THIS IS A NEW DATA PROCESSING ADDENDUM THAT WILL GO INTO EFFECT ON DECEMBER 15, 2023.
1.1 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the applicable party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2 “Authorized Affiliate” means any Customer Affiliate that is (a) subject to Data Protection Laws and (b) permitted to use the Services under the Agreement.
1.3 “CCPA” means the California Consumer Privacy Act of 2018 and the California Consumer Privacy Act of 2020, including all laws and regulations implementing or supplementing CCPA and successor or modifying legislation.
1.4 “Customer Personal Data” means Personal Data agreed to be received or accessed and Processed by ContractSafe or a Sub-processor on behalf of Customer or an Authorized Affiliate pursuant to the Agreement.
1.5 “Data Protection Laws” means all laws and regulations, including laws and regulations pertaining to data privacy and data protection applicable to the Processing of Personal Data under the Agreement, including but not limited to those of a) the European Union, the European Economic Area and their member states, including but not limited to GDPR and state implementing legislation, b) Switzerland and the United Kingdom, including but not limited to the UK GDPR, and c) CCPA and other national, state and provincial data protection laws, where applicable.
1.6 “GDPR” means the European Union (“EU”) General Data Protection Regulation and all laws and regulations (including implementing laws and regulations) of the EU, the European Economic Area (“EEA”) and their Member States, Switzerland and, under the United Kingdom Data Protection Act of 2018, the United Kingdom, in each case to the extent applicable to the Processing of Customer Personal Data under the Agreement.
1.7 “Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer or an Authorized Affiliate to ContractSafe or a Sub-processor, or (b) an onward transfer of Customer Personal Data from or between ContractSafe or a Sub-processor, in each of case (a) or (b) where such transfer is permitted under the Agreement but would be prohibited by Data Protection Laws in the absence of a legal transfer mechanism to be established under this DPA.
1.8 “Services” means the products and/or services provided by ContractSafe under the Agreement.
1.9 “EU Standard Contractual Clauses” means if and to the extent applicable under Section 8 (Restricted Transfers), module two, controller to processor, and module three, processor to processor, of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the approved version of which is available at http://data.europa.eu/eli/dec_impl/2021/914/oj) and together with the Annexes included referred to in Attachment 1 form a part of this DPA, if and to the extent applicable under Section 8 (Restricted Transfers).
1.10 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses approved by the UK Parliament and in force from 21 March 2022 (as may be amended or superseded from time to time), the details of which are provided for in clause 8.3 and in Attachment 3 (UK Addendum) to this DPA, if and to the extent applicable under Section 8 (Restricted Transfers).
1.11 "UK GDPR" means the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 (the "UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 as may be amended and replaced from time to time.
1.12 “Sub-processor” means any third party appointed by or on behalf of ContractSafe to Process Customer Personal Data on behalf of ContractSafe or any ContractSafe Affiliate, including any other ContractSafe Affiliate.
The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR and UK GDPR; provided, however, that for purposes of CCPA, “Data Subject” shall be synonymous with “Consumer”, and “Personal Data” shall be synonymous with “Personal Information”, as those terms are defined in CCPA, and “Supervisory Authority” shall mean the Office of the Attorney General of the State of California, or its designee or an independent public authority which is established by an EU Member State or the United Kingdom pursuant to the GDPR and UK GDPR or any other independent authority established by a government to investigate and enforce Data Protection Laws. The terms “Commercial Purpose”, “Sell”, and “Service Provider” shall have the same meanings as in CCPA. All capitalized terms defined in the Agreement shall have the same meanings in this DPA.
2.1 Applicability. This DPA applies only to the extent and as of the time the Data Protection Laws apply to Customer Personal Data and the Processing of such Customer Personal Data by ContractSafe or a Sub-processor under the Agreement. This DPA does not apply to “Service Data” which means any data relating to the Customer’s use, support and/or operation of ContractSafe Services and ContractSafe websites, including information relating to Customer personnel such as activity logs, use patterns, cookie data or other information regarding use of ContractSafe Services and ContractSafe websites. To the extent any Service Data is considered personal data under applicable data protection and privacy laws, ContractSafe is responsible as a Data Controller, and processes such data in accordance with its privacy notice available at www.contractsafe.com/privacy and applicable data protection and privacy laws.
