PeerBoard Data Processing Agreement (DPA)
Last Updated: July 28, 2020
Need a signed copy? Email us at firstname.lastname@example.org
This Data Processing Agreement (“Addendum”), applies to agreements between Circles Collective Inc (“PeerBoard”), and entities who subscribe for PeerBoard's services and who are subject to Applicable Law (“Customer”) (collectively referred to as the “Parties”), sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by PeerBoard to Customer pursuant to the subscription agreement entered into between the Parties (the “Master Agreement”).
THESE TERMS (WHICH TOGETHER WITH ANY ONLINE ORDER PROCESS OR ORDER FORM OFFERED BY PEERBOARD THROUGH THE WEBSITE WHICH INCORPORATE THESE TERMS BY REFERENCE (“ORDER FORM”) ARE COLLECTIVELY REFERRED TO AS THE “AGREEMENT”) CONTAIN IMPORTANT LIMITATIONS ON REPRESENTATIONS, WARRANTIES, CONDITIONS, REMEDIES AND LIABILITIES THAT ARE APPLICABLE TO THE SERVICES. ACCORDINGLY, YOU SHOULD READ THESE TERMS CAREFULLY BEFORE USING THE SERVICES. EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE OR BY EXECUTING AN ORDER FORM THAT REFERENCES THESE TERMS, YOU AGREE TO THE TERMS HEREOF. IF YOU ARE AN AGENT OR EMPLOYEE OF AN ENTITY YOU REPRESENT AND WARRANT THAT (I) THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS AUTHORIZED TO ACCEPT THIS AGREEMENT ON SUCH ENTITY'S BEHALF AND TO BIND SUCH ENTITY, AND (II) SUCH ENTITY HAS FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS HEREUNDER. IF YOU DO NOT ACCEPT THESE TERMS, THEN DO NOT USE THE WEBSITE OR ANY OF ITS CONTENT OR SERVICES.
(A) “Applicable Law” means all applicable laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”), with effect from 25 May 2018, and EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time.
(B) “Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
(C) “Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.
(D) “Data Security Measures” means technical and organisational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.
(E) “Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.
(F) “Instructions” means this Addendum and any further written agreement or documentation through which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data.
(G) “Personal Data” means any information relating to an identified or identifiable natural person Processed by PeerBoard in accordance with Customer’s Instructions pursuant to this Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(H) “Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
(I) “Process”, “Processed”,or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(J) “Services” means the services offered by PeerBoard and subscribed for by Customer under the Master Agreement.
(K) “Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.
II. Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that Customer is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and PeerBoard is acting as a Data Processor on behalf and under the Instructions of Customer.
(B) Any Personal Data will at all times be and remain the sole property of Customer and PeerBoard will not have or obtain any rights therein.
III. Obligation of the PeerBoard
PeerBoard agrees and warrants to:
(A) Process Personal Data disclosed to it by Customer only on behalf of and in accordance with the Instructions of the Data Controller and Annex 1 of this Addendum, unless PeerBoard is otherwise required by Applicable Law. PeerBoard shall inform Customer if, in PeerBoard's opinion, an Instruction provided infringes Applicable Law.
(B) Ensure that any person authorized by PeerBoard to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller.
(C) PeerBoard stores and Processes all data, including Personal Data, in the US. PeerBoard has and shall continue to enter into any written agreements as are necessary (in its reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from PeerBoard.
(D) Inform Customer promptly and without undue delay of any formal requests from Data Subjects exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not respond to such requests, unless instructed by the Customer in writing to do so. Taking into account the nature of the Processing of Personal Data, PeerBoard shall assist Customer, by appropriate technical and organizational measures and at Customer’s cost, insofar as possible, in fulfilling Customer’s obligations to respond to a Data Subject’s request to exercise their rights with respect to their Personal Data.
(E) Notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and on behalf of PeerBoard. Customer may, if it so chooses, seek a protective order. PeerBoard shall reasonably cooperate with Customer in such defense.
(F) Provide reasonable assistance to Customer, at Customer’s cost, in complying with Customer’s obligations under Applicable Law.
(G) Maintain internal record(s) of Processing activities, copies of which shall be provided to Customer by PeerBoard or to supervisory authorities upon request.
(H) Remain in compliance with GDPR, CCPA, PIPEDA and all other Applicable Laws with respect to any and all of Customer’s users while they are using the PeerBoard Services.
PeerBoard shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any third party, or contract any of its rights or obligations concerning Personal Data, unless PeerBoard has entered into a written agreement with each such third party that imposes obligations on the third party that are substantively similar as those imposed on PeerBoard under this Addendum. PeerBoard shall only retain third parties that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data. A list of PeerBoard's current Sub-Processors are set out at Annex 2. Where Customer permits the integration of the Service with third party services, such integration may allow for the transfer of data to such third party (subject to Customer’s consent through the configuration of the integration by Customer). Such third parties shall not be considered Sub-Processors for the purpose of this section and it is Customer sole obligation to ensure that it has the appropriate agreements in place with such third party in respect of the processing of such data.
V. Compliance with Applicable Laws
(A) Each party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of the Services.
(B) Without limiting the above, (i) Customer is responsible for ensuring that it has a lawful basis for the processing of Personal Information in the manner contemplated by this Agreement, and has adequate record of such basis (whether directly or through another third party provider); and (ii) PeerBoard is not responsible for determining the requirements of laws applicable to Customer’s business or that PeerBoard's provision of the Services meet the requirements of such laws. As between the parties, Customer is responsible for the lawfulness of the Processing of the Customer Personal Data. Customer will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.
(C) If a Data Subject brings a claim directly against PeerBoard for a violation of their Data Subject rights in breach of Applicable Laws and such claim does not arise from a breach by PeerBoard of the terms of this Agreement, Customer will indemnify PeerBoard for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that PeerBoard has notified Customer about the claim and given Customer the opportunity to cooperate with PeerBoard in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from PeerBoard amounts paid to a Data Subject for a violation of their Data Subject rights caused by PeerBoard's breach of its obligations under GDPR.
VI. Data Security
(A) PeerBoard shall develop, maintain and implement a comprehensive written information security program that complies with Applicable Law and good industry practice. PeerBoard's information security program shall include appropriate administrative, technical, physical, organisational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:
a) The encryption of the Personal Data;
b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
c) The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted pursuant to this provision for ensuring the security of the Processing.
(B) PeerBoard shall supervise PeerBoard personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. PeerBoard shall provide training, as appropriate, to all PeerBoard personnel who have access to Personal Data.
(C) Promptly (and in any event within 90 days) following the expiration or earlier termination of the Master Agreement, PeerBoard shall return to Customer or its designee, if so requested during such period, or if not so requested securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in PeerBoard's, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event applicable law does not permit PeerBoard to comply with the delivery or destruction of the Personal Data, PeerBoard warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this Addendum.
VII. Data Breach Notification
(A) PeerBoard shall promptly inform Customer in writing of any Personal Data Breach of which PeerBoard becomes aware. The notification to Customer shall include all available information regarding such Personal Data Breach, including information on:
a) The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
b) The likely consequences of the Personal Data Breach; and
c) The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
PeerBoard shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. PeerBoard shall provide such assistance as required to enable Customer to satisfy Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR, if applicable.
PeerBoard shall on written request (but not more than once per year, other than in the event of a breach) make available to Customer such information as may be reasonably necessary to demonstrate compliance with the obligations set forth in this Addendum and, where required by Applicable Law and at the Customer’s expense, allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Upon prior written request by Customer (provided that it shall be not more than once per year other than in the event of a breach), PeerBoard agrees to cooperate and, within reasonable time, provide Customer with: (a) audit reports (if any) and all information necessary to demonstrate PeerBoard's compliance with the obligations laid down in this Addendum; and (b) confirmation that no audit, if conducted, has revealed any material vulnerability in PeerBoard's systems, or to the extent that any such vulnerability was detected, that PeerBoard has fully remedied such vulnerability.
IX. Governing Law
This Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.
ANNEX 1: SCOPE OF THE DATA PROCESSING
This Annex forms part of the Data Processing Addendum between Customer and PeerBoard.
The Processing of Personal Data concerns the following categories of Data Subjects:
- End users
- Administrative users
The Processing concerns the following categories of Personal Data:
i) Name: To help data subjects identify themselves in the community and let others call them by their names or nicknames
(ii) External user ID (Optional): To uniquely identify the data subject when the data subject is authenticated
(iii) Email address: To send email notifications to data subjects
(iv) Biography: For data subjects to introduce themselves to the community
(v) Profile Pictures: For data subjects to introduce themselves to the community by uploading their picture or Avatar
(vi) IP addresses: To log data subjects activities for future reference and to secure the community in case of spam attacks from a certain IP
(vii) Cookie data: sessionId for authentication purpose and CSRF-Token for security purpose
(viii) Behavioral Events: To enhance user experience and show the most relevant and recommended content to the data subjects
(ix) Posts, replies, uploaded files and videos of data subjects: To provide the community services to data subjects.
(X) such additional ad hoc categories as may be prompted by new fields added by Customer
The Processing concerns the following categories of Sensitive Data:
The Processing concerns the following categories of data Processing activities (i.e., purposes of Processing):
Provision of services to Customer
ANNEX 2 - SUB-PROCESSORS
| Third Party Service | Purpose | Location | Website |
| Amazon Web Services, Inc. | Cloud Hosting | USA | www.aws.com |
| SendInBlue | Admin emails & support | Paris (EU) | www.sendinblue.com |