Data Processing Addendum
(Revision October 2023)
This Data Processing Addendum, including its Schedules, (“DPA”) forms part of the Master Services Agreement or other written or electronic agreement between Extu and Sponsor for the purchases of our “Services” to reflect the Parties’ agreement with regard to the Processing of Personal Data.
Sponsor enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Sponsor” shall include Sponsor and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Sponsor pursuant to the Agreement, Extu may Process Personal Data on behalf of Sponsor and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
HOW TO EXECUTE THIS DPA:
- This DPA consists of two parts: the main body of the DPA, and Schedules 1 and 2.
- This DPA has been pre-signed on behalf of SFDC. Schedule 2, section 1 has been pre-signed by Salesforce, Inc. as the data importer. Please note that the contracting entity under the Agreement may be a different entity to Salesforce, Inc.
- To complete this DPA, Sponsor must:
  - Complete the information in the signature box and sign on page 6.
  - Send the signed DPA to Extu by email at email@example.com.
Except as otherwise expressly provided in the Agreement, this DPA will become legally binding upon receipt by Extu of the validly completed DPA at this email address.
For the avoidance of doubt, signature of the DPA on page 6 shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2. Where Sponsor wishes to separately execute the Standard Contractual Clauses and its Appendix, Sponsor should also complete the information as the data exporter and sign on page 8 (Schedule A).
Data Processing Terms
- Definitions. All capitalized terms used but not otherwise defined herein will have the meaning set forth in this Section 1 (Definitions) or in the Agreement.
(A) “Data Protection Law” means, as applicable: (i) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “EU GDPR”); (ii) the EU GDPR as incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable legislation under such Act (the “UK GDPR”); (iii) the Federal Act on Data Protection of 19 June 1992 (Switzerland) (the “Swiss FADP”); and/or (iv) U.S. state laws that govern the processing of personal data, including the California Consumer Privacy Act of 2018 (the “CCPA”), as amended by the California Privacy Rights Act of 2020 (the “CPRA”).
(B) “EEA” means the European Economic Area.
(C) “EU” means the European Union.
(D) “Standard Contractual Clauses” or “SCCs” means the clauses annexed to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, which are available online at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
(E) “Transfer” means to disclose, provide or otherwise make personal data available to a third party including, but not limited to, disclosure by physical movement of the personal data to such third party or by enabling access to the personal data by other means.
(F) “UK” means the United Kingdom.
(G) The terms “controller”, “data subject”, “personal data”, “personal information”, “personal data breach”, “process” or “processing”, and “processor” each have the meaning set forth in the applicable Data Protection Law.
- Roles of the Parties. The parties agree that, for purposes of any applicable Data Protection Law, Sponsor is a controller (or, as applicable, a processor) of personal data, and Extu is a processor of personal data. Each party shall comply with the obligations of Data Protection Law applicable to it in connection with this DPA and the processing of personal data.
- Processing of Personal Data. Extu will process personal data solely: (a) as needed to perform its obligations under the Agreement; (b) in accordance with the Agreement, this DPA, and other documented instructions received from Sponsor as further set forth in Section 4 (Instructions) below; and (c) as needed to comply with applicable law. The details of the processing of personal data (including the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects) are set forth in Exhibit A attached hereto.
- Instructions. Extu will process personal data in accordance with Sponsor’s documented, lawful instructions as specified in the Agreement and this DPA, including instructions regarding Transfers. Sponsor acknowledges that Extu only collects personal data that is specifically requested and approved by Sponsor. Sponsor may provide additional instructions in writing to Extu with regard to the processing of personal data in accordance with Data Protection Law. Extu will comply with reasonable, lawful and documented additional instructions from Sponsor, except to the extent such instructions expand the scope of Extu’s performance pursuant to the Agreement in which case Extu reserves the right to charge Sponsor additional fees. Unless prohibited by applicable law, Extu will inform Sponsor if, in Extu’s reasonable opinion, an instruction from Sponsor violates applicable Data Protection Law.
- Data Subject Requests. If Extu receives a request from a data subject that relates to Sponsor’s personal data and identifies Sponsor, Extu will promptly instruct the data subject to submit such request to Sponsor. Extu will reasonably assist Sponsor, by appropriate technical and organizational measures and taking into account the nature of the processing, in meeting Sponsor’s obligations to respond to data subjects’ requests to exercise their rights under applicable Data Protection Law, including their rights to access, correction, objection, erasure and data portability.
- Additional Assistance. Taking into account the nature of the processing and the information available to Extu, Extu will reasonably assist Sponsor in meeting its compliance obligations regarding: (a) ensuring the security of the personal data; (b) responding to personal data breaches, as further set forth below in Section 11 (Personal Data Breach); and (c) carrying out privacy and data protection impact assessments and related consultations of data protection authorities.
