Clauses and any Privacy and Data Protection Requirements, where applicable, the Privacy and Data Protection Requirements will prevail.
16.3 Service Provider Relationship. To the extent the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) applies, the parties acknowledge and agree that Processor is a service provider and is receiving Personal Information from Controller to provide the services as agreed in the Terms of Service, which constitutes a business purpose.
16.4 Survival. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms of Service or the DPA in order to protect Personal Information will remain in full force and effect for so long as applicable.