Last updated on 10/03/2023
This Data Processing (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under EngageBay’s Terms of Service This DPA is an amendment to the TOS and is effective upon its incorporation into the TOS, which incorporation may be specified in an Order or an executed amendment to the TOS. Upon its incorporation into the TOS, the DPA will form a part of the TOS.
In this agreement:
a) all Data sent from the date of this agreement by the Customer to EngageBay for Processing;
b) all Data accessed by the EngageBay on the authority of the Customer for Processing from the date of this agreement; and
c) all Data otherwise received by EngageBay for Processing on the Customer's behalf;in relation to the Services.
In order to execute the Agreement, and in particular to perform the Services on behalf of Customer, Customer authorizes and requests that EngageBay process the following Personal Data:
Customer Information: information that we may collect from your use of the EngageBay web sites and your interactions with us offline such as:
Categories of Data Subjects: Data subjects include Customer’s representatives and end users, such as employees, job applicants, contractors, collaborators, partners, and customers of the Customer. Data subjects also may include individuals attempting to communicate or transfer Personal Data to users of the Services.
EngageBay shall Process Personal Data solely for the provision of the Services, and agrees to:
The Service Customer, as Data controller, must accept responsibility for abiding by the applicable data protection legislation. Notably, the Customer has an obligation to assess the lawfulness of the processing of personal data stored on the Platform.
The Customer agrees that it shall ensure compliance at all times with the applicable data protection law, and, in particular, the Customer shall ensure that any disclosure of Personal Data made by it to EngageBay is made with the data subject's consent or is otherwise lawful. The control of Personal Data remains with the Customer, and as between the Customer and EngageBay, the Customer will at all times remain the Data controller for the purposes of the Services, the TOS, and this Data Processing Agreement. The Customer is responsible for compliance with its obligations as Data controller under the applicable data protection Law, in particular for justification of any transmission of Personal Data to EngageBay (including providing any required notices and obtaining any required consents), and for its decisions concerning the Processing and use of the data.
EngageBay will grant Customer, electronic access to the Platform environment that holds Personal Data to permit Customer to delete, release, correct or block access to specific Personal Data or, if that is not practicable and to the extent permitted by applicable law, follow Customer’s detailed written instructions to delete, release, correct or block access to Personal Data.
EngageBay shall pass on to the Customer any requests of an individual data subject to delete, release, correct or block Personal Data Processed under the Agreement.
EngageBay treats all Personal Data in a manner consistent with the requirements of the applicable data protection Law and this Data Processing Agreement in all locations globally. Data is stored by EngageBay in data centers located in the United States.
With respect to Personal Data stored by EngageBay in data centers in the United States, shall ensure compliance its Sub Processors with the requirements of the applicable data protection law as follows:
EngageBay shall not subcontract any of its processing operations performed on behalf of the Customer under the Agreement and the TOS without the prior written consent of the Customer. Where EngageBay subcontracts its obligations under the Agreement, with the consent of the Customer, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on EngageBay under the Agreement. Where the subprocessor fails to fulfill its data protection obligations under such written agreement EngageBay shall remain fully liable to the Customer for the performance of the subprocessor’s obligations under such agreement.
The Customer as Data controller may request that EngageBay audit the Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Data Controller in obtaining a third-party audit report concerning Subprocessor’s operations) to ensure compliance with such obligations. The Controller also will be entitled, upon written request, to receive copies of the relevant terms of EngageBay’s agreement with Subprocessors that may process Personal Data, unless the agreement contains confidential information, in which case the EngageBay may provide a redacted version of the agreement.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Customer is established.
When Processing Personal Data on behalf of Customer in connection with the Services, EngageBay shall ensure that it implements and maintains compliance with appropriate technical and organizational security measures for the Processing of such data. Accordingly, EngageBay will implement the following measures:
The Customer may audit EngageBay’s compliance with the terms of the Agreement and this Data Processing Agreement up to once per year.
The Customer may perform more frequent audits of the Service computer systems that Process Personal Data to the extent required by laws applicable to the Customer. If a third party is to conduct the audit, the third party must be mutually agreed to by both parties and must execute a written confidentiality agreement acceptable to EngageBay before conducting the audit.
To request an audit, the Customer must submit a detailed audit plan at least 4 weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. EngageBay will review the audit plan and provide the Data Controller with any concerns or questions (for example, any request for information that could compromise EngageBay’s security, privacy, or employment policies).
The audit reports are Confidential Information of the parties under the terms of the Agreement. Any audits are at the Data Controller's expense.
Any request for EngageBay to provide assistance with an audit is considered a separate service if such audit assistance requires the use of different or additional resources. EngageBay will seek the Data Controller's written approval and agreement to pay any related fees before performing such audit assistance.
EngageBay evaluates and responds to incidents that create suspicion of unauthorized access to or handling of Personal Data.
The Customer is informed of such incidents and, depending on the nature of the activity, defines escalation paths and response teams to address those incidents. EngageBay will work with the Customer, with the appropriate technical teams and, where necessary, with outside law enforcement to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of the Services environment, and to establish root causes and remediation steps.
EngageBay operations staff are instructed on responding to incidents where handling of personal data may have been unauthorized.
EngageBay shall notify the Customer without undue delay after becoming aware of a personal data breach. EngageBay shall promptly investigate any security breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, EngageBay will provide the Data Controller with a description of the security breach, the type of data that was the subject of the breach, and other information Data Controller may reasonably request concerning the affected persons. The parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected persons.
Except as otherwise required by law, EngageBay will promptly notify the Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority (“demand”) that it receives and which relates to the Personal Data EngageBay is Processing on Customer’s behalf. At Customer’s request, EngageBay will provide reasonable information in its possession that may be responsive to the demand and any assistance reasonably required for the Customer to respond to the demand in a timely manner. The Customer acknowledges that EngageBay has no responsibility to interact directly with the entity making the demand.
The parties agree that on the termination of the provision of data processing services, EngageBay will make available for retrieval or otherwise will return Customer’s Personal Data stored in the Platform environment, unless legislation imposed upon the parties prevents it from returning or destroying all or part of the personal data transferred. In that case, the parties warrant that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
This agreement will be governed by the US laws and/or the laws of the Member State in which the Customer is established.