BuzzStream Data Processing Addendum

Last Updated 5-22-2018

BuzzStream Customer Data Processing Addendum

This Data Processing Addendum (“DPA”) forms an agreement between Rel Equals, Inc. d/b/a BuzzStream and Customer and shall be effective on the date both parties execute this DPA (“Effective Date”). Terms not explicitly detailed within this DPA will be covered within the BuzzStream Terms of Use.

1. Definitions

  • Terms of Use – BuzzStream’s Terms of Use which govern the use of BuzzStream Services and which may be updated periodically.
  • Control – ownership of or a voting interest (of 50% or more of total interests) of the entity in question. The term Controlled should be construed accordingly.
  • Customer Data – Any data that BuzzStream processes on a customer’s behalf as a Data Processor in the course of providing Services.
  • Data Protection Laws – all laws pertinent to the processing of Personal Data including those related to EU Data Protection Law where applicable.
  • Data Controller – entity that determines the means and purposes of the processing of Personal Data.
  • Data Processor – entity that processes data on behalf of the Data Controller.
  • EU Data Protection Law – Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and Directive 2002/58/EC (“Directive”) concerning the processing of Personal Data and the protection of privacy.
  • EEA – European Economic Area, United Kingdom, and Switzerland.
  • Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Privacy Shield – EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework program managed by the U.S. Department of Commerce.
  • Privacy Shield Principles – Privacy Shield Principles contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016.
  • Process – defined as in the GDPR. All derivatives (process, processes, processed) shall be defined accordingly.
  • Security Incident – any unlawful or unauthorized breach which compromises, destroys, alters, discloses or provides other unauthorized access to Customer Data.
  • Services – products and services provided by BuzzStream to Customers as defined in the Terms of Use.
  • Sub-Processor – Data Processor used by BuzzStream to assist in providing services laid out in the Terms of Use or this DPA.

 

2. Relationship with this Agreement

2.1 Excepting distinct changes made by this DPA, the Terms of Use are still in full effect and enforceable as such. Noted exceptions in this DPA take precedence over conflicting items in the Terms of Use.

2.2 Claims related to this DPA are subject to all exclusions and limitations set forth in the Terms of Use.

2.3 Claims against BuzzStream covered by this DPA shall be brought solely against the entity that is a party to the Terms of Use. No party may limit its liability regarding individuals’ data protection rights under this DPA or other agreements. Customer agrees that any regulatory penalties brought against or incurred by BuzzStream related to Customer Data that result from or are connected to Customer’s inability or failure to comply with its obligations under this DPA or pertinent Data Protection Laws will be applied to Customer as though they were the full liability of the Customer under this agreement.

2.4 None other than the parties to this DPA shall have any right to enforce any of its terms.

 

3. Scope and Applicability of DPA

3.1 This DPA applies only to the processing of Customer Data that originates from the EEA or that is otherwise subject to EU Data Protection Law on behalf of Customer in the course of providing services laid out in the Terms of Use.

3.2 This DPA shall be applied to the processing of Customer Data from the Effective Date, excepting for universal GDPR obligations which take effect from May 25th, 2018.

 

4. Roles and Scope of Processing

4.1 Role of the Parties: Customer is the Data Controller of Customer Data. BuzzStream will process Customer Data as a Data Processor acting on behalf of Customer.

4.2 Customer Processing of Customer Data: Customer agrees that it will comply with all obligations as a Data Controller under applicable Data Protection Laws concerning all processing of Customer Data and through any processing instructions issued to BuzzStream or which are utilized as part of the BuzzStream Services.

4.3 Notice and Consent for Customer Data: Customer affirms that it has provided notice and received consent, as well as providing for the application of all rights associated with and defined by applicable Data Protection Laws, for BuzzStream to process Customer Data and provide services laid out in the Terms of Use and this DPA.

4.4 BuzzStream Processing of Customer Data: BuzzStream will only process Customer Data for the purposes described in this DPA and Terms of Use and only according to the Customer’s lawful intended purpose. Any purposes not covered by this DPA and the Terms of Use will require prior written agreement between Customer and BuzzStream.

4.5 Specifics of Data Processing: Specifics of data processing are covered by the Terms of Use and detailed in Annex A of this DPA.

4.6 Customer agrees that BuzzStream has the right to use and/or disclose information as needed for the purposes of support and/or ongoing use of BuzzStream Services for lawful business purposes. These include account management, product development, technical support, sales, marketing, and billing. BuzzStream is considered Data Controller of all such data and will process said data in accordance with the BuzzStream Privacy Policy and Data Protection Laws.

4.7 Tracking: Customer agrees that BuzzStream may employ the use of tracking technologies including cookies, unique identifiers, device identifiers, and similar technologies for the purposes of adequate performance of its Services. These technologies will be implemented in full accordance with this DPA, the BuzzStream Terms of Use and Privacy Policy, and Data Protection Laws.

 

5. Sub-processors

5.1 Use of Sub-processors: Customer agrees that BuzzStream may use the services of Sub-processors on the behalf of its customers. The list of current Sub-processors may be found in Annex B.

5.2 Authorization and Requirements of Sub-processors: All Sub-processors will enter into a written agreement with BuzzStream requiring the Sub-processor to protect Customer Data to the standards required by applicable Data Protection Laws. BuzzStream will maintain responsibility for compliance with this DPA and the Terms of Use as related to any actions by the Sub-processor that may cause BuzzStream to breach this DPA.

