DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “Addendum”) is effective upon its incorporation into the Agreement and forms part of the Terms of Use Agreement (the “Agreement”) between Ikeono, LLC (“Ikeono”) and the End-User (“Customer”).
Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement. Except as expressly modified below, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Customer Personal Data, if applicable.
DEFINITIONS.
“Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means Personal Data Processed by Ikeono on behalf of Customer to perform the Services under the Agreement.
“Data Protection Laws” means the data privacy and security laws and regulations applicable to the Processing of Customer Personal Data, including, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act (“VCPDA”); (c) the Colorado Privacy Act and its implementing regulations (“CPA”), when effective; (d) the Utah Consumer Privacy Act (“UCPA”), when effective; (e) the Connecticut Data Privacy Act (“CTDPA”), when effective; and (f) any other applicable law or regulation related to the protection of Customer Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.
“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
“Personal Data” means information that constitutes “personal information,” “personal data,” or “personally identifiable information” as defined under Data Protection Laws.
“Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
“Processor” means an entity that Processes Personal Data on behalf of a Controller.
“Security Incident” means a breach of Ikeono’s security that leads to unauthorized access to or acquisition of Customer Personal Data in Ikeono’s possession, custody, or control.
“Services” means the services that Ikeono has agreed to provide to Customer under the Agreement.
“Subprocessor” means any Processor appointed by Ikeono to Process Customer Personal Data on behalf of Customer under the Agreement.
PROCESSING OF CUSTOMER PERSONAL DATA.
Roles of the Parties; Customer Instructions. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and Ikeono is a Processor. Ikeono will Process Customer Personal Data only in accordance with Customer’s documented instructions unless otherwise required by applicable law, in which case Ikeono will inform Customer of such Processing unless notification is prohibited by applicable law. Customer hereby instructs Ikeono to Process Customer Personal Data: (a) to provide the Services to Customer; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) for the purposes described in Appendix 1. Ikeono will notify Customer if, in its opinion, an instruction of Customer infringes upon Data Protection Laws.
Customer Obligations. Customer’s instructions for the Processing of Customer Personal Data shall comply at all times with Data Protection Laws. Customer represents and warrants that: (a) Customer has given adequate notice and made all appropriate disclosures to Data Subjects regarding the Processing of Customer Personal Data in connection with the Services; (b) Customer has obtained all necessary rights, and, where applicable, all appropriate and valid consents to use the Services and to disclose Customer Personal Data to Ikeono to permit the Processing described herein; (c) Customer’s use of the Services is and shall at all times be in compliance with all applicable laws, regulations, rules, and guidelines relating to text messaging, spam, and telemarketing, including without limitation the Telephone Consumer Protection Act and any other local, state, federal, or foreign laws regulating similar activities or guidelines issued by the Federal Communications Commission, Federal Trade Commission, and Mobile Marketing Association; and (d) Customer will not use the Services to Process Personal Data that is subject to the EU General Data Protection Regulation, the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, or similar laws in the EEA, UK, or Switzerland governing the Processing of Personal Data. Customer shall notify Ikeono of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact Ikeono’s ability to comply with the Agreement, this Addendum, or Data Protection Laws.
Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Appendix 1. Ikeono may Process Customer Personal Data in the United States or anywhere Ikeono and its Subprocessors maintain facilities. Customer is responsible for ensuring that Customer’s use of the Services complies with any cross-border data transfer restrictions under Data Protection Laws.
Processing Subject to the CCPA. As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. Ikeono will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and Ikeono; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from Ikeono’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. Ikeono hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them. The parties acknowledge that the Personal Information disclosed by Customer to Ikeono is provided to Ikeono only for the limited and specified purposes set forth in Appendix 1. Ikeono will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that Ikeono uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights in Section 7. Ikeono will notify Customer if it makes a determination that Ikeono can no longer meet its obligations under the CCPA. 
If Ikeono notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Ikeono, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
CONFIDENTIALITY. Ikeono will take reasonable steps to ensure that Ikeono personnel who Process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Customer Personal Data.
SECURITY.
Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ikeono will implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.
Security Incidents. Upon becoming aware of a confirmed Security Incident, Ikeono will: (a) notify Customer of the Security Incident without undue delay after becoming aware of the Security Incident; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Ikeono will take commercially reasonable steps to provide Customer with information available to Ikeono that Customer may reasonably require to comply with its obligations under Data Protection Laws. Ikeono’s notification of or response to a Security Incident under this Section 4.2 will not be construed as an acknowledgement by Ikeono of any fault or liability with respect to a Security Incident.
Customer Responsibilities. Customer agrees that, without limitation of Ikeono’s obligations under this Section 4, Customer is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Services, where applicable. Without limiting Ikeono’s obligations hereunder, Customer is responsible for reviewing the information made available by Ikeono relating to its Processing and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
SUBPROCESSING. Subject to the requirements of this Section 5, Customer generally authorizes Ikeono to engage Subprocessors as Ikeono considers reasonably appropriate for the Processing of Customer Personal Data. A list of Ikeono’s Subprocessors, including their functions and locations, is available upon Customer’s written request and may be updated by Ikeono from time to time in accordance with this Section 5. Ikeono will inform Customer of the addition or replacement of any Subprocessor on such list, such as via an alert within the Services. Customer may object to a new Subprocessor on reasonable data protection grounds by providing Ikeono with written notice of such objection within ten (10) days after Ikeono has provided such information. In the event of such objection, either party may terminate the Agreement and this Addendum upon notice to the other party. When engaging any Subprocessor, Ikeono will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum. Ikeono shall be liable for the acts and omissions of the Subprocessor to the extent Ikeono would be liable under the Agreement and this Addendum.
