Data Processing Addendum
This Data Processing Agreement (“DPA“) forms an integral part of and is subject to the agreement referencing this DPA (“Agreement“), entered into by and between InfiniGrow Ltd.
(“InfiniGrow“) and the customer identified in the Agreement (“Customer“). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
a. In the course of providing the Services under the Agreement, InfiniGrow may Process Customer Personal Data (both as defined below).
b. Customer and InfiniGrow would like to set out InfiniGrow’s obligations with respect to processing Customer Personal Data.
The parties therefore agree as follows:
- Definitions. The following terms shall have the meanings set forth below
1.1 “Applicable Law” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR“), laws implementing or supplementing the GDPR and any laws applicable to InfiniGrow.
1.2 “Customer Personal Data” means any Personal Data Processed by InfiniGrow on behalf of Customer pursuant to or in connection with the Agreement.
1.3 “Sub-processor” means any entity or individual (excluding an InfiniGrow employee) appointed by InfiniGrow to Process Customer Personal Data.
1.4 The terms “Controller“, “Data Subject“, “”Personal Data” “Personal Data Breach“, “Processing”, “Processor“, and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.
- Processing of Customer Personal Data.
2.1 Customer is the Controller of the Customer Personal Data and InfiniGrow is a Processor on its behalf. Customer instructs InfiniGrow and InfiniGrow agrees to Process Customer Personal Data solely for the purpose of providing the Services and as set forth in the Agreement, in this DPA, and/or as otherwise directed by Customer.
2.2 Any other Processing will only be permitted where required by Applicable Law. In such case, InfiniGrow shall give Customer notice of that requirement, unless it is prohibited from doing so on important grounds of public interest.
2.3 Details of the Processing of Customer Personal Data to be carried out by InfiniGrow are set out in Schedule 1 (Details of Processing of Customer Personal Data).
- Controller. Customer represents and warrants that (i) its instructions about Processing Customer Personal Data are lawful; (ii) it has established a legal basis for the collection and Processing of Customer Personal Data, including obtaining consents if needed; (iii) it has provided all legally required notices; and (iv) it has the right to provide the Customer Personal Data to InfiniGrow and to allow InfiniGrow to Process as agreed in the Agreement and in this DPA.
- International Transfer of Personal Data. If InfiniGrow Processes Customer Personal Data in a country outside of the European Economic Area that does not provide an adequate level of data protection (as determined by the European Commission or other adequate authority), it shall ensure that appropriate transfer mechanisms are put in place. This may include, where needed, entering into the Standard Contractual Clauses approved by the European Commission.
- InfiniGrow Personnel. InfiniGrow shall take reasonable steps to ensure that access to the Customer Personal Data is provided on a need to know basis and that all InfiniGrow personnel that have access are subject to confidentiality obligations that relate to the Customer Personal Data.
- Security. InfiniGrow shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Customer Personal Data including, as appropriate, the measures referred to in Article 32(1) of the GDPR. InfiniGrow shall consider the risks presented by the Processing when assessing the appropriate security measures.
- Personal Data Breach.
7.1 InfiniGrow shall notify Customer without undue delay and, where feasible, not later than within 48 (forty eight) hours in the event that it becomes aware of Personal Data Breach affecting Customer Personal Data. In such event, InfiniGrow shall provide Customer with reasonable and available information to assist Customer in complying with its notification obligations, including the information set out in Section 33(3) of the GDPR. InfiniGrow will not inform any third parties of the Personal Data Breach unless legally required.
7.2 At the written request of the Customer, InfiniGrow shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the parties or required under Applicable Law to assist in the investigation, mitigation and remediation of any Personal Data Breach.
Customer authorizes InfiniGrow to appoint (and permits each Sub-processor appointed in accordance with this Section to appoint) Sub-processors in accordance with this Section.
8.2 InfiniGrow may continue to use the Sub-processors listed on Schedule 1. InfiniGrow may appoint new Sub-processors, subject to Customer’s consent. InfiniGrow shall notify Customer of any intended appointment. If Customer does not provide a written objection within seven (7) days of the notice of a new Sub-processor, the Customer will be deemed to have given its consent. If Customer objects to the appointment and InfiniGrow is unable to continue providing the Services without use of such Sub-processor, either party may terminate the Agreement with immediate effect and the terminating party shall not bear any liability for such termination.