2.2 Authorization. Customer authorizes and requests that ContractSafe Process Customer Personal Data as set forth in the Agreement and this DPA for the purposes set forth below. This DPA addresses (i) the subject-matter and duration of the Processing, (ii) the nature and purpose of the Processing, and (iii) the types of Customer Personal Data, categories of Data Subjects whose Personal Data may be Processed and the obligations and rights of the parties.
2.3 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data in connection with the Agreement and this DPA, as between the parties, Customer is the Controller or Processor for a third party Controller (as applicable) and Data Exporter, and ContractSafe is a Processor or Sub-processor (as applicable), Data Importer and Service Provider and may engage ContractSafe Affiliates or other Sub-processors pursuant to the requirements set forth in this DPA.
2.4 Customer’s Obligations. Without limiting any other obligations of Customer under the Agreement or this DPA, Customer shall:
2.5 ContractSafe’s Obligations. Without limiting any other obligations of ContractSafe under the Agreement or this DPA, ContractSafe shall:
2.6 Purpose of Processing. Customer instructs ContractSafe to Process Customer Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable purchase order or similar document; (ii) Processing initiated by Customer’s authorized users (which may include authorized personnel of Customer’s customers) in their use of the Services in accordance with Customer’s configuration of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer via ContractSafe’s support service where such instructions are consistent with the terms of the Agreement and applicable Data Protection Laws. Where an instruction cannot be followed due to the architecture of the Services or generates disproportionate efforts, Customer will reimburse ContractSafe for the costs arising from these efforts or ContractSafe may terminate all or applicable parts of the affected Services.
2.7 Further Details of Processing. Further details of the Processing of Customer Personal Data, including, the categories of Customer Personal Data and Data Subjects are set forth in Attachment 1.
3.1 Correction, Amendment and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, transfer or delete Customer Personal Data, as may be required by Data Protection Laws, ContractSafe shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent ContractSafe is legally permitted to do so. Customer shall be responsible for any material costs arising from ContractSafe’s provision of such assistance to the extent legally permitted.
3.2 Data Subject Requests. ContractSafe shall, to the extent legally permitted, promptly notify Customer if it receives any complaint, notice or request from a Data Subject related to that person’s Personal Data or either party’s compliance with Data Protection Laws other than if provided as an instruction as set out in Section 2.6 (Purpose of Processing). Customer acknowledges that ContractSafe cannot verify the identity of a Data Subject (other than Customer personnel) as to any particular Customer Personal Data without Customer’s assistance. ContractSafe shall not respond to any such Data Subject request except as required under Data Protection Laws, and ContractSafe shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request according to applicable Data Protection Laws, to the extent legally permitted and to the extent Customer cannot handle the request itself through its use of the Services. Customer shall be responsible for any costs arising from ContractSafe’s provision of such assistance.
4.1 Confidentiality. ContractSafe shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. ContractSafe shall ensure that such confidentiality obligations set forth in this Section 4.1 survive the termination of the personnel engagement. ContractSafe will promptly notify Customer if any Customer Personal Data is required by law or judicial process to be disclosed by it and will cooperate with Customer regarding the manner of such disclosure (but without prejudice to any obligation to comply with any such law or judicial process).
4.2 Reliability. ContractSafe shall take commercially reasonable steps to ensure the reliability of any ContractSafe personnel engaged in the Processing of Customer Personal Data.
4.3 Limitation of Access. ContractSafe shall ensure that ContractSafe’s access to Customer Personal Data is limited to those personnel who require such access to perform the Agreement.
5.1 General. ContractSafe will engage Sub-processors to process Customer Personal Data in accordance with this Section 5 and the EU Standard Contractual Clauses and UK Addendum (as applicable).
5.2 Appointment of Sub-processors. Customer acknowledges, agrees, authorizes and herewith consents that (a) ContractSafe Affiliates may act as Sub-processors; and (b) ContractSafe and ContractSafe Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. A current list of Sub-processors (and the subject matter/nature and location of applicable Processing) is available at https://www.contractsafe.com/subprocessors and under the “Infrastructure and Sub-processor Documentation” section of the ContractSafe website, Documentation as well as a mechanism to subscribe to notifications of new Sub-processors for each applicable Service, to which Customer shall subscribe, and if Customer subscribes, ContractSafe shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services. In such cases ContractSafe will enter into a written agreement with the Sub-processor that will include contractual obligations substantially similar to those under this DPA relating to data protection, data security and the authorization of further sub-processors, in each case to the extent applicable. The parties agree that copies of Sub-processor agreements provided to Customer by ContractSafe upon request may have all commercial information or clauses unrelated to data processing removed by ContractSafe beforehand; and, that such copies will be provided by ContractSafe in a manner to be determined in its discretion, only upon request by Customer.
