Data Processing Agreement

Review Date: June 5, 2023

ATTENTION: YOU (THE “CUSTOMER”) ARE HEREBY ASKED TO ACCEPT THE TERMS AND CONDITIONS OF THE DATA PROCESSING AGREEMENT (THE "AGREEMENT") WHICH WILL GOVERN THE PROCESSING OF THE CUSTOMER’S PERSONAL DATA BY ISPRING AND ITS AFFILIATES FURTHER DEFINED HEREIN AS “ISPRING”.

BY CLICKING THE BUTTON WHILE REGISTERING YOUR ISPRING ACCOUNT, YOU ARE CONSENTING TO BE BOUND BY THE TERMS OF THIS AGREEMENT AND ARE BECOMING A PARTY TO THIS AGREEMENT AND AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU ASSERT THAT YOU HAVE THE AUTHORITY TO BIND STATED ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO STATED ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE AND ACCEPT THE TERMS, YOU HAVE NO RIGHT TO USE THE ISPRING WEB SERVICES.

This Data Processing Agreement, including Annexes (the “DPA”) forms part of the iSpring Web Services Subscription Agreement or other written or electronic agreement between iSpring and Customer for the purchase of iSpring software products (including any software program, web service or services made available by iSpring for purchase) from iSpring (identified either as “Products” or otherwise in the applicable agreement, and hereinafter defined as “Products”) (the "Principal Agreement") to reflect the Parties’ agreement with regard to the Processing of Personal Data.

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Principal Agreement. In the course of providing the Products to Customer pursuant to the Principal Agreement, iSpring may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

This DPA consists of two parts: the main body of the DPA, and Annexes 1 and 2.

If the Customer entity entering into this DPA is a party to the Principal Agreement, this DPA is an addendum to and forms part of the Principal Agreement. In such case, the iSpring Customer that is party to the Principal Agreement is party to this DPA.

If the Customer entity entering into this DPA is not a party to the Principal Agreement directly with iSpring, but is instead a customer indirectly via an authorized reseller of iSpring Products, this DPA is not valid and is not legally binding. Such Customer entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.

1. Definitions

1.1. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

    1.1.1. “Affiliate” means any person or entity that, directly or indirectly, controls, is controlled by, or is under common control with the subject entity; “control” (including, with its correlative meanings, “controlled by” and “under common control with”) means possession, directly or indirectly, of the power to direct or cause the direction of management or policies (whether through ownership of securities or partnership or other ownership interests, by contract or otherwise).

    1.1.2. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

    1.1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

    1.1.4. “Customer” means an individual consumer or a legal entity who activates the Product provided by iSpring and assumes payment responsibility for iSpring.

    1.1.5. “Customer Data” means electronic data and information (including Personal Data) submitted by or for Customer to the Products pursuant to or in connection with the agreement related to the provision of the Products by iSpring to Customer under the terms of the Principal Agreement;

    1.1.6. “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union (EU), the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom (collectively “Europe”) and the United States and its states, applicable to the Processing of Personal Data under the Principal Agreement as amended from time to time;

    1.1.7. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

    1.1.8. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.

    1.1.9. “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.

    1.1.10. “Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    1.1.11. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

    1.1.12. “Public Authority” means a government agency or law enforcement authority, including judicial authorities.

    1.1.13. “Services” means the services and other activities to be supplied to or carried out by or on behalf of iSpring or its authorized Affiliates for the Customer;

    1.1.14. “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj ;

    1.1.15. “Sub-processor” means any Processor (including any third party and any iSpring Affiliate, but excluding an employee of iSpring or any of its sub-contractors) engaged by or on behalf of iSpring or any iSpring Affiliate to Process Personal Data on behalf of Customer; and

1.2. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Authority

iSpring warrants and represents that, before any iSpring Affiliate Processes any Customer Data on behalf of the Customer, iSpring's entry into this DPA as agent for and on behalf of that iSpring Affiliate will have been duly and effectively authorized (or subsequently ratified) by that iSpring Affiliate.

3. Processing of Customer Data

3.1. The Parties undertake to comply with the applicable Data Protection Laws and Regulations.

    3.1.1. Customer, as Controller, appoints iSpring as a Processor to process Customer Data on Customer’s behalf.

    3.1.2. Customer remains responsible for all declarations, notifications and authorizations that may be necessary for the Processing of the Customer Data.

    3.1.3. as Processor, iSpring will only process the Customer Data on behalf of Customer and in compliance with Customer’s instructions.

3.2. iSpring and each iSpring Affiliate shall:

    3.2.1. comply with all applicable Data Protection Laws and Regulations in the Processing of Customer Data; and

    3.2.2. not Process Customer Data other than on the Customer’s documented instructions unless Processing is required by applicable Data Protection Laws and Regulations to which the relevant Processor is subject, in which case iSpring or the relevant iSpring Affiliate shall to the extent permitted by applicable Data Protection Laws and Regulations inform the Customer of that legal requirement before the relevant Processing of that Personal Data.