- Use of Subprocessors. Sponsor hereby provides Extu with a general written authorization to appoint third party subcontractors to process Sponsor’s personal data in connection with Extu’s performance pursuant to the Agreement (each a “Subprocessor”). In particular, Extu may continue to use those Subprocessors already engaged as of the DPA Effective Date, a list of which is available at https://extu.com/legal/subprocessors (the “Subprocessor Website”). At least thirty (30) days prior to appointing any new Subprocessor to process Sponsor’s personal data in connection with Extu’s performance pursuant to the Agreement, Extu will provide Sponsor with a notice of its intent to appoint the new Subprocessor by updating the list available on the Subprocessor Website. If Sponsor does not object within such ten (10) business day period, the new Subprocessor shall be deemed approved. If Sponsor objects within such ten (10) day period, the parties will use good faith efforts to resolve such objection within a reasonable time. If the parties are unable to resolve such objection within a reasonable time, Sponsor may terminate the Agreement and this DPA, upon notice to Extu. Before permitting any Subprocessor to process Sponsor’s personal data, Extu will enter into a written agreement with such Subprocessor that is no less restrictive than this DPA with respect to the processing of personal data. Extu will remain responsible and liable for any act or omission by such Subprocessor with respect to the personal data as if such act or omission were performed by Extu.
(A) To the extent the processing of personal data by Extu requires any Transfers by Sponsor of personal data originating within the EEA, UK, or Switzerland to Extu in a country located outside the EEA, UK, or Switzerland that has not been the subject of a binding adequacy decision by the European Commission or by a similar competent data protection authority, such Transfers will be made pursuant to the SCCs, which are hereby incorporated by reference, subject to the following:
(i) where Sponsor is a controller and Extu is a processor, such Transfers will be made pursuant to Module Two of the SCCs;
(ii) where both Sponsor and Extu are processors, such Transfers will be made pursuant to Module Three of the SCCs;
(iii) where the Transfer relates to personal data originating within the UK, the SCCs shall be modified as set forth within the “UK Transfer Addendum”, developed by the UK Information Commissioner’s Office (“UKICO”) and effective as of March 21, 2022, which is available online at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and incorporated herein by this reference;
(iv) the parties’ choices, with respect to those elements of the SCCs that provide for optionality, are set forth on a jurisdiction-by-jurisdiction basis in Exhibit B attached hereto; and
(v) the information required by: (A) Annex I and Annex III of the SCCs appears in Exhibit A attached hereto, and (B) Annex II of the SCCs appears in Exhibit C attached hereto.
(B) Any onward Transfers by Extu of personal data originating within the EEA, UK, or Switzerland to a recipient in a country located outside the EEA, UK, or Switzerland that has not been the subject of a binding adequacy decision by the European Commission or by a similar competent data protection authority shall be subject to binding and appropriate Transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Law, such as the standard contractual clauses or approved binding corporate rules.
- Confidentiality. Extu will ensure that all persons authorized to process personal data are subject to written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality that are no less restrictive than those set forth herein or in the Agreement.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Extu will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of personal data.
- Personal Data Breach. If Extu becomes aware that there has been a personal data breach (as defined by Data Protection Law), Extu will notify Sponsor in writing of such personal data breach without undue delay. Taking into account the nature of processing and the information available to Extu, Extu will reasonably assist Sponsor in complying with its obligations regarding personal data breaches.
- Return or Destruction. Extu will return or destroy all personal data to Sponsor upon termination of the Agreement or this DPA, and destroy existing copies of personal data unless: (a) applicable law or Extu’s reasonable data retention policy requires storage of the personal data, or (b) such personal data is stored in Extu’s archival or backup systems. Any personal data retained by Extu pursuant to this Section 12 (Return or Destruction) shall be retained in accordance with the terms of this DPA.
- Audits; Inquiries. Extu will make available to Sponsor information reasonably necessary to demonstrate Extu’s compliance with Data Protection Law and this DPA, and, at Sponsor’s expense, allow for and contribute to audits, including inspections, conducted by the internal and external auditors and personnel of Sponsor and applicable data protection authorities. In connection with the foregoing, Sponsor will provide Extu with reasonable notice of such audit (and in any event not less than thirty (30) days’ notice) and such audit will occur at a date and time mutually agreed to by the parties during normal business hours and will not unreasonably interfere with Extu’s business operations. Sponsor agrees, and prior to performing any audit or inspection pursuant to this Section 13 (Audits; Inquiries) will contractually obligate its internal and external auditors and personnel to agree, to treat any information reviewed, obtained or otherwise made available by Extu during any audit or inspection, including the results of such audit and inspection, as confidential information of Extu.
- Disclosure Requests. If Extu receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to its processing of Sponsor’s personal data (“Disclosure Request”), it will promptly pass on such Disclosure Request to Sponsor without responding to it, unless otherwise required by applicable law. Extu will provide Sponsor with relevant information in its possession that may be responsive to the Disclosure Request and any reasonable assistance required for Sponsor to promptly respond to such Disclosure Request.