5.3 Liability. To the extent required by applicable Data Protection Laws, ContractSafe shall be liable for the acts and omissions of its Sub-processors to the same extent ContractSafe would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
5.4 Changes to List of Current Sub-processors. ContractSafe may remove, replace or appoint suitable and reliable further Sub-processors in its sole discretion. To the extent required under applicable Data Protection Laws ContractSafe will inform Customer about any changes to the list of Sub-processors in a timely fashion, which may be by announcing them to the Customer through automated notice, such as the mechanism described at Section 5.2 of this DPA. Customer may object to any change of Sub-processors in writing on legitimate grounds based on data protection or security concerns, detailed in writing, within 10 business days after receipt of ContractSafe’s notice, and, if Customer so objects, ContractSafe will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If ContractSafe is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable order document(s) in respect only to those Services which cannot be provided by ContractSafe without the use of the objected-to new Sub-processor, by providing written notice to ContractSafe. Customer shall receive a refund of any unused prepaid fees for the period following the effective date of termination in respect of such terminated Services.
6.1 Controls for the Protection of Personal Data. ContractSafe shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data as set forth in the “Description of the technical and organizational security measures implemented by the data importer” as amended from time to time, a current copy of which is included as part of Attachment 1.
6.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, ContractSafe shall provide a copy of ContractSafe’s then most recent third-party audits or certifications, as applicable, or any summaries thereof or other information that ContractSafe generally makes available to its customers at the time of such request evidencing ContractSafe’s compliance with Section 6.1. In the absence of such audits or certificates, and to the extent ContractSafe is required to submit to audits under applicable Data Protection Laws, Customer may, at its own cost, audit the technical and organizational measures taken by ContractSafe.
6.3 Audit restrictions.
(a) Unless otherwise required by Data Protection Laws, Customer’s audit right pursuant to Section 6.2 (Third-Party Certifications and Audits) is limited to once in any twelve-month period and may not be conducted by a competitor of ContractSafe.
(b) An audit may not exceed three business days.
(c) Customer shall provide ContractSafe with at least thirty (30) days’ prior written notice (unless a Supervisory Authority or applicable Data Protection Law requires a shorter notice period).
(d) Customer and ContractSafe shall mutually agree the scope and determine the agenda of the audit in advance. The audit shall, to the extent possible, rely on certifications and audit reports or other verifications available to confirm ContractSafe’s compliance with Section 6.1 and shall exclude any third party penetration testing, or repetitive audits, requests for information.
(e) Customer shall conduct the audit under reasonable time, place and manner conditions and provide ContractSafe with a copy of the audit report and will inform ContractSafe without undue delay and comprehensively about any errors or irregularities related to Processing of Customer Personal Data detected during the audit.
(f) If an audit determines that ContractSafe is required to take corrective technical and/or organizational security measures, ContractSafe will at its sole discretion determine which measures are best suitable to ensure compliance and perform such measure within a reasonable time frame.
6.4 Data Protection Checks by Supervisory Authorities. ContractSafe will provide the Customer and Supervisory Authorities (as applicable) with all information and assistance reasonably necessary to investigate Personal Data Breaches or otherwise to demonstrate that the Services comply with Data Protection Laws to the extent that such inspections concern the Processing of Customer Personal Data under the Agreement, and will without undue delay implement the requirements of such Supervisory Authority in agreement with and at the cost of Customer.
At any time upon Customer’s request, ContractSafe will return to Customer all Customer Personal Data and any copies thereof or will destroy all such Customer Personal Data as required by Data Protection Laws, except to the extent Data Protection Laws or any other applicable law or judicial process imposed upon ContractSafe prevents it from doing so or as necessary under applicable Data Protection Laws. Any certification required by applicable Data Protection Laws may only be done upon written request.
