Data Processing Addendum
Effective Date: January 1, 2020
Last Updated on May 08, 2020
THIS DATA PROCESSING ADDENDUM (this “DPA”) supplements and is a part of the AttractROI Subscriber Terms of Service entered into between Digital President, LLC, the owner and operator of the AttractROI platform (“Digital President”, “we”, “us” and “our”), and the individual or entity who purchased subscription rights to the AttractROI platform via the Subscriber Terms of Service (“Subscriber”, “you” and “your”). Certain words and phrases in this DPA have special meanings that are provided either where they first appear as indicated by bold text, or in Section 6, as indicated by text link where they first appear. This English language version controls regardless of any translation.
1. SCOPE AND PURPOSE.
1.1 Subscriber Personal Data. The AttractROI platform provides our subscribers with templates and other tools they can use to create sales-focused, lead generation web sites to market and sell their own products and services to end users. When you first subscribed to the AttractROI Platform, you agreed to our Subscriber Terms of Service and allowed us to collect from you certain subscription-related data, including some limited personal data such as your name, email address and payment information. We act as the controller of that Subscriber Personal Data.
1.2 End User Personal Data. After you subscribed to our AttractROI Platform and used it to design your own web sites, you then put those sites to work, generating leads for your business, and converting those leads to sales. When doing so, you collect data from your own end users including whatever personal data you feel is needed for your business. You act as the controller of that End User Personal Data you collected. We, in turn, act as your processor when you use the feature of our AttractROI Platform that allows you to store End User Personal Data on our systems.
1.3 Purpose; GDPR and CCPA. The two-fold purpose of this DPA is to supplement the Subscriber Terms of Service by establishing the parties’ respective rights and obligations under the GDPR and CCPA with respect to: (a) the Subscriber Personal Data of which you are the data subject and with respect to which we act as controller; and (b) the End User Personal Data for which your end users are the data subjects, you act as controller and we act as your processor.
2. OUR CONTROLLER OBLIGATIONS.
When we act as the controller of your Subscriber Personal Data, we process it in furtherance of our legitimate interests such as issuing you log-in credentials, accepting and processing your payments, securing and improving our AttractROI Platform and detecting and preventing fraud. We do not sell any of your personal data to third parties, use it for any purpose other than as stated in the preceding sentence, nor do we use it for automated decision making. We share your Subscriber Personal Data with the parties and for the reasons described in our general privacy statement, which you can read about here.
We afford you the data subject access and related rights described in our privacy statement. To the extent Subscriber Personal Data includes the personal information of your workforce, it is entirely your responsibility to ensure you have a legitimate interest or other appropriate lawful basis to collect it, and to further ensure that the notices and other required portions of this DPA are provided to those affected members of your workforce.
We do, however, make a variation from the above described terms (including the privacy statement terms to which we linked) if the Subscriber Personal Data we share/transfer is strictly limited to business contact information. Business contact information is exempt from all or substantially all of the requirements of certain data privacy laws including the CCPA. Therefore, in order to effectively manage our privacy and data security program without undue burden while still balancing data subject rights and freedoms, for purposes of the GDPR we follow its Article 24, assess the risk to the affected data subjects and, where appropriate, modify the measures we take for business contact information such as excluding it from individual/natural person data subject requests and accepting from our processors/transferees summary statements (including sometimes via email confirmation) regarding their compliance with GDPR Article 28 or equivalent obligations.
3. YOUR CONTROLLER OBLIGATIONS.
As between Digital President and you, you are solely responsible for all controller obligations with respect to End User Personal Data. That means you will, among other things, determine your legitimate interests or other lawful bases for processing End User Personal Data, provide all required notices, and manage and respond to all data subject attempts to exercise their rights. To the extent your end user data subjects make any claim that you failed to do the foregoing, or any investigation or action is commenced against us as a result of your processing, sharing or transferring of End User Personal Data (except if caused by our failure to fulfill our obligations under Section 4 of this DPA) you will indemnify, defend and hold us and our agents and representatives harmless.
When you store End User Personal Data on our systems, it is automatically transferred outside of both your home jurisdiction and the overall European Economic Area to the United States. Those transfers occur under Article 45 of the GDPR including when the destination is the U.S. as we have self-certified to the EU-US and Swiss-US Privacy Shield. More information regarding the Privacy Shield, as well as evidence of our certification can be found by visiting https://www.privacyshield.gov/.
4. OUR PROCESSOR OBLIGATIONS.
We act as your processor when you use the feature of our AttractROI Platform that allows you to store End User Personal Data on our systems. The subject-matter of our processing is the End User Personal Data you provide to us. The duration of our processing is at your discretion, generally commensurate with the duration of your contractual relationship with us. The nature and purpose of our processing is limited to storage for retrieval by you. We do not typically conduct read-access to End User Personal Data in connection with the provision of the AttractROI Platform. The types of personal data processed are determined by you, as are the categories of data subjects who become your End Users. All of our processing of End User Personal Data further adheres to the following obligations:
4.1 Appropriate measures. We will implement appropriate technical and organizational measures in such a manner that our processing on your behalf will meet the requirements of applicable law.
4.2 Appointment of Subprocessors. We will not engage another processor (sometimes called a “subprocessor”) without your prior specific or general written authorization. In the case of general written authