CalendarHero Data Processing Agreement
Effective Date: May 09, 2023
This Data Processing Agreement, including the terms referenced herein (“DPA”), is the express agreement between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and Vendasta Technologies Inc. (together with its subsidiary(ies) and affiliated entities, collectively “Processor”) and sets forth other terms that apply to the extent any information you provide to Processor pursuant to the DPA includes “Personal Data” (as defined below). This DPA is effective as of May 09, 2023. For clarity, this DPA overrides any previous agreement you had with Processor in regards to Personal Data. Customer and Processor each a “party”, together “parties”.
NOW, THEREFORE, in consideration of the mutual promises, covenants, representations, and warranties made herein and of the mutual benefits to be derived therefrom, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
1.0 Defined Terms. The following definitions are used in this DPA:
1.1 “Authorized Personnel” means (a) Processor’s employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable services; and (b) Processor’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA. The data importer pursuant to this DPA is Vendasta Technologies Inc., providing CalendarHero services,(“CalendarHero”).
1.2 “CCPA” means the California Consumer Privacy Act.
1.3 “Data Protection Laws” means all applicable federal, state, and foreign data protection, privacy, and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the EU Data Protection Laws and the CCPA but excluding, without limitation, consent decrees.
1.4 “EU Data Protection Laws” means data protection laws applicable in Europe, including: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (b) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (c) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (d) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.
1.5 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.)
1.6 “Personal Data” means any information relating to an identified or identifiable natural person that is submitted to, or collected by, CalendarHero in connection with the services provided by Processor, when such data is protected as “personal data” or “personally identifiable information” or a similar term under Data Protection Law(s).
1.7 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
1.8 “Security Breach” means a confirmed breach of Processor’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under Data Protection Law(s) governing the particular circumstances.
1.9 “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en as may be amended, superseded or replaced.
1.10 “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
1.11 “Vendasta Technologies Inc.” means the private corporation of the same name, incorporated in Saskatchewan, Canada, which is providing CalendarHero services.
2.0 Processing and Transfer of Personal Data.
2.1 Processor shall process Personal Data in accordance with Customer’s written instructions (unless waived in a written requirement) provided during the term of this DPA. The parties agree that this DPA constitutes Customer’s complete and final written instruction to Processor in relation to the Processing of Personal Data, and additional instructions outside the scope of these instructions shall require a prior written and mutually executed agreement between Customer and Processor. In the event Processor reasonably believes there is a conflict with any Data Protection Law and Customer’s instructions, Processor will inform Customer promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
2.2 Except for usage of Personal Data as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Data Protection Laws, Processor shall not retain, use, sell, or disclose the Personal Data that is not de-identified or aggregated for analytics, for any purpose, including other commercial purposes, outside of the direct business relationship with Customer.
2.3 The parties acknowledge and agree that processing of the Personal Data will occur in the United States and perhaps other jurisdictions outside the residence of the data subjects, and Customer shall comply with all notice and consent requirements for such transfer and processing to the extent required by Data Protection Laws.
3.0 EU Data Protection Laws.
3.1 Transfers of EU Personal Data. Customer acknowledges and agrees that Processor is located in the United States and that Customer’s provision of Personal Data from the European Economic Area, Switzerland, and the United Kingdom (“EU”) to Processor for processing is a transfer of EU Personal Data to the United States. All transfers of Customer Personal Data out of the EU (“EU Personal Data”) to the United States shall be governed by the Standard Contractual Clauses. The terms of the Standard Contractual Clauses as set out in Appendix 1 are incorporated in this DPA solely as required with respect to EU Personal Data for the services provided by Processor for Customer under the DPA.
3.2 GDPR Contractual Requirements. Processor shall: (a) assist, to a reasonable extent, the fulfillment of Customer’s obligations to respond to requests for exercising a data subject’s rights with respect to Personal Data under Chapter III of GDPR; (b) assist, to a reasonable extent, Customer in complying with its obligations with respect to EU Personal Data pursuant to Articles 32 to 36 of GDPR; (c) make available to Customer information reasonably necessary to demonstrate compliance with its obligations as a Processor specified in Article 28 of GDPR; (d) maintain a record of all categories of processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR; and (e) cooperate, on request, with an EU supervisory authority in the performance of the services under the DPA
3.3 Sub-processors. Customer grants a general authorization to Processor to appoint its affiliates as sub-processors. Customers may request to be notified by email regarding updates to the sub-processor list.
4.0 Compliance with Data Protection Laws.
4.1 Representation and Warranty. Customer represents and warrants on behalf of itself and its employees that the Personal Data provided to Processor for processing under this DPA is collected and/or validly obtained and utilized by Customer and its employees in compliance with all Data Protection Laws, including without limitation the disclosure, informed affirmative consent and targeted advertising provisions of the CCPA and EU Data Protection Laws, including without limitation Chapter II of the GDPR, and Customer shall defend, indemnify and hold harmless Processor from and against all loss, expense (including reasonable out-of-pocket attorneys’ fees and court costs), damage, or liability arising out of any claim arising out of a breach of this Section 4.1.
4.2 Data Security. The Processor will utilize commercially reasonable efforts to protect the security, confidentiality, and integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards. Notwithstanding the generality of the foregoing, Processor shall: (a) not use or disclose Personal Data for any purpose other than those purposes instructed or permitted by Customer; (b) only use and disclose Personal Data in a manner and to the extent permitted in this DPA or as otherwise agreed between the parties and observe all limitations as to such use or disclosure as Customer may notify to Processor; (c) employ reasonable administrative, physical, and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to afford protection of the Personal Data in accordance with Data Protection Laws as would be appropriate based on the nature of the Personal Data; (d) utilize commercially reasonable efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data to prevent, and take prompt and proper remedial action against unauthorized access, copying, modification, storage, reproduction, display, or distribution of Personal Data; (e) cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals reasonably promptly after it is reasonable to assume that (i) the specified purposes are no longer being served by Processor’s retention of Personal Data, and (ii) retention is no longer necessary for legal or business purposes; and (f) upon receiving a request from Customer to correct an error or omission in the Personal Data about the individual that is in the possession or under the control of Processor, correct the Personal Data as soon as reasonably practicable.
4.3 Authorized Personnel; Sub-processors. The Processor shall ensure that Authorized Personnel has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations at least as restrictive as those contained in this DPA. In addition, Processor is authorized to use sub-processors provided that Processor shall enter into an agreement with the sub-processor containing data protection obligations that are at least as restrictive as the obligations under this DPA.
4.4 Security Breaches. After confirmation of a Security Breach, Processor will promptly, without undue delay: (a) notify Customer of the Security Breach; (b) investigate the Security Breach; (c) provide Customer with details about the Security Breach, and (d) take reasonable actions to prevent a recurrence of the Security Breach. Processor agrees to cooperate in Customer’s handling of the matter by (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Security Breach’s effects on Customer, as required to comply with Data Protection Laws.
4.5 Data Subject Requests. The Processor will cooperate with the Customer to address data subject rights and requests afforded by Data Protection Laws.
5.0 Audits and Certifications.
5.1 Within thirty (30) days of Customer’s written request, (unless such information is reasonably required to be disclosed as a response to a data subject’s inquiries under Data Protection Laws), Processor shall make available to Customer (or a mutually agreed-upon third-party auditor) information regarding Processor’s compliance with the obligations set forth in this DPA, including reasonable documentation. A non-disclosure agreement in a form acceptable to the Processor may be required to receive this information.
6.0 Miscellaneous.
6.1 In the event of any conflict or inconsistency between this DPA and Data Protection Laws, Data Protection Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of another agreement between the parties, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data.
6.2 To the extent that it is determined by any data protection authority that this DPA is insufficient to comply with Data Protection Laws or changes to Data Protection Laws, Customer and Processor agree to cooperate in good faith to amend this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Data Protection Laws.
6.3 Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the DPA. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its appendices.
6.4 This DPA does not confer any third-party beneficiary rights, is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person. This DPA only applies to the extent the Processor processes Personal Data on behalf of the Customer. This DPA is the final, complete, and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
IN WITNESS WHEREOF, the parties have duly executed this DPA as of the Effective Date written on the first page.
Customer:_____________________________
Authorized Signature: ___________________
Date:__________________________________
Vendasta Technologies Inc.
Authorized Signature: __________________
Date:_________________________________
Appendix 1 - Standard Contractual Clauses are as follows:
Categories of data - Data exporter may submit Personal Data to CalendarHero, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) Connection data; (g) Localisation data; and (h) other data in an electronic form used by Customer in the context of the services.
Data exporter - Data exporter is Customer.
Data importer - The data importer is Vendasta Technologies Inc, providing CalendarHero services (“CalendarHero”)
Data subjects - Data exporter may submit Personal Data to CalendarHero, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer Personal Data to users of the CalendarHero and /or https://CalendarHero.com website.
Processing operations - The objective of the processing of Personal Data by the data importer is the performance of the contractual services related to the DPA with the data exporter. The processes may include collection, storage, retrieval, consultation, use, erasure or destruction, disclosure by transmission, dissemination, or otherwise making available data exporter’s data as necessary to provide the services in accordance with the data exporter’s instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.)
Special categories of data (if appropriate) - None
The Processor will maintain reasonable administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of personal data transferred to the Processor as described in this DPA.
The description of the technical and organizational security measures implemented by the data importer can be found at https://CalendarHero.com/security.
The Processor will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data transferred to Processor as described in this DPA and in Processor’s Privacy Notice which is available at https://CalendarHero.com/privacy.