Data Processing Agreement
Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) is entered into between Social Intents and Customer (jointly “the Parties”), and forms a part of the Services Agreement between the Parties, and reflects the Parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of the Data Protection Laws.
By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Social Intents Processes Personal Data for which such Authorized Affiliates qualify as the Controller (or for the purposes of the CCPA - as defined below - as a Business). For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
This DPA is effective on the date that it has been duly executed by both Parties (“Effective Date”), and amends, supersedes and replaces any prior data processing agreements that the Parties may have entered into. Any modifications to the terms of this DPA (whether handwritten or otherwise) will render this DPA ineffective unless Social Intents has separately agreed to those modifications in writing.
1. Definitions
1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Authorized Affiliate” means Customer's Affiliate(s) which are subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. Customer shall be responsible for the acts and omissions of its Authorized Affiliates under this Agreement to the same extent Customer would be responsible for its own acts and omissions under the same.
1.3. “CCPA” means the California Consumer Privacy Act and any implementing, derivative, or related legislation, rule, regulation, or regulatory guidance, as amended, extended, repealed and replaced, or re-enacted.
1.4. “Covered Services” or “Services” means the services that are ordered by the Customer from Social Intents involving the Processing of Personal Data on behalf of the Customer.
1.5. “Customer” means the entity that signed the Services Agreement and that determines the purposes and means of Processing of Personal Data. The Customer is considered the “Controller” of the Personal Data provided pursuant to this DPA.
1.6. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer’s Personal Data transmitted, stored or otherwise Processed.
1.7. "Data Protection Laws" means any applicable law, statute, regulation or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, and at all times during the term of the Service Agreement, including the EU General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and the CCPA, each as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Service Agreement.
1.8. “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (‘Data Subject’) that is subject to the Data Protection Laws, which is provided by or on behalf of Customer and Processed by Social Intents pursuant to the Services Agreement.
1.9. “Regulator” means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.10. “Services Agreement” means any agreement between Social Intents and Customer under which Covered Services are provided by Social Intents to Customer.
1.11. "Standard Contractual Clauses" or "EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, for the transfer of personal data to processors established in third countries, as amended or replaced from time to time.
1.12. "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018, Version B1.0, in force 21 March 2022, as amended or replaced from time to time.
1.13. "Subprocessor" means any Processor engaged by Social Intents to Process Personal Data on behalf of Social Intents.
2.1. This DPA supplements the Services Agreement and in the event of any conflict between the terms of this DPA and the terms of the Services Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA.
3. Data Protection Laws
3.1. Roles of the Parties. The Parties acknowledge and agree that Social Intents will Process the Personal Data in the capacity of a Processor (or, for the purposes of the CCPA, as a Service Provider) and that Customer will be the Controller of the Personal Data (or, for purposes of the CCPA, will be a Business).
3.2. DPO. To the extent required by the GDPR, the Parties will each designate a data protection officer (a “DPO”) and provide their contact details to the other Party where required by the Data Protection Laws.
4. Obligations of the Controller
4.1. Instructions. Customer warrants that the instructions it provides to Social Intents pursuant to this DPA will comply with Data Protection Laws.
4.2. Data Subject and Regulator Requests. Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Data, in accordance with Data Protection Laws. To the extent such requests or communications require Social Intents' assistance, Customer shall immediately notify Social Intents in writing of the Data Subject’s or Regulator’s request.
4.3. Notice, Consent and Other Authorizations. Customer agrees that the Personal Data will be collected in compliance with Data Protection Laws, including all legally required consents, approvals and authorizations. Upon Social Intents' request, Customer shall provide adequate proof of having properly obtained all such necessary consents, authorizations and required permissions. Customer shall have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which Customer acquired the Personal Data.
4.4. CCPA. The parties acknowledge and agree that the Personal Information it discloses to Social Intents for Processing pursuant to the Services Agreement is for a Business Purpose.
5. Details of Processing Activities
5.1. The following table sets out the details of Processing:
Purposes for which the
- Social Intents will Process Personal Data for the purpose of providing the Covered Services described in the Services Agreement.
Personal Data shall be processed
- Customer may submit Personal Data to the Services, and may request for its customers (“End Users”) to submit Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion.
Description of the categories of the data subjects
- Natural persons who submit personal data to Customer via use of the Services.
- Natural persons who are employees, representatives, or other business contacts of Customer.
Description of the categories of Personal Data
- Personal Data processed includes: name, email address, phone number, and/or other personal information;
- Personal Data about End Users that Customer provides to the Service or through your End User’s interaction with the Services;
- Personal Data from Add-ons and other third-party services you use in conjunction with our Services;
- Data about Customers and End Users' use of the Services, such as but not limited to interactions with the user interface to the Services, and the Internet Protocol Address for the computers you use to connect to the Service.
