VipeCloud Data Processing Agreement

December 28, 2022

VIPECLOUD DATA PROCESSING AGREEMENT [between VIPE and its CRM customers (“User”)]

This Data Processing Agreement (“DPA”) supplements the VipeCloud, Inc. Subscription Agreement, VipeCloud, Inc. Privacy Policy and VipeCloud, Inc. Terms of Use which, together, constitute the entire agreement (“Agreement”) between VipeCloud, Inc. and User (collectively, the “Parties”), and governs User’s use of the VipeCloud, Inc.  products and services (“Service”). 

This DPA addresses the specific requirements of Data Protection Laws and applies solely to the extent User uses the Service to Process Personal Data subject to Data Protection Laws, as those terms are defined herein. 

This DPA is in effect for the period that VipeCloud, Inc. Processes Personal Data for User. This DPA may be amended from time to time by VipeCloud, Inc. to comply with any changes to applicable Data Protection Laws. This DPA was last updated on December 20, 2022.    

1. Definitions.  Unless the context otherwise requires or unless otherwise expressly defined herein, the terms defined in the Agreement shall have the same meanings whenever used in this DPA.  

1.1 “Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under this Agreement.

1.2 “Data Subject” means the individual to whom Personal Data relates.

1.3 "European Data Protection Laws" means all data protection laws and regulations applicable to Europe, including but not limited to Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).

1.4 “Instructions” means the written, documented instructions issued by User to VIPE, and directing VIPE to perform a specific or general action with regard to Personal Data.

1.5 "Permitted Affiliates" means any of User’s Affiliates that (i) are permitted to use the Service pursuant to the Agreement, but have not signed their own separate agreement with VIPE and are not a “User” as defined under the Agreement.

1.6 “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household but does not include publicly available information.

1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by VIPE and/or our Sub-Processors in connection with the provision of the Service. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.8 “Processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

1.9 “Service” shall have the meaning as defined in the VIPE Privacy Policy.

1.10 "Sensitive Data" means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.

1.11 “SCCs” means either (i) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision 2010/87/EU of 5 February 2010 (the “2010 Controller-to-Processor Clauses”); (ii) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, and currently located here (the “2021 Controller-to-Processor Clauses”); or (iii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, and currently located here (the “2021 Processor-to-Processor Clauses”); as applicable in accordance with Section 7.

1.12 “User Data” means all information User loads or otherwise inputs into the Service (or provides to VIPE for loading or inputting into the Service on behalf of User), and any information provided by User relating to its use of Services and includes, but is not limited to, “Usage Data” as that term is defined in the VIPE Privacy Policy.

1.13 “User” means the user of the Service and the counter party to the Agreement.

1.14 “VIPE” shall mean VipeCloud, Inc.

2. User Responsibilities

2.1 Compliance with Laws. Within the scope of the Agreement and in its use of the Service, User shall be solely responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions User issues to VIPE.

2.2 In particular but without prejudice to the generality of the foregoing, User acknowledges and agrees that User shall be solely responsible for: (i) the accuracy, quality, and legality of User Data and the means by which User acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by User for marketing purposes); (iii) ensuring User has the right to transfer, or provide access to, the Personal Data to VIPE for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that User’s Instructions to VIPE regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. User will inform VIPE without undue delay if User is not able to comply with User’s responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.

2.3 Instructions. The parties agree that the Agreement (including this DPA), together with User’s use of the Service in accordance with the Agreement, constitute User’s complete Instructions to VIPE in relation to the Processing of Personal Data, so long as User may provide additional Instructions during the subscription term that are consistent with the Agreement, the nature and lawful use of the Service and this DPA.

2.4 Security. User is responsible for independently determining whether the data security provided for in the Service adequately meets User’s obligations under applicable Data Protection Laws. User is responsible for User’s secure use of the Service, including protecting the security of Personal Data in transit to and from the Service (including to securely backup or encrypt any such Personal Data).

2.5 User will not provide (or cause to be provided) any Sensitive Data to VIPE for processing under the Agreement, and VIPE will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.

3. VIPE Obligations

3.1 Role. If European Data Protection Laws apply to either party’s processing of User Data, the parties acknowledge and agree that, with regard to the processing of User Data, VIPE is a processor acting on behalf of User (whether itself a controller or a processor). For the avoidance of doubt, this DPA shall not apply to instances where VIPE is the controller (as defined by European Data Protection Laws).

3.2 Compliance with Instructions. VIPE will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of User’s lawful Instructions, except where and to the extent otherwise required by applicable law. VIPE shall not be responsible for compliance with any Data Protection Laws applicable to User or User’s industry that are not generally applicable to VIPE.

3.3 Conflict of Laws. If VIPE becomes aware that VIPE cannot Process Personal Data in accordance with User’s Instructions due to a legal requirement under any applicable law, VIPE will (i) promptly notify User of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as User issues new Instructions with which VIPE is able to comply. If this provision is invoked, VIPE will not be liable to User under the Agreement for any failure to perform the applicable Service until such time as User issues new lawful Instructions with regard to the Processing.

