Purpose of the DPA. This DPA is intended to satisfy the requirement for an obligatory contract between the processor and controller for the onward transfer of personal data as well as to reflect the Parties’ agreement for Cord’s provision of Services with regard to the Processing of Personal Data, in accordance with the requirements of Applicable Data Protection Law. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Definitions. For the purpose of this DPA, these terms shall mean the following:
2.1 “Applicable Data Protection Law” shall mean the laws and regulations of the United States, the European Union, the European Economic Area and/or their member states, and Switzerland and/or the United Kingdom as applicable to the Processing of the categories of Personal Data set forth in Section 4.7 of this DPA, including but not limited to, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the Swiss Federal Data Protection Act (“FDPA”), and the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100-.199 (“CCPA”).
2.2 “Authorized Personnel” means (a) Cord employees and Cord Affiliates’ employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable Services; and (b) Cord’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Cord to perform the Services. For the avoidance of doubt, Authorized Personnel include the sub-processors set forth in Section 7.
2.3 “EEA” means European Economic Area.
2.4 “Personal Data” means any data relating to an identified or identifiable person that is uploaded by Customer or its Users into the Subscription Services.
2.5 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.6 “Personal Data Breach” means a breach of Cord’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
2.7 “Sell” means the exchange of Personal Data for monetary or other valuable consideration, or as otherwise defined in the CCPA or federal law.
2.8 “Service Provider” means a legal entity that Processes Personal Data on behalf of Customer and to which Customer discloses Personal Data for a business purpose.
2.9 “Standard Contractual Clauses” means those clauses for the transfer of Personal Data from the EEA to Processors established in non-EEA countries that do not provide an adequate level of data protection, approved by EC Commission Decision of 5 February 2010, as currently set out at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
3.1 General. Cord shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to any request from a data subject to exercise any of its rights under GDPR (including its rights of access, correction, objection, erasure and data portability, as permitted); and any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Cord, Cord shall promptly inform Customer providing full details of the same unless otherwise prohibited. Cord shall provide Customer with reasonable assistance (at Customer’s expense) in support of a data protection impact assessment, solely in relation to Customer Personal Data, the Services and where the Customer would not otherwise have access to the relevant information. Cord shall maintain a record of all categories of Processing activities carried out on behalf of a Customer in accordance with the GDPR.
3.2 Cord as a Processor. Customer and Cord hereby agree that, with respect to any Personal Data contained in the Customer Data, Customer shall be deemed to be the data controller and the contracting Cord entity shall be deemed to be the data processor, as those terms are understood under the Applicable Data Protection Law. Unless otherwise specifically agreed to by Cord, Personal Data may be Processed by Cord and its authorized third-party service providers in the United States, the EEA or other locations around the world, provided that the transfer of Personal Data will comply with this DPA. As between the Parties, all Personal Data Processed under the terms of the Agreement shall remain the property of Customer. To the extent such Personal Data is not so categorized on the applicable Order or otherwise in writing, Customer’s Personal Data is limited to Customer employee first and last names, employee email addresses, IP address, and employee phone numbers. During the term of the Agreement, Cord shall Process Personal Data in accordance with Customer’s written instructions (unless expressly waived in a written requirement) and as permitted in the Agreement. In the event Cord reasonably believes there is a conflict between any Applicable Data Protection Law and Customer’s instructions, Cord will inform Customer and the Parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
3.3 Cord as a Controller. Where Cord is a controller, Cord shall Process the Personal Data of Customer’s Users as is necessary for the provision of the Services to Customer (for security and support purposes) and for its legitimate interest in ensuring the efficient provision of, and anticipating necessary fixes to, the Services. The legal bases are Article 6.1.b and 6.1.f of GDPR. Cord’s Data Protection Officer can be contacted via email at privacy@Cord.com. Provision of Personal Data by the Customer is a requirement necessary for the performance of the Services. Failure to provide the requested Personal Data may substantially impact the quality of the Services or otherwise preclude access to the Services by Customer’s Users. Cord will retain the Customer’s Personal Data only for as long as is necessary for the purposes described under this Section 3.3. In accordance with the requirements of Applicable Data Protection Laws, the Customer has the right to request from Cord access to and rectification or erasure of Personal Data or restriction of Processing, or to object to Processing, as well as the right to data portability. The Customer also has the right to lodge a complaint with the appropriate supervisory authority.
