Data Processing Agreement (DPA)
Updated: November 11, 2019
This data processing agreement (DPA), pursuant to art. 28 General Data Protection Regulation (GDPR), is made between the following parties:
Controller: a customer of Userlist (“Customer”, “you”);
Processor: Userlist, operated by Userlist, Inc. ("Userlist," "we," "our", or “us”).
The subject matter of this DPA and the thereto related processing activities result from Userlist Terms of Service Agreement (“Agreement”) between you and Userlist. This DPA amends and supplements your Agreement and requires no further action on your part.
The parties agree that to the extent Userlist operates and manages the Service, Userlist is acting as a processor under data protection laws on the Customer’s behalf, and the Customer is acting as the controller under data protection laws for the Customer’s end users.
The term of this DPA corresponds to the term of the Agreement.
Categories of Personal Data
The categories of personal data processed are:
- key personal data;
- contact data;
- key contract data;
- customer history;
- billing, invoicing and payment data;
- data related to user behavior within Customer’s software product (including, but not limited to, user events and properties);
- data related to communication (email and other types of messages) between the Customer and their end users;
- aggregated data and analytics gained by processing any of the above data categories;
- other Customer and end user data required for fulfilling the purpose of the Service.
Categories of Data Subjects
The personal data collected and processed related to:
- potential customers;
- employees, subcontractors, collaborators;
- authorised agents;
- reference persons.
The Customer acknowledges that, in connection with the Services, personal data will be transferred to Userlist in the United States.
The Standard Contractual Clauses apply with respect to personal data that is transferred outside the European Economic Area (“EEA”), either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the data protection laws).
Technical and Organisational Measures
1. Prior to the execution of this DPA, the Processor shall demonstrate that all necessary technical and organisational measures, specifically with regard to the detailed performance of this DPA, have been adopted and shall, upon request, provide documented evidence thereof to the Controller. Upon acceptance by the Controller, such documented measures become binding part of this DPA and are attached to it. Insofar as an inspection/audit by the Controller shows the necessity for amendments, such amendments shall be implemented by mutual agreement.
2. The Processor shall guarantee security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. Such measures shall guarantee data security and a protection level appropriate to the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the likelihood of data breaches and the severity of risks to the rights and freedoms of natural persons possibly resulting thereof within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.
3. The technical and organisational measures are subject to technical and technological progress and development. Hence, the Processor may adopt alternative adequate measures adapted to the changed technological environment. When doing so, the processing security level may not be reduced. Substantial changes must be documented.
Rectification, Restriction and Erasure of Data
1. The Processor may not rectify, erase or restrict the processing of data that is being processed on the Controller's behalf at its own initiative but only upon documented instructions by the Controller, unless the Controller violates Userlist Terms of Service or Anti-Spam Policy and their access to Service is terminated as a result of such violation
2. Should a Data Subject contact the Processor directly concerning a rectification, erasure, or restriction of processing, the Processor shall immediately forward such Data Subject’s request to the Controller. The requests of erasure, rectification, data portability and access shall be fulfilled by the Processor in accordance with documented instructions by the Controller without undue delay.
Quality Assurance and Other Duties of the Processor
In addition to complying with the provisions of this DPA, the Processor commits to meet all applicable statutory requirements set forth at Articles 28 to 33 GDPR. Therefore the Processor ensures, in particular, compliance with the following requirements:
1. Appointment of a Data Protection Officer (DPO). The current DPO is:
Address: 6595 Roswell Road, STE G2130, Atlanta, GA 30328, USA
Email address: email@example.com
The Processor shall inform the Controller without delay about any changes of Data Protection Officer.
2. Confidentiality. Processing activities under this DPA shall only be performed by such employees or collaborators and agents that have been instructed by the Processor about the appropriate dealing with personal data and have been contractually subjected to confidentiality pursuant to art. 28 par. 3 (b) and art. 32 GDPR. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless upon instructions by the Controller, including the powers granted under this DPA, unless they are required to do so by statutory law.
3. Technical and Organisational Measures. Implementation of and compliance with all appropriate Technical and Organisational Measures in the framework of this DPA, in particular as set forth at art. 32 GDPR. The Processor shall periodically monitor the internal processes and the technical and organisational measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of data subjects' rights. The Processor shall grant verifiability of the technical and organisational measures to the Controller as part of the Controller’s supervisory powers referred to in sec. 7 of this contract.
4. Cooperation with Supervisory Authorities. The Controller and the Processor shall cooperate, on request, with the supervisory authority. The Controller shall be informed immediately of any inspections and measures executed by the supervisory authority, insofar as they relate to the activities under this DPA. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any provision regarding the processing of personal data in connection with the processing of this DPA. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative fine, a preliminary injunction or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the processing of data by the Processor as of this DPA, the Processor shall make every effort to support the Controller.
1. The Processor may outsource part of the processing activities pursuant to this DPA to Subprocessors that, as far as legally required, shall be subject to the contractual obligations resulting from art. 28 par. 4 GDPR.
2. The Processor currently commissions the following Subprocessors on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR are listed in our list of Subprocessors.
3. The transfer of personal data to any Subprocessor shall only take place after all above-mentioned conditions for the appointment of Subprocessors have been met.
4. The Processor shall bear full responsibility and liability for the activities of its Subprocessors. Any change in the list of Subprocessors shall be notified to the Controller without undue delay, giving the Controller the option to object. In case of objection, the Processor retains the right to terminate the Contract with the Controller without notice.
5. In particular, in case a Subprocessor should provide its services outside the EU/EEA, the Processor shall ensure compliance with EU Data Protection Regulations by appropriate measures, as described at sec. 2 of this DPA.
Supervisory Powers of the Controller
1. Upon consultation with the Processor, the Controller has the right to carry out inspections or to have them carried out by an auditor to be designated on a case-by-case basis. The auditor shall have the right to assess the Processor's compliance with this DPA in his business operations by means of random checks, which are ordinarily to be announced in advance.
2. The Processor shall allow the Controller to verify compliance with its obligations as provided by Article 28 GDPR. The Processor undertakes to give the Controller the necessary information on request and, in particular, to demonstrate the implementation of the technical and organisational measures.
3. Evidence of such measures, which may not only concern the activities under this DPA, may also be provided by:
- compliance with approved Codes of Conduct pursuant to Article 40 GDPR;
- certification according to an approved certification procedure in accordance with Article 42 GDPR;
- current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data protection auditor);
- a suitable certification by IT security or data protection auditing.
4. The Processor may charge a reasonable fee to the Controller for enabling inspections.
Assistance to the Controller
1. The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations set forth at Articles 32 to 36 of the GDPR, including
- ensuring adequate protection standards through technical and organisational measures, taking into account the type, circumstances and purposes of processing, the likelihood of data breaches and the severity of the risk to natural persons possibly resulting thereof;
- ensuring immediate detection of infringements;
- reporting data breaches without undue delay to the Controller;
- assisting the Controller in answering to data subjects' requests or the exercise of their rights.
2. The Processor may claim a reasonable fee for support services which are not included in the description of the services and which are not attributable to failures on the part of the Processor.
Directive Powers of the Controller
1. The Processor shall not process any personal data under this DPA except on instructions from the Controller, unless required to do so by Union or Member State law.
2. In case the Controller should require any change in the processing of personal data set forth by the documented instructions mentioned at sec. 2, the Processor shall immediately inform the Controller if it considers such changes likely to result in infringements to data protection provisions. The Processor may refrain from carrying out any activity that may result in any such infringement.
1. Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents. Furthermore, each party commits to indemnify the other party against any claim exerted by third parties due to or in connection with any culpable infringement by the respectively other party.
2. Art. 82 GDPR stays unaffected.
Deletion and Return of Personal Data
1. The Processor shall not create copies or duplicates of the data without the Controller's knowledge and consent, except for backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
2. After conclusion of the provision of services, the Processor shall, at the Controller's choice, delete in a data-protection compliant manner or return to the Controller all the personal data collected and processed under this DPA, unless any applicable legal provision requires further storage of the personal data. In any case the Processor may retain all information necessary to demonstrate orderly and compliant processing activities beyond termination of the Contract, in accordance with the statutory retention periods.
3. Documentation which is used to demonstrate orderly data processing in accordance with the DPA shall be stored beyond the contract term by the Processor in accordance with the respective retention periods. It may hand such documentation over to the Controller at the end of the contract duration to relieve the Processor of this contractual obligation.
Should you have any questions, or need a signed version of this DPA, please contact us at firstname.lastname@example.org or using the address below:
6595 Roswell Road, STE G2130
Atlanta, GA 30328
Userlist is a trademark of Userlist, Inc. Userlist reserves all rights not expressly granted in this Data Protection Agreement.