GDPR DATA PROCESSING ADDENDUM

Last Updated: July 25, 2020

This GDPR Data Processing Addendum (“DPA”) forms part of the Terms of Use available at https://flipcause.org/terms (as applicable, the “Agreement”), entered into by and between the Account Holder and Flipcause, pursuant to which the Account Holder has accessed Flipcause’s Service as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.

If the Account Holder entity entering into this DPA has executed an order form or statement of work with Flipcause pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Account Holder entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Account Holder entity that is a party to the Agreement executes this DPA.

This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by the Account Holder and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.

In the course of providing the Service to Users pursuant to the Agreement, Flipcause may process personal data on behalf of the Account Holder. Flipcause agrees to comply with the following provisions with respect to any personal data submitted by or for the Account Holder to the Service or collected and processed by or for the Account Holder through the Service. Any capitalized terms we use in this DPA without defining them have the definitions given to them in the Terms of Use and Privacy Policy.

1. DATA PROCESSING TERMS

1.1. In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.

“data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;

1.2. The parties agree that Account Holder is the data controller and that Flipcause is its data processor in relation to personal data that is processed in the course of providing the Service. Account Holder shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Flipcause pursuant to the Agreement.

1.3. The subject-matter of the data processing covered by this DPA is the Service ordered by the Account Holder either through Flipcause’s website or through an Ordering Document and provided by Flipcause to the Account Holder via email, or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Account Holder’s continued use of the Service ceases. Further details of the data processing are set out in Section 2, below.

1.4. In respect of personal data processed in the course of providing the Service, Flipcause:

(i). shall process the personal data only in accordance with the documented instructions from the Account Holder (as set out in this DPA or the Agreement or as otherwise notified by the Account Holder to Flipcause (from time to time)). If Flipcause is required to process the personal data for any other purpose provided by applicable law to which it is subject, Flipcause will inform the Account Holder of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;

(ii). shall notify the Account Holder without undue delay if, in Flipcause’s opinion, an instruction for the processing of personal data given by the Account Holder infringes applicable Data Protection Legislation;

(iii). shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;

(iv). may hire other companies to provide limited services on its behalf, provided that Flipcause complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Flipcause has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Flipcause remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Flipcause transfers personal data will have entered into written agreements with Flipcause requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the Account Holder located at https://help.flipcause.com/help/flipcause-subprocessors. If the Account Holder requires prior notification of any updates to the list of subprocessors, the Account Holder can request such notification in writing by emailing legal@flipcause.com. Flipcause will update the list within thirty (30) days of any such notification if the Account Holder does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Flipcause’s reasonable opinion, such objections are legitimate, the Account Holder may, by providing written notice to Flipcause, terminate the Agreement.

(v). shall ensure that all Flipcause personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause;

(vi). at the Account Holder’s request and cost (and insofar as is possible), shall assist the Account Holder by implementing appropriate and reasonable technical and organisational measures to assist with the Account Holder’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Flipcause reserves the right to reimbursement from the Account Holder for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;

(vii). when the General Data Protection Regulation (Regulation (EU) 2016/279) comes into effect, shall take reasonable steps at the Account Holder’s request and cost to assist Account Holder in meeting Account Holder’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that Flipcause reserves the right to reimbursement from the Account Holder for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;

(viii). at the end of the applicable term of the Services, upon the Account Holder’s request, shall securely destroy or return such personal data to the Account Holder;

(ix). may transfer personal data from the EEA to the US for the purposes of this DPA pursuant to the EU-US Privacy Shield provided that Flipcause maintains its certification under the EU-US Privacy Shield;

(x). shall allow the Account Holder and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Flipcause in connection with the provision of the Services, and provide all reasonable assistance in order to assist the Account Holder in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Flipcause is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Flipcause of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Flipcause’s IT personnel. Such audit may be carried out by the Account Holder or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Flipcause’s IT system, data hosting sites or centers, or infrastructure will be permitted;

(xi). If Flipcause becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Flipcause in the course of providing the Service (an “Incident”) under the Agreement it shall without undue delay notify the Account Holder and provide the Account Holder (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident only if it affects the Account Holder Data stored in our database. Flipcause shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident; Account Holder waives disclosure of incidents that do not affect the Account holder or Data stored in our database;

(xii). Flipcause shall provide information requested by the Account Holder to demonstrate compliance with the obligations set out in this DPA.

2. DETAILS OF THE DATA PROCESSING

2.1. Flipcause shall process information to provide the Service pursuant to the Agreement. Flipcause shall process information sent by Account Holder’s end users identified through Account Holder’s implementation of the Service. As an example, in a standard implementation, to utilize the Service, the Account Holder may allow the following information to be sent by default as “default reporting fields:”

2.2 Types of Personal Data:

(i). For a full list of default reporting fields available to the Account Holder, see:
https://help.flipcause.com/help/default-reporting-fields.

2.3. Additional details regarding what information the Account Holder may send to Flipcause can be found in the terms of the Agreement.