Transfer Mechanism. The Standard Contractual Clauses shall apply only to Processing of Personal Data that is directly or indirectly transferred from the EEA or Switzerland, to any recipient in a country that is not recognized by the European Commission or the Swiss FDPIC as providing an adequate level of protection to personal data or not covered by a suitable framework for the protection of Personal Data. The Parties agree that by executing this DPA they are also executing the Standard Contractual Clauses together with the following additional terms:
4.1 The Standard Contractual Clauses apply only to (i) Customer as a Data Exporter and, (ii) any Named Affiliates subject to the GDPR or FDPA, and are hereby incorporated by reference.
4.2 This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to Process Personal Data: (i) Processing in accordance with the Agreement; (ii) Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
4.3 Pursuant to Clause 5(h) of the Standard Contractual Clauses, (i) Customer acknowledges and expressly agrees that Cord’s Affiliates and the sub-processors listed in Section 7 of the DPA may be sub-processors; and (ii) Customer acknowledges and expressly agrees that Cord may engage new sub-processors as described in Section 7 of the DPA. The parties agree that sub-processing obligations pursuant to Clause 11 of the Standard Contractual Clauses shall be carried out in accordance with GDPR Article 28 or the applicable provisions of FDPA. The parties agree that the copies of the sub-processor agreements that must be provided by Cord to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial and confidential information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, redacted by Cord beforehand; and that such copies will be provided by Cord, in a manner to be determined in its discretion, only upon written request by Customer.
4.4 The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 10 of this DPA. To the extent the Standard Contractual Clauses additionally require that Cord’s facilities be submitted for inspection, Customer may contact Cord through prior written notice to request an on-site audit of the procedures relevant to the protection of Customer Personal Data. Customer shall reimburse Cord for any time expended for any such on-site audit at Cord’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Cord shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. Customer shall promptly notify Cord with information regarding any noncompliance discovered during the course of an audit. For the avoidance of doubt, Customer’s right to audit shall be subject to any limitations set forth in the Security Standards or the Agreement.
4.5 The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Cord to Customer only upon Customer’s request.
4.6 Each party’s liability for breaches of the Standard Contractual Clauses shall be subject to the limitations and exclusions of liability set out in the Agreement.
4.8 For the purposes of Appendix 2 of the Standard Contractual Clauses, the description of the technical and organizational security measures is that set out in Cord’s “Security Standards” (as defined in the Agreement).
CCPA. Customer has the authority to determine the purposes for and means of Processing the Personal Data. The parties further agree that Cord is acting solely as a Service Provider with respect to Personal Data, and accordingly will not Sell, collect, retain, use, disclose or otherwise Process Personal Data for any purpose other than for the specific purpose of performing the Services, obligations, or actions for the benefit of Customer or Users as specified in the Agreement. Cord will promptly inform Customer of any individuals’ requests with respect to Personal Data for which Customer is responsible, including requests to access or delete Personal Data, and will promptly refer to Customer any inquiries received by Cord regarding the privacy practices of Customer. Cord will reasonably cooperate with and assist Customer in responding to such requests and inquiries.
Security Controls. Cord shall maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer’s data and confidential and proprietary information, including Personal Data, as further set forth in Cord’s Security Standards. Cord will regularly monitor compliance with the Security Standards. Cord will not intentionally decrease the Security Standards during the term of the Agreement.
(a) With respect to any new or replacement sub-processor, Cord shall (i) execute a written agreement that obligates it to (1) protect such Personal Data to the same extent as is required of Cord by the Agreement, and (2) be in compliance with Applicable Data Protection Laws, and (ii) ensure that such new sub-processor is subject to industry-standard external security auditing (collectively, the “Conditions”). Cord agrees to provide Customer with notice at least thirty (30) days in advance of any new or replacement sub-processor that Processes Personal Data under the Agreement (“Sub-processor Notice”), giving the Customer the opportunity to object. Such Sub-processor Notice may be provided either by sending an email to the Account Administrator indicated in the applicable Order, or by notifying Customer Users via the Subscription Services. If Customer has a reasonable belief that such new sub-processor cannot comply with the Conditions, Customer may object to any new sub-processor by terminating the applicable Order(s) with respect only to those services which cannot be provided by Cord without the use of the objected-to new sub-processor. Such termination will be made by providing written notice to Cord, on the condition that Customer provides such notice within twenty (20) days of being informed of the engagement of the new sub-processor as described herein. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new sub-processor. For the avoidance of doubt, Customer will be deemed to have consented to such sub-processor absent an objection within the stated time period.