3.4 Security. VIPE will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex B to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, VIPE may modify or update the Security Measures at VIPE’s discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures. 

3.5 Confidentiality. VIPE will ensure that any personnel whom VIPE authorizes to Process Personal Data on VIPE’s behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

3.6 Personal Data Breaches. VIPE will notify User without undue delay after VIPE becomes aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by User. At User’s request, VIPE will promptly provide User with such reasonable assistance as necessary to enable User to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if User is required to do so under applicable Data Protection Laws.

3.7 Deletion or Return of Personal Data. VIPE will delete or return all User Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of User’s Subscription Service in accordance with the procedures set out in the Agreement. This term will apply except where VIPE is required by applicable law to retain some or all of the User’s Data, or where VIPE has archived User’s Data on back-up systems, which data VIPE will securely isolate and protect from any further Processing and delete in accordance with VIPE deletion practices. User may request the deletion of User’s VIPE account after expiration or termination of User’s subscription by sending a request to legal@vipecloud.com.  User may also cancel User’s account in accordance with VIPE Terms (found at https://vipecloud.com/terms/) and request deletion by emailing support@vipecloud.com. User may retrieve User’s Data from User’s account in accordance with provisions of the “Termination of Service” section in VIPE’s Terms.

3.8 Audit Rights.  Upon written request, VIPE shall supply (on a confidential basis) a summary copy of its most current security audit report(s) (“Report”) to User, so that User can verify VIPE’s compliance with the security standards against which it has been assessed and this DPA.  In addition to the Report, VIPE shall respond to all reasonable requests for information made by User to confirm VIPE’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon User’s written request to privacy@vipecloud.com, provided that User shall not exercise this right more than once per calendar year.

3.9 Data Protection Impact Assessment. To the extent required under applicable Data Protection Laws, VIPE shall (considering the nature of the processing and the information available to VIPE) provide all reasonably requested information regarding the Service to enable User to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. VIPE shall comply with the foregoing by: (i) complying with Section 3.8 (Security Reports and Audits); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for User to comply with such obligations, upon request, providing additional reasonable assistance (at User’s expense).

4. Data Subject Requests

4.1 The Service includes certain features that allow User to comply with its legal obligations toward data subjects under applicable Data Protection Laws, including obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").  

4.2 To the extent User is unable to independently address a Data Subject Request through the Service, then upon User’s written request and at User’s expense, VIPE will utilize best efforts to comply with User’s reasonable requests for assistance in responding to a Data Subject Request. 

4.3 If VIPE receives a request from User’s Data Subject to exercise one or more of its rights under applicable Data Protection Laws, VIPE will redirect the Data Subject to make its request directly to User and VIPE will notify User that it received such request from a Data Subject. 

4.4 User will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

5. Sub-Processors

5.1 General Authorization. User hereby authorizes and agrees that VIPE may use sub-processors engaged by VIPE to perform its obligations under this Agreement or to provide certain services on VIPE’s behalf, such as database storage (“Sub-processors”).

5.2 VIPE will impose on its Sub-processors the same (or substantially similar) data protection obligations as set out in this Agreement (as appropriate taking into consideration the type of Personal Data Processed by a Sub-processor and the nature of the Processing), and VIPE remains responsible for the Processing activities of its Sub-processors to the extent such Processing activities cause VIPE to breach any of its obligations under this Agreement.

5.3 Sub-processor List. User may view a list of VIPE’s current Sub-processors at https://vipecloud.com/privacy/ or by contacting VIPE’s support team at support@vipecloud.com.  

5.4 New or Replacement Sub-processors. VIPE will send an electronic notice to User’s then-current email address, as reflected on VIPE subscription records, of any intended addition or replacement of Sub-processors and allow User to reasonably object to such changes by notifying VIPE in writing within 30 days after receipt of VIPE’s notice of an addition or replacement of a Sub-processor. 

5.5 User’s objection notice must include an explanation for the reasonable grounds of User’s objection that relates to the protection of Personal Data, in which case VIPE  will have the right to cure User’s objection through one of the following options (to be selected at VIPE's sole discretion): 

5.5.1 VIPE will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Service without such Sub-processor; 

5.5.2 VIPE will take the corrective steps requested by User in its objection notice (which will eliminate User's objection) and proceed to use the Sub-processor with regard to  Personal Data; or 

5.5.3 VIPE may cease to provide or User may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Sub-processor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the fee for the Service considering the reduced scope of the Service.

If none of the above options are reasonably available and User’s objection has not been resolved to the mutual satisfaction of the parties within 30 days after VIPE’s receipt of User's written objection, either party may terminate the Service by providing the other party written notice and User will be entitled to a refund subject to VIPE’s Terms of Use found at https://vipecloud.com/terms/. If User’s objection remains unresolved 60 days after it was raised by User, and VIPE has not received any notice of termination from User, User will be deemed to accept the new or replacement Sub-processor. 

5.6 Emergency Sub-processor Replacement. Notwithstanding the foregoing, VIPE may change a Sub-processor where the reason for the change is outside of VIPE’s reasonable control. In this case, VIPE will inform User of the replacement Sub-processor as soon as possible. User retains its right to object to a replacement Sub-processor under Sections 5.4 and 5.5 above. 

6. Data Transfers.  User acknowledges that VIPE may transfer and process User Data to and in the United States and anywhere else in the world where VIPE, its Affiliates or its Sub-processors maintain data processing operations. VIPE shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA. 

7. Additional Provisions for European Data Transfers. To the extent that VIPE is a recipient of User Data protected by European Data Protection Laws (“European Data”) in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable European Data Protection Laws), the parties agree to abide by and process European Data in compliance with the SCCs, which shall be incorporated into and form an integral part of this DPA as follows: (a) if User started using the Service before 27 September 2021, the 2010 Controller-to-Processor Clauses shall apply (regardless of whether User is a controller or a processor) until December 27, 2022, and thereafter the 2021 Controller-to-Processor Clauses and/or the 2021 Processor-to-Processor Clauses shall automatically apply (according to whether User is a controller and/or a processor); (b) if Customer started using the Service on or after 27 September 2021, the 2021 Controller-to-Processor Clauses and/or the 2021 Processor-to-Processor Clauses shall apply (according to whether User is a controller and/or a processor) immediately.

8. Compliance with the SCCs.

8.1 The parties agree that if VIPE cannot ensure compliance with the SCCs, it shall promptly inform User of its inability to comply. 

8.2 If User intends to suspend the transfer of European Data and/or terminate the affected parts of the Service, it shall first provide notice to VIPE and provide VIPE with a reasonable period of time to cure such non-compliance, during which time VIPE and User shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required. 

8.3 User shall only be entitled to suspend the transfer of data and/or terminate the affected parts of the Service for non-compliance with the SCCs if VIPE has not or cannot cure the non-compliance within a reasonable period.

9. Additional Provisions for California Personal Information.  

9.1 To the extent the California Consumer Privacy Act (“CCPA”) applies, this 'Additional Provisions for California Personal Information' section of the DPA will apply only with respect to California Personal Information.

9.2 When processing California Personal Information in accordance with User’s Instructions, the Parties acknowledge and agree that User is a Business and VIPE is a Service Provider, as those terms are defined in the CCPA.

9.3 The Parties agree that VIPE will Process California Personal Information as a Service Provider strictly for the purpose of performing the Service under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA.

10. General Provisions.  The parties agree that this DPA will replace any existing data processing agreement the Parties may have previously entered into in connection with the Service. 

10.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

10.2 Any claims against VIPE or its Affiliates under this DPA may only be brought by the User that is a party to the Agreement. 

10.3 In no event shall this DPA or any party restrict or limit the rights, if any, of any Data Subject or of any competent supervisory authority. 

10.4 This DPA will be governed by and construed in accordance with the governing law, jurisdiction, and venue provisions in the Agreement, unless otherwise required by applicable Data Protection Laws. 

10.5 Except as amended by this DPA, the Agreement remains in full force and effect. If there is a direct conflict between the Agreement and this DPA, the terms of this DPA will control.

11. Parties to this DPA.

11.1 By signing the Agreement, User enters into this DPA (including, where applicable, the SCCs) on behalf of itself and in the name and on behalf of User’s Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “User”, “you” and “your” will include User and such Permitted Affiliates.

11.2 The legal entity agreeing to this DPA as User represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

11.3 The Parties agree that (i) solely the User entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the User entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. 

11.4 The User entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.  

Annex A – Details of Data Processing

a) Categories of data subjects:

The categories of data subjects whose personal data is processed include (i) Users (i.e., individual end users with access to a VIPE account) and (ii) Contacts (i.e., User’s subscribers and other individuals about whom a User has given us information or has otherwise interacted with a User via the Service).

b) Categories of personal data:

User may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by User in its sole discretion, and may include the following types of personal data:

- Users: Identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility).

- Contacts: Identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).

c) Sensitive data processed (if applicable):

VIPE does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service.

d) Frequency of processing:

Continuous and as determined by User.

e) Subject matter and nature of the processing:

VIPE provides a suite of customer relations management services including an email service, automation and marketing platform and other related services, as more particularly described in the Agreement. The subject matter of the data processing under this DPA is the User Data. User Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:

- Storage and other processing necessary to provide, maintain and improve the Service provided to Customer pursuant to the Agreement; and/or

- Disclosures in accordance with the Agreement and/or as compelled by applicable law.

f) Purpose of the processing:

VIPE shall only process User Data for the lawful, permitted purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by User in its use of the Service; and (iii) processing to comply with any other reasonable Instructions provided by User (e.g., via email or support tickets) that are consistent with the terms of the Agreement.

g) Duration of processing and period for which personal data will be retained:

VIPE will process User Data for the duration of the term set forth in this DPA, including section 3 herein.

Annex B - Security Measures

See VIPE’s Security, Privacy and Architecture Documentation, found at

https://vipecloud.com/security/

https://vipecloud.com/privacy/