3.3. Customer:

    3.3.1. instructs iSpring and each iSpring Affiliate (and authorizes iSpring and each iSpring Affiliate to instruct each Sub-processor indicated in Annex 2 “List of Sub-Processors” and any other Sub-processor which shall be commissioned by iSpring according to the requirement set forth in Section 6.4. of this DPA) to:

      3.3.1.1. Process Customer Data; and

      3.3.1.2. in particular, transfer Customer Data to any country or territory, as reasonably necessary for the provision of the Products. Transfer of personal data to third countries may only take place if the requirements of applicable Data Protection Laws and Regulations are met accordingly; and

    3.3.2. warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.3.1.

3.4. Details of the Processing. The subject-matter of Processing of Personal Data by iSpring is the provision of the Products pursuant to the Principal Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 to this DPA. Customer may make reasonable amendments to Annex 1 by written notice to iSpring from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 4) confers any right or imposes any obligation on any party to this Agreement.

4. iSpring and iSpring Affiliate Personnel

iSpring and each iSpring Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Processor who may have access to the Customer Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Data, as strictly necessary for the purposes of providing the Products, and to comply with the applicable Data Protection Laws and Regulations in the context of that individual's duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, iSpring and each iSpring Affiliate shall in relation to the Customer Data implement and maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the iSpring Web Services: Overview of the Security Processes. iSpring regularly monitors compliance with these measures. iSpring will not materially decrease the overall security of the Products during a subscription term.

6. Subprocessing

6.1. Customer authorizes iSpring and each iSpring Affiliate to appoint (and permit each Sub-processor appointed in accordance with this section 6 to appoint) Sub-processors in accordance with this section 6.

6.2. iSpring and each iSpring Affiliate may use those Sub-processors already engaged by iSpring or any iSpring Affiliate as at the date of this DPA and appoint new Sub-processors, subject to iSpring and each iSpring Affiliate in each case as soon as practicable meeting the obligations set out in section 3.

6.3. iSpring or an iSpring Affiliate has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in the DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.

6.4. iSpring may only commission Sub-processors with the prior express written or documented consent of the Customer. iSpring is obliged to carefully select Sub-processors according to their suitability and reliability. iSpring has to engage Sub-processors in accordance with the provisions of this DPA and ensure that the Customer can exercise its rights under this DPA (in particular its audit and control rights) directly towards the Sub-processors.

6.5. In this respect, the Customer has so far agreed to commission the Sub-processors indicated in Annex 2 “List of Sub-Processors” under the condition of a contractual agreement as required by the applicable Data Protection Laws and Regulations.

6.6. If the Sub-processor provides the agreed performance outside the EU/EEA, iSpring must ensure that the respective Sub-processor provides an adequate level of data protection within the meaning of Art. 44 et seq. GDPR.

7. Data Subject Rights

7.1. Taking into account the nature of the Processing, iSpring and each iSpring Affiliate shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the applicable Data Protection Laws and Regulations.

7.2. iSpring shall:

    7.2.1. promptly notify Customer if any Processor receives a request from a Data Subject under any applicable Data Protection Laws and Regulations in respect of Customer Data; and

    7.2.2. ensure that the Processor does not respond to that request except on the documented instructions of Customer or as required by applicable Data Protection Laws and Regulations to which the Processor is subject, in which case iSpring shall to the extent permitted by applicable Data Protection Laws and Regulations inform Customer of that legal requirement before the Processor responds to the request.

8. Customer Data Incident

8.1. iSpring shall notify Customer within 24 (twenty-four) hours of iSpring or any Sub-processor becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by iSpring or its Sub-processors of which iSpring becomes aware (the “Customer Data Incident”) affecting Customer Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Customer Data Incident under the applicable Data Protection Laws and Regulations.

8.2. iSpring shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

9.1. iSpring and each iSpring Affiliate shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Public Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by the applicable Data Protection Laws and Regulations, in each case solely in relation to Processing of Customer Data by, and taking into account the nature of the Processing and information available to, the Processors.

9.2. Government Access Requests

iSpring requirements. In its role as a Processor, iSpring shall maintain appropriate measures to protect Personal Data in accordance with the requirements of the applicable Data Protection Laws and Regulations, including by implementing appropriate technical and organizational safeguards to protect Personal Data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defense and public security. If iSpring receives a legally binding request to access Personal Data from a Public Authority, iSpring shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent iSpring is prohibited by law from providing such notification, iSpring shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable iSpring to communicate as much information as possible, as soon as possible. Further, iSpring shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. iSpring shall pursue possibilities of appeal. When challenging a request, iSpring shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. iSpring agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. iSpring shall promptly notify Customer if iSpring becomes aware of any direct access by a Public Authority to Personal Data and provide information available to iSpring in this respect, to the extent permitted by law. 
For the avoidance of doubt, this DPA shall not require iSpring to pursue action or inaction that could result in civil or criminal penalty for iSpring such as contempt of court.

Sub-processors requirements. iSpring shall ensure that Sub-processors involved in the Processing of Personal Data are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.

10. Deletion or return of Customer Data

10.1. Subject to sections 10.2 and 10.3 iSpring and each iSpring Affiliate shall promptly and in any event within thirty (30) days of the date of cessation of any Products involving the Processing of Customer Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Data.

10.2. Subject to section 10.3, Customer may in its absolute discretion by written notice to iSpring within thirty (30) days of the Cessation Date require iSpring and each iSpring Affiliate to (a) return a complete copy of all Customer Data to Customer by secure file transfer in such format as is reasonably notified by Customer to iSpring; and (b) delete and procure the deletion of all other copies of Customer Data Processed by any Processor. iSpring and each iSpring Affiliate shall comply with any such written request within thirty (30) days of the Cessation Date.

10.3. Each Processor may retain Customer Data to the extent required by the applicable Data Protection Laws and Regulations and only to the extent and for such period as required by the applicable Data Protection Laws and Regulations and always provided that iSpring and each iSpring Affiliate shall ensure the confidentiality of all such Customer Data and shall ensure that such Customer Data is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Laws and Regulations requiring its storage and for no other purpose.

11. Audit rights

11.1. Subject to section 11.2, iSpring and each iSpring Affiliate shall make available to Customer on a written request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to one (1) remote audit during a current calendar year by Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Data by the Processors.

11.2. Information and audit rights of the Customer only arise under section 11.1 to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of the applicable Data Protection Laws and Regulations (including, where applicable, article 28(3)(h) of the GDPR).

12. International transfers

12.1. Customer authorizes iSpring to transfer Customer Data when strictly necessary in providing Products to Customer. As of the Effective Date of the Principal Agreement, iSpring has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data prevent iSpring from fulfilling its obligations under this DPA. If iSpring reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, iSpring shall use reasonable efforts to recommend a commercially reasonable change to Customer’s configuration or use of the Products to facilitate compliance with the Local Laws without unreasonably burdening Customer.

12.2. Europe Specific Provisions

GDPR. iSpring will Process Personal Data in accordance with the GDPR requirements directly applicable to iSpring’s provision of its Products.

Customer Instructions. iSpring shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if iSpring is unable to follow Customer’s instructions for the Processing of Personal Data.

Transfer mechanisms for data transfers. If, in the performance of the Products, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of Europe, the transfer mechanisms listed in the Standard Contractual Clauses shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the Data Protection Laws and Regulations of Europe.

13. General Terms

Governing law and jurisdiction

13.1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:

    13.1.1. the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

    13.1.2. this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

    13.1.3. if the Principal Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Germany; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.

Order of precedence

13.2. Nothing in this DPA reduces iSpring's or any iSpring Affiliate’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits iSpring or any iSpring Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

13.3. Subject to section 13.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

Severance

13.4. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

List of Annexes

Annex 1: Details of Processing of Customer Data

Annex 2: List of Sub-processors

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER DATA

This Annex 1 includes certain details of the Processing of Customer Data.

Subject matter and duration of the Processing of Customer Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement and this DPA.

The nature and purpose of the Processing of Customer Data

Hosting, caching, routing, transmitting, storing, copying, performing, displaying, erasure of Customer Personal Data for the provision of the Services for Customer pursuant to the Principal Agreement

The categories of Data Subject to whom the Customer Data relates

Customer may submit Personal Data to the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons);
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors;
  • Employees, agents, advisors, freelancers of Customer (who are natural persons);
  • Customer’s Users authorized by Customer to use the Products.

The categories of Personal Data Transferred

Customer may submit Personal Data to the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Contact information (company, email, phone)

Sensitive Data Transferred (Not Applicable)

Sub-processors Transfers

Sub-processor will Process Personal Data as necessary to provide the Products pursuant to the Principal Agreement for the duration of the Principal Agreement, unless otherwise agreed in writing.

The obligations and rights of Customer and Customer Affiliates

The obligations and rights of Customer and Customer Affiliates are set out in the Principal Agreement and this DPA.

Technical and Organizational Measures

iSpring will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to iSpring Products, as described in the iSpring Web Services: Overview of the Security Processes applicable to iSpring web services purchased by Customer. Data Subject Requests shall be handled in accordance with section 7 of this DPA.

ANNEX 2: LIST OF SUB-PROCESSORS

EXPLANATORY NOTE:

This Annex must be completed for Modules Two and Three of the Standard Contractual Clauses, in case of the specific authorization of Sub-processors (Clause 9(a), Option 1).

The controller has authorized the use of the following Sub-processors:

1. SendGrid, Inc.

Address: 889 Winslow St, Redwood City, CA 94063, USA

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): email services

2. Amazon Web Services, Inc.

Address: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Data Center

3. Ringcentral, Inc.

Address: 20 Davis Dr, Belmont, CA 94002, USA

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): communication services

4. First Colo GmbH

Address: Kruppstraße 105, 60388 Frankfurt am Main, Germany

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Data Center

5. Avoxi, Inc.

Address: 1000 Circle 75 Parkway, Suite 500, Atlanta GA 30339, USA

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): communication services

6. Telephonic Solutions OU

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): communication services

7. Liquid Web, LLC

Address: 2703 Ena Dr. Lansing, MI 48917, US

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Data Center

8. Leaseweb USA, Inc.

Address: 9301 Innovation Drive / Suite 100 Manassas, VA 20110

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Data Center