 

6. Security

6.1 Security Measures: BuzzStream will implement security measures as appropriate to protect against unauthorized or unlawful data access, modification, loss, or destruction. BuzzStream will ensure that all Customer Data is protected to industry standard and will maintain such security protocols to those standards throughout the term of this DPA and the Terms of Use. Further, BuzzStream ensures the resilience and confidentiality of all Services.

6.2 Secure Customer Use: The Customer agrees that with the exceptions listed in this DPA Customer is responsible for the secure use of all BuzzStream Services including account security, protection of Customer Data when transferring to/from BuzzStream, and encrypting/backing up data as necessary.

 

7. Confidentiality

7.1 Confidential Processing: BuzzStream ensures that all BuzzStream agents and Sub-contractors will maintain full confidentiality in relation to Customer Data. All of these described entities will undergo training related to confidential data handling and shall serve under an obligation of confidentiality as appropriate.

 

8. Data Breach

8.1 Response to Data Breach: BuzzStream will notify Customer with all due haste in the event of a Security Incident related to the compromise of Customer Data. It shall provide information as requested in such an event and will work with Customer as appropriate to handle the response.

 

9. Updates to Sub-processor list

9.1 BuzzStream will provide an updated list of Sub-processors to Customer on request. If desired, Customer may enroll in our list to be updated when BuzzStream modifies the list of Sub-processors through this link. If you have any issues please contact us at privacy@buzzstream.com.

9.2 Customer may object to the addition of a Sub-processor within five (5) days of update. If said objection is reasonable BuzzStream will attempt to work with Customer to accommodate their objection. If a mutually agreed upon accommodation cannot be reached, Customer will have the right to suspend or terminate their agreement to the Terms of Use.

 

10. Access to Data After Termination of Service

10.1 Upon termination of BuzzStream Services or voluntary end of agreement to the Terms of Use or this DPA, BuzzStream will at Customer request return or delete all Customer Data that is under BuzzStream control to the extent that it is appropriate and technically feasible, excepting that which is retained as required by law and that which is archived on back-up systems (which will be isolated from further processing at the point of termination of BuzzStream Services or the Terms of Use).

 

11. Cooperation with Customer

11.1 BuzzStream Services provide tools that allow the Customer to collect, modify, delete, restrict or retrieve Customer Data. The Customer may use these tools to fulfill obligations as required under pertinent Data Protection Laws. If Customer is unable to access necessary Customer Data, BuzzStream will (at Customer expense) cooperate with Customer to access data.

11.2 BuzzStream will not respond to any individuals on the nature of Customer processing of their data or applicable data protection authorities on behalf of the Customer excepting where required by law. In such an event, BuzzStream will notify and forward such requests to Customer unless legally prevented from doing so.

 

12. Cooperation with Law Enforcement

12.1 If BuzzStream receives a request for Customer Data from a legitimate law enforcement agency, BuzzStream will attempt to redirect that request to the Customer directly. In doing so, BuzzStream may provide necessary contact details on behalf of Customer. If BuzzStream is legally required to disclose Customer Data BuzzStream will attempt to provide notice to Customer unless legally prevented from doing so.

12.2 BuzzStream shall provide information requested by a customer for the purposes of carrying out data impact assessments at Customer to the extent required by Data Protection Laws and at Customer expense.

 

13. Privacy Shield

13.1 BuzzStream has been certified to provide adequate protection for Customer Data transferred out of the EEA through its participation in the Privacy Shield framework and through its adherence to the Privacy Shield Principles. BuzzStream agrees to notify Customer if it is unable to maintain adherence to those Principles or if it exits the Privacy Shield framework.

 

————————————————————————-

 

Signed Copy of DPA

For a signed copy of this DPA please email us at privacy@buzzstream.com. Complete the form and send it to us to ensure full compliance.

————————————————————————-

 

Annex A: Data Processing Purpose and Details

  • Subject matter – The subject matter covered under this DPA is Customer Data.
  • Duration – The duration of data processing under this DPA is covered by the term of the Terms of Use.
  • Purpose – The purpose of data processing covered by this DPA is to allow for the use of BuzzStream services by Customer and other specific instructions given by Customer to BuzzStream in accordance with the Terms of Use and this DPA.
  • Nature of processing – BuzzStream provides contact management, email outreach, discovery, and reporting services as described in the Terms of Use.
  • Categories of data subjects – Any entity accessing BuzzStream through the Customer’s account (“User”), any entity stored as a contact within the Customer BuzzStream account, and entities materially related to those who receive emails sent from Users in Customer account for the purposes of lawful outreach as detailed in this DPA and the Terms of Use.
  • Types of Customer Data:
      • Customer and users – Identification and contact data, financial information (including credit card and other payment information used in connection with payment for BuzzStream Services), attached social profiles, employment details, email history between BuzzStream representatives and Customer’s Users related to customer service, sales, or marketing engagements.
      • Contacts – Identification and contact data, affiliated websites, notes providing context to contact records for the purposes of personalized outreach, history or engagement between contact and Customer’s Users, publicly available social profiles, location data, custom data appended by user for the purpose of legitimate and lawful outreach.

 

————————————————————————-

Annex B: List of Current BuzzStream Subprocessors

 

Google Analytics

GoToMeeting

GoToWebinar

Zendesk

Intercom

Sendgrid

Unbounce

Mailchimp

Quickbooks

Amazon Web Services

Stripe

Authorize.net

Sumo