DATA SUBJECT RIGHTS. Ikeono will, taking into account the nature of the Processing of Customer Personal Data and the functionality of the Services, provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible and including the self-service functionality of the Services, as necessary for Customer to fulfill its obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. Ikeono reserves the right to charge Customer on a time and materials basis in the event that Ikeono considers that such assistance is onerous, complex, frequent, or time consuming. If Ikeono receives a request from a Data Subject under any Data Protection Laws with respect to Customer Personal Data, Ikeono will advise the Data Subject to submit the request to Customer and Customer will be responsible for responding to any such request.
RELEVANT RECORDS AND AUDIT RIGHTS.
Review of Information and Records. Upon Customer’s reasonable written request, Ikeono will make available to Customer information in Ikeono’s possession reasonably necessary to demonstrate Ikeono’s compliance with Data Protection Laws and Ikeono’s obligations set out in this Addendum. Such information will be made available to Customer no more than once per calendar year and subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement.
Audits. If Customer requires information for its compliance with Data Protection Laws in addition to the information provided under Section 7.1, at Customer’s sole expense and to the extent Customer is unable to access the additional information on its own, Ikeono will allow for, cooperate with, and contribute to reasonable assessments and audits, including reasonable inspections, by Customer or an auditor mandated by Customer (“Mandated Auditor”), provided that (a) Customer provides Ikeono with reasonable advance written notice including the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of Ikeono; (b) Ikeono approves the Mandated Auditor in writing, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Ikeono’s normal business operations; (d) Customer or any Mandated Auditor complies with Ikeono’s standard safety, confidentiality, and security policies or procedures in conducting any such audits; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Ikeono and subject to a nondisclosure agreement to be provided by Ikeono; and (f) Customer may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority or Data Protection Laws. Alternatively, at Ikeono’s sole discretion Ikeono may arrange for a qualified and independent auditor to conduct the requested audit and agrees to provide a report of the audit to Customer upon Customer’s written request.
Results of Audits. Customer will promptly notify Ikeono of any non-compliance discovered during the course of an audit and provide Ikeono any reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports solely for the purposes of meeting Customer’s audit requirements under Data Protection Laws to confirm that Ikeono’s Processing of Customer Personal Data complies with this Addendum.
DELETION OR RETURN OF CUSTOMER PERSONAL DATA. Following termination or expiration of the Agreement, Ikeono will delete all Customer Personal Data in accordance with Ikeono’s standard deletion schedules, unless retention thereof is required by applicable law. If Ikeono retains Customer Personal Data pursuant to applicable law, Ikeono agrees that all such Customer Personal Data will continue to be protected in accordance with this Addendum. If Customer wishes for Ikeono to return Customer Personal Data upon termination of the Agreement, Customer shall submit such request to Ikeono in writing at least thirty (30) days prior to the date of termination.
GENERAL TERMS. This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Ikeono’s deletion or return of all Customer Personal Data. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement in relation to the Processing of Customer Personal Data, this Addendum will govern with respect to the subject matter hereof. Notices required under this Addendum may be sent via email to Ikeono at support@ikeono.com and to Customer at the email address or other contact information provided by Customer at the time of account registration for the Services. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
APPENDIX 1
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
Subject matter and duration of the Processing of Customer Personal Data: The subject matter and duration of the Processing are as described in the Agreement and the Addendum.
Nature and purpose of the Processing of Customer Personal Data: The nature of the Processing involves those activities reasonably required to facilitate or support the provision of the Services as described in the Agreement and the Addendum. The purpose of the Processing of Customer Personal Data includes the following: (a) helping to ensure security and integrity, to the extent the use of Customer Personal Data is reasonably necessary and proportionate for these purposes; (b) debugging to identify and repair errors that impair existing intended functionality; (c) performing the Services as described in the Agreement and carrying out the instructions set forth in Section 2.2, including providing the text message services outlined in the Agreement, providing customer service, processing or fulfilling transactions, and verifying Customer information; (d) undertaking internal research for technological development and demonstration; and (e) undertaking activities to verify or maintain the quality or safety of the Services, and to improve, upgrade, or enhance the Services.
The categories of Data Subjects to whom Customer Personal Data relates: The categories of Data Subjects to whom Customer Personal Data relates will be determined solely by Customer in its use of the Services and may include employees, customers, leads, and other business contacts.
The categories of Customer Personal Data Processed: The categories of Customer Personal Data Processed will be determined solely by Customer in its use of the Services and may include names, phone numbers, emails, contents of text messaging communications, sales and transaction history, and other Customer Personal Data submitted or received by Customer through the Services.