8.1 UK Addendum Application. Customer and each Authorized Affiliate (each as Controller under Module Two or as the transferring Processor under Module Three, but in either case as “data exporter”) and ContractSafe (as Processor under Module Two or as the receiving Processor under Module Three, but in either case as “data importer”) hereby enter into the UK Addendum in respect of such Restricted Transfer; provided, however, that:
8.2 EU Standard Contractual Clauses. By entering into this DPA, the parties are deemed to have signed the EU Standard Contractual Clauses incorporated herein, including their Annexes. Customer and each Authorized Affiliate (each as Controller under Module Two or as the transferring Processor under Module Three, but in either case as “data exporter”) and ContractSafe (as Processor under Module Two or as the receiving Processor under Module Three, but in either case as “data importer”) hereby enter into the EU Standard Contractual Clauses in respect of such Restricted Transfer; provided, however, that:
9.1. To the extent permitted by Data Protection Laws, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and ContractSafe, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
9.2. For the avoidance of doubt, to the extent permitted by Data Protection Laws, ContractSafe’s and its Affiliates’ total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
9.3. Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.
10.1 Governing Law and Jurisdiction. Without prejudice to the EU Standard Contractual Clauses and UK Addendum: (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
10.2 Order of Precedence. Nothing in this DPA reduces ContractSafe’s or Customer’s (or Customer Affiliates or their respective users’) obligations under the Agreement or Applicable Data Protection Laws in relation to the protection of Customer Personal Data or permits any party to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Agreement. Notwithstanding the foregoing, in the event of any conflict or inconsistencies between this DPA and the EU Standard Contractual Clauses or the UK Addendum, the applicable Standard Contractual Clauses or UK Addendum shall prevail.
10.3 Changes in Data Protection Laws. Either party may propose variations to this DPA if and as they may apply to a particular Data Protection Law, which such party believes in good faith are required as a result of any change in, or decision of a competent authority under, that Data Protection Law. In the event of such a proposal, the parties agree to work together in good faith to implement mutually agreed changes. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by ContractSafe to protect ContractSafe and its Affiliates and Sub-processors against additional risks associated with such changes.
10.4 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
10.5 Legal Effect. This DPA shall only become legally binding between Customer and ContractSafe when the DPA has been executed via digital signature or other legally binding mechanism.
Certain Details of Processing of Customer Personal Data
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement (including ordering documents) and this DPA.
The nature and purpose of the Processing of Customer Personal Data
The nature and purpose of the Processing of the Customer Personal Data are set out in the Agreement and this DPA, namely contract storage, administration, and administration and improvement of the Services.
The types of Customer Personal Data to be transferred and Processed
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion and uploaded into or accessed by Customer, which may include, but is not limited to the following categories of Personal Data: Employee/agent email address, contact information, IP address and use history; Customer client information as contained in contracts which is stored but not accessed by ContractSafe LLC and contract administration data.
Sensitive data to be transferred
None are anticipated.
The categories of Data Subjects to whom the Customer Personal Data relates
Data Subjects will be determined by Customer in its discretion, which may include Customer employees, agents, clients, members and designees.
The period for which the Customer Personal Data will be retained
The period for which Customer Personal Data will be retained is set out in the Agreement and this DPA.
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Authorized Affiliates are set out in the Agreement and this DPA.
Providing the Service (Contract management and storage), Administering and Reporting on the use of the Services, supporting the Services, offering and improving the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
The transfers will occur on a continuous basis throughout the duration of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Sub-processors will, on a continuous basis throughout the duration of the Agreement, provide the services set forth on the Sub-Processors list at https://www.contractsafe.com/subprocessors.
Description of the technical and organisational security measures
Within ContractSafe’s area of responsibility, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ContractSafe has in relation to the Customer Personal Data implemented and will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk as set forth at https://www.contractsafe.com/dataprotectionpolicy and as otherwise agreed in writing in the Agreement. These include administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data including protection intended against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, disclosure or access of or to Customer Personal Data. Measures may include:
This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs
The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2 (please see clause 8.1 of the DPA), including the Appendix Information.
As set out in Table 3 (please see clause 8.1 of the DPA).
The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs
The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
The Information Commissioner.
A transfer which is covered by Chapter V of the UK GDPR.
The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws
All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
As defined in section 3 of the Data Protection Act 2018.
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Effective: December 15, 2023