8.3 InfiniGrow shall take reasonable steps to ensure that each Sub-processor is committed and able to provide the level of protection for Customer Personal Data required by this DPA, for instance by way of reviewing privacy policies and shall ensure that the arrangement between InfiniGrow and the Sub-processor is governed by a written contract with terms that provide a materially similar level of protection for Customer Personal Data as those set out in this DPA.
8.4 InfiniGrow will be fully liable to the Customer for the performance of any Sub-processor’s obligations.
- Data Subject Rights.
9.1 Customer is responsible for complying with legal obligations relating to the exercise of Data Subject (e.g., for access, rectification, deletion of Personal Data, etc.). InfiniGrow shall, at Customer’s sole expense, use commercially reasonable efforts to assist Customer in fulfilling such obligations, as required under Applicable Laws, including implementing technical and organization measures where required.
9.2 If InfiniGrow receives a request from a Data Subject relating to Customer Personal Data, InfiniGrow shall promptly notify Customer of the request and shall not respond to such request except where Customer directs InfiniGrow to do so or where InfiniGrow is required to do so by Applicable Law, in which case, if permitted, it will notify Customer of such requirement.
- Data Protection Impact Assessment and Prior Consultation. At Customer’s request and expense, InfiniGrow shall reasonably assist Customer with any data protection impact assessments or prior consultations with Supervisory Authorities relating to Customer Personal Data and any Processing activities under this DPA and/or the Agreement, as required under any Applicable Laws.
11. Deletion or Return of Customer Personal Data. InfiniGrow shall promptly and in any event within 60 (sixty) days of termination of the Agreement, delete, return, or anonymize all copies of Customer Personal Data, provided that InfiniGrow may retain Customer Personal Data solely as permitted by applicable law.
12. Audit Rights.
12.1 Subject to this Section 13, InfiniGrow shall make available to an auditor appointed by Customer information as reasonably necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections conducted by Customer or an auditor it has appointed.
12.2 Customer shall coordinate any audit or inspection with InfiniGrow in advance and shall bear all associated expenses. The parties shall agree on the reimbursement rate payable to InfiniGrow. Customer and/or the auditor shall use best efforts to minimize or avoid damage or disruption to InfiniGrow’s premises and business and not to interfere with InfiniGrow’s day-to-day business. Audits or inspections shall not be conducted more than once per year unless Customer reasonable considers it necessary due to a genuine concern of breach of this DPA or where required to be conducted by Applicable Law or a regulatory authority.
12.3 Audits shall be subject to InfiniGrow’s reasonable security policies and the results of any audit or inspection shall be considered the confidential information of InfiniGrow and subject to the confidentiality provisions under the Agreement.
13. General Terms.
13.1 The general terms of the Agreement, including provisions regarding indemnification, limitation of liability, and governing law and jurisdiction shall apply to this DPA.
13.2 In the event of inconsistencies between the Agreement and this DPA, the provisions of this DPA shall prevail.
13.3 In the event of changes to Applicable Laws or decisions of any competent authority that would require a change to this DPA, the parties shall make commercially reasonable efforts to modify this DPA to accommodate such requirements.
Schedule 1: Details of Processing of Customer Personal Data
This Schedule 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data.
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement, in InfiniGrow’s Privacy Notice (“Privacy Notice“) and this DPA.
The nature and purpose of the Processing of Customer Personal Data:
Rendering Services in the nature of a marketing and analytics platform, as detailed in the Agreement and the DPA.
The types of Customer Personal Data to be Processed are as follows:
- Last Name
- Email address
- Company name
- Phone number, and/or any other Personal Data provided by Customer through InfiniGrow’s platform, according to its configuration of settings within the platform and as reflected in its dashboard.
The categories of Data Subject to whom the Customer Personal Data relates to are as follows:
Data Subjects who are end users or customers of the Customer’s web application services.
The obligations and rights of Customer.
The obligations and rights of Customer are set out in the Agreement and this DPA.
|Name of Sub-Processor||Services Performed||Sub-Processor Location|
|Amazon AWS||Cloud Services||USA|
|ObjectLabs Corporation (mLab)||Database||USA|
|APIHub, Inc. (Clearbit)||Data enrichment||USA|
|Twilio SendGrid||Transactional emails||USA|