(b) Customer acknowledges that Cord provides a standardized service to all customers which does not allow using different sub-processors for different customers and, therefore, that the inability to use a particular new or replacement sub-processor for the Services to the Customer may result in delay in performing the Services, inability to perform the Services or increased fees. Cord will notify Customer in writing of any change to Services or fees that would result from Cord’s inability to use a new or replacement sub-processor to which Customer has objected.
(c) Cord will ensure that sub-processors only access and use Personal Data in accordance with the terms of the Agreement (including this DPA) and that they are bound by written obligations: (i) that require them to provide at least the level of data protection required by Applicable Data Protection Law and by the Agreement; and (ii) where applicable, that impose the level of data protection required by the Standard Contractual Clauses.
7.2 Cord may replace a sub-processor without advance notice where the reason for the change is outside of Cord’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Cord will inform Customer of the replacement sub-processor as soon as possible following its appointment. Section 7.1(a) applies accordingly.
7.3 Cord shall be liable for the acts and omissions of its or its Affiliate’s sub-processors to the same extent Cord would be liable if performing the Services of each sub-processor directly under the terms of this DPA.
7.4 A current list of sub-processors that may be used for Processing Personal Data is available to Customer without charge on demand. Cord will keep the sub-processor list current and inclusive of any new sub-processors and will make the updated sub-processor list available to Customer upon request by Customer.
Personal Data Breaches. After becoming aware of a confirmed Personal Data Breach Cord will (a) notify Customer of the Personal Data Breach without undue delay; (b) investigate the Personal Data Breach; (c) provide Customer with details about the Personal Data Breach; and (d) make best efforts to prevent a recurrence of the Personal Data Breach. Cord agrees to cooperate in Customer’s handling of the matter by: (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Personal Data Breach’s effects on Customer, as required to comply with Applicable Data Protection Law.
Audits and Certifications. Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement (unless such information is reasonably required to be disclosed as a response to a data subject’s inquiries under Applicable Data Protection Law), Cord shall make available to Customer (or a mutually agreed upon third-party auditor) information regarding Cord’s compliance with the obligations set forth in this DPA, including reasonable documentation as further set forth in Cord’s Security Standards. For the avoidance of doubt, the scope of any assessment of Cord’s privacy program and compliance with this DPA (“Privacy Assessment”) shall be limited to documents and records allowing the verification of Cord’s compliance with the obligations set forth in this DPA, and shall exclude financial documents or records of Cord or any documents or records concerning other customers of Cord. Without limiting the foregoing, if Customer has audited Cord pursuant to Exhibit B, Section 11 (Audit and Testing) of the Master Terms and Conditions (“Security Audit”), Cord may charge the associated costs of any Privacy Assessment that includes an additional Security Audit in the same twelve (12) month period. Cord will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
Interpretation. The Parties agree that when interpreting Applicable Data Protection Law in conjunction with either Party’s rights and obligations in this Data Processing Agreement, it shall be interpreted based on the applicable Party’s role in its Processing of Personal Data.
11.1 Conflicts. In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail. In the event and to the extent of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses in a way that materially affects the adequacy of the transfer, the Standard Contractual Clauses shall prevail.
11.2 Severability. In the event any provision of this DPA, in whole or in part, is invalid, unenforceable or in conflict with the applicable laws or regulations of any jurisdiction, such provision will be replaced, to the extent possible, with a provision which accomplishes the original business purposes of the provision in a valid and enforceable manner, and the remainder of this DPA will remain unaffected and in full force.
11.3 Counterparts. This DPA may be executed in several counterparts, each of which shall be deemed an original and all of which shall constitute one and the same instrument, and shall become effective when counterparts have been signed by each of the Parties and delivered to the other Parties; it being understood that all Parties need not sign the same counterparts. Signatures of the Parties transmitted via facsimile or other electronic means shall be deemed to be their original signatures for all purposes.
11.4 Liability. Each party’s liability for breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Either party’s liability for a breach of this DPA will be subject to the liability cap set out in the Agreement.