6. Obligations of the Processor
6.1. Scope of Processing. Social Intents will Process the Personal Data on documented instructions from Customer in such manner as is necessary for the provision of Services under the Service Agreement, except as may be required to comply with any legal obligation to which Social Intents is subject. Social Intents may make reasonable effort to inform Customer if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe on any Data Protection Laws based on Social Intents' actual knowledge of Customer’s Processing of Personal Data. In the event Social Intents must Process or cease Processing Personal Data for the purpose of complying with a legal obligation, Social Intents will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.
6.2. Data Subject and Regulator Requests. Social Intents will promptly notify Customer in writing of any complaints, questions or requests received from Data Subjects or Regulators regarding the Personal Data. Taking into account the nature of the Processing and to the extent reasonably possible, Social Intents will assist Customer in fulfilling Customer’s obligations in relation to Articles 13 and 14 of the GDPR, and Data Subject requests, under applicable Data Protection Laws.
6.3. Retention. Upon Customer’s written request, Social Intents will destroy all Personal Data in its possession or return the Personal Data to Customer, as requested. Notwithstanding the foregoing, any return or destruction shall be subject to all applicable laws (including, without limitation, Data Protection Laws), regulations and Social Intents' compliance policies.
6.4. Disclosure to Third Parties. Except as expressly provided in this DPA, Social Intents will not disclose Personal Data to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose the Personal Data, to the extent legally permissible and practicable, Social Intents will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
6.5. Confidentiality. Social Intents will restrict access to the Personal Data to its personnel (and the personnel of its Affiliates) and to its Subprocessors who need access to meet Social Intents' obligations under the Services Agreement. Further, Social Intents will ensure that all such personnel and Subprocessors are informed of the confidential nature of the Personal Data and have undertaken training on how to handle such data. Social Intents will ensure that personnel authorized to Process the Personal Data are subject to binding confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
6.6. GDPR Articles 32-36. Taking into account the nature of the Processing and the information available to Social Intents, Social Intents will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
6.7. Use of Personal Information. For purposes of the CCPA, Social Intents shall not retain, use, or disclose the Personal Information for any purpose other than to perform the Services or otherwise as permitted by the CCPA. The restrictions of this Section do not apply to Deidentified or Aggregate Consumer Information.
6.8. Information Security. Taking into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, Social Intents will take appropriate steps to implement and maintain adequate organizational and technical measures designed to protect the confidentiality, integrity and availability of the Personal Data it Processes on Customer’s behalf (the “Security Measures”). All of the Personal Data Social Intents Processes is stored in the cloud. Social Intents uses only top-tier cloud providers that have confirmed they have implemented and maintain Security Measures in compliance with Article 32 of the GDPR, in storing and keeping secure Personal Data.
7. International Data Transfers
7.1. Data Storage. Customer acknowledges that Social Intents stores and processes Personal Data on Amazon Web Services (AWS) infrastructure located in the United States.
7.2. EU/EEA Transfers. To the extent that the Processing of Personal Data involves a transfer of Personal Data from the European Union or the European Economic Area to a country outside the EU/EEA that has not received an adequacy decision from the European Commission, the Parties agree that such transfers shall be governed by the EU Standard Contractual Clauses (Module Two: Controller to Processor), which are hereby incorporated by reference into this DPA.
7.3. UK Transfers. To the extent that the Processing of Personal Data involves a transfer of Personal Data from the United Kingdom to a country outside the UK that is not subject to UK adequacy regulations, the Parties agree that such transfers shall be governed by the EU Standard Contractual Clauses as supplemented by the UK Addendum, which is hereby incorporated by reference into this DPA. For the purposes of the UK Addendum:
- (a) Table 1: The Parties' details shall be as set forth in the signature block of this DPA. The Key Contact for Social Intents is service@socialintents.com.
- (b) Table 2: The version of the Approved EU SCCs which this Addendum is appended to is the EU SCCs as defined in Section 1.11 of this DPA, Module Two (Controller to Processor).
- (c) Table 3: The description of the transfer is as set forth in Section 5 of this DPA.
- (d) Table 4: Social Intents may end this Addendum as set out in Section 19 of the UK Addendum.
7.4. Swiss Transfers. To the extent that the Processing of Personal Data involves a transfer of Personal Data from Switzerland to a country that has not received an adequacy decision from the Swiss Federal Data Protection and Information Commissioner, the Parties agree that such transfers shall be governed by the EU Standard Contractual Clauses with the modifications required by the Swiss Federal Act on Data Protection.
7.5. Alternative Transfer Mechanisms. To the extent that Social Intents adopts an alternative lawful data export mechanism for international transfers of Personal Data (including any new version of, or successor to, the Standard Contractual Clauses or the UK Addendum adopted pursuant to applicable Data Protection Laws), such alternative transfer mechanism shall apply automatically in place of the transfer mechanisms described in this Section 7.