- CCPA Compliance. The parties acknowledge and agree that Extu is acting as a service provider (as such term is defined by the CCPA) to Sponsor in connection with Extu’s performance pursuant to the Agreement. Extu acknowledges and confirms that it does not provide Sponsor with any monetary or other valuable consideration in exchange for the receipt of personal information (as defined by the CCPA) and certifies that it understands and will comply with the restrictions set forth in this Section 15 (CCPA Compliance). Except as required by applicable law, Extu will not collect, access, use, disclose, process, or retain personal information for any purpose other than Extu’s performance pursuant to the Agreement or another business purpose permitted by the CCPA, this DPA, or the Agreement. In particular, Extu shall not sell (as defined by the CCPA) or share (as defined by the CPRA) any personal information.
- Survival. Extu’s obligations under this DPA will continue for so long as Extu has access to, is in possession of or acquires personal data, even if the Agreement has expired or been terminated.
- Limitations on Liability. For the avoidance of any doubt, this DPA and any liabilities or remedies arising from it are subject to any and all limitations on liability provisions and disclaimers of types of damages provisions set forth in the Agreement, to the maximum extent permitted by applicable law.
- Interpretation. Except as specifically provided herein, the Agreement shall remain in full force and effect. The rights granted to any party hereunder are in addition to and not a replacement for other rights such party may have under the Agreement. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement with respect to the processing of personal data, the terms of this DPA shall control. In the event of any conflict or inconsistency between the terms of any applicable module of the SCCs and the terms of this DPA with respect to any Transfers, the terms of the SCCs shall control.
IN WITNESS WHEREOF, the parties hereto have caused this DPA to be executed by their duly authorized representatives as of the DPA Effective Date.
Details of Processing
A. LIST OF PARTIES:
|Contact Person:||Phone: [TBD] |
|Activities Relevant to Transferred Data:||The receipt of services in accordance with the Agreement.|
|Signature and date:||See signature and date in the DPA.|
|Role:||Controller or processor, as applicable.|
|Address:||2299 Perimeter Park Drive, Suite 150 Atlanta, Georgia 30341|
|Contact Person:||Kelly Held Chief Information Officer |
|Activities Relevant to Transferred Data:||The provision of services in accordance with the Agreement.|
|Signature and date:||See signature and date in the DPA.|
B. DESCRIPTION OF TRANSFER:
|Subject Matter of the Processing:||The processing of personal data will be in the context of Extu providing its services to Sponsor, as set forth in the Agreement.|
|Nature and Purpose of Processing:||Extu offers a web-based incentive program whereby participants are awarded points and may redeem points on an online and real time interactive point-based catalog of various goods and services. The processing of personal data will be in connection with the foregoing and in connection with Extu’s provision of services to Sponsor, as set forth in the Agreement.|
|Duration of Processing:||For the term set forth in the Agreement.|
|Categories of Data Subjects:||[TBD]|
|Categories of Personal Data:||The personal data transferred will include the following categories of personal data: [TBD]; [TBD]; and [TBD].|
|Special Categories of Personal Data / Sensitive Data Transferred:||None – Sponsor will not make available to Extu any special categories of personal data or sensitive data without Extu’s prior written consent.|
|Frequency of the Transfer:||Continuous.|
|Period of Retention / Retention Criteria:||Extu will return or delete all Transferred personal data in accordance with Section 12 (Return or Destruction) of the DPA.|
|Subject Matter, Nature, and Duration of Subprocessor Processing:||To the extent Extu uses any Subprocessors to perform any of the functions outlined herein, the subject matter, nature, and duration will be substantially identical to what is set forth herein.|
C. COMPETENT SUPERVISORY AUTHORITY:
The applicable competent supervisory authority is set forth in Exhibit B.
D. EXISTING SUBPROCESSORS:
Extu’s existing Subprocessors are set forth at the Subprocessors page on the Extu website at the URL: https://extu.com/legal/subprocessors
Standard Contractual Clauses – Implementation Choices
|SCC Clause||EEA Data||UK Data||Swiss Data|
|Clause 7||The parties choose not to include the optional docking clause.|
|Clause 9||The parties choose Option 2, “General Written Authorization,” and a notification period of thirty (30) days.|
|Clause 11||The parties choose not to include the optional language providing data subjects with the right to lodge complaints with an independent dispute resolution body.|
|Clause 13||The Irish Data Protection Commission will be the competent supervisory authority.||The UKICO will be the competent supervisory authority.||The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) will be the competent supervisory authority.|
|Clause 17||The SCCs shall be governed by the laws of the Republic of Ireland.||The SCCs, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales.||The SCCs shall be governed by the laws of the Republic of Ireland.|
|Clause 18||The parties agree that any dispute arising from the SCCs shall be resolved by the courts of the Republic of Ireland.||The parties agree that any dispute arising from the SCCs or the incorporated UK Transfer Addendum shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.||The parties agree that any dispute arising from the SCCs shall be resolved by the courts of the Republic of Ireland, but the parties’ selection of forum may not be construed as forbidding data subjects in Switzerland from suing for their rights in Switzerland.|