8. Audit
8.1. Scope. Social Intents will maintain records of its Processing activities as required by the Data Protection Laws and will make available to Customer information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. Customer’s inspection rights under this DPA do not extend to Social Intents' employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties.
8.2. Process. Subject to reasonable written notice from Customer and at the Customer's additional expense, Social Intents will permit audits conducted by an independent third-party auditor that is not a competitor to Social Intents acting on Customer’s behalf to enable Customer to verify that Social Intents is in compliance with material obligations under this DPA. Audits and inspections will be carried out at mutually agreed times during regular business hours and no more than once annually.
8.3. Confidentiality. All information obtained during any such request for information or audit will be considered Social Intents' confidential information under the Services Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Social Intents' confidential information. The third party auditor may only disclose to Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
9. Contracting with Subprocessors
Customer provides general written authorization for Social Intents to engage Subprocessors to Process Personal Data on Customer’s behalf for the purposes of providing the Services. Social Intents remains responsible for the performance of each Subprocessor’s data protection obligations required under applicable Data Protection Laws.
Social Intents will maintain an up-to-date list of Subprocessors in Annex III (Subprocessor List), including the Subprocessor name, purpose of processing, location, and categories of Personal Data processed.
Social Intents will provide at least fifteen (15) days’ prior written notice of any intended addition or replacement of a Subprocessor that materially affects Processing of Personal Data. Customer may object in writing on reasonable data protection grounds within fifteen (15) days of such notice. If Social Intents cannot provide a commercially reasonable alternative, either Party may terminate the affected Services upon written notice.
10. Information Obligations and Incident Management
10.1. Data Breach Notification. Social Intents will notify Customer without undue delay and, in any event, no later than seventy-two (72) hours after confirming a Personal Data Breach affecting Customer Personal Data.
10.2. Notification Content. To the extent known at the time of notice, Social Intents’ notification will include: (a) the nature of the Personal Data Breach; (b) the date and time of occurrence and discovery; (c) the categories of affected data subjects; (d) the categories of affected Personal Data; (e) the likely consequences; (f) the measures taken or proposed to address and mitigate the breach; and (g) contact details for follow-up.
10.3. Ongoing Updates and Cooperation. If all required information is not available at the time of initial notice, Social Intents will provide additional information in phases without undue delay as it becomes available, and will reasonably cooperate with Customer in relation to Customer’s regulatory and data subject notification obligations.
11. Obligations Post Termination
Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
12. Liability and Indemnity
Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Services Agreement.
13. Severability
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.
14. Mutual Notice
Any notice, consent, instruction or communication related to this DPA will be provided in writing to the Company email address specified in the signature block below. All notices to Social Intents must be provided via email to service@socialintents.com.
Annex III is incorporated by reference into, and forms an integral part of, this DPA.
Annex III – Subprocessor List
The following Subprocessors may Process Personal Data on behalf of Social Intents, as applicable based on the Services and integrations enabled by Customer:
1. Amazon Web Services, Inc. (AWS)
Purpose: Cloud hosting, infrastructure, storage, database, backup
Location: United States
Data Categories: Account data, service usage data, message content, technical logs
2. OpenAI, L.L.C.
Purpose: AI processing features (as enabled by Customer)
Location: United States
Data Categories: Prompt/input content, model output content, related metadata
3. Pinecone Systems, Inc.
Purpose: Vector indexing and retrieval for AI features (as enabled by Customer)
Location: United States
Data Categories: Indexed content/embeddings, related metadata
4. Stripe, Inc.
Purpose: Payment processing and billing
Location: United States
Data Categories: Billing/contact data, transaction metadata (no full card PAN stored by Social Intents)
5. Slack Technologies, LLC
Purpose: Messaging platform integration (as enabled by Customer)
Location: United States
Data Categories: Message content, user/workspace identifiers, integration metadata
6. Microsoft Corporation (Microsoft Teams)
Purpose: Messaging platform integration (as enabled by Customer)
Location: United States/EU (per Microsoft service region)
Data Categories: Message content, user/tenant identifiers, integration metadata
7. Google LLC (including Google Chat)
Purpose: Messaging platform integration (as enabled by Customer)
Location: United States/EU (per Google service region)
Data Categories: Message content, user/workspace identifiers, integration metadata
8. Zoom Video Communications, Inc.
Purpose: Messaging/communications integration (as enabled by Customer)
Location: United States
Data Categories: Message/integration metadata, user/workspace identifiers
9. Cisco Systems, Inc. (Webex)
Purpose: Messaging/communications integration (as enabled by Customer)
Location: United States
Data Categories: Message/integration metadata, user/workspace identifiers
Signed for and on behalf of the Customer
Print name:
Company email address:
Company name:
Title:
Date:
Signed for and on behalf of Social Intents
Print name:
Company email address:
Company name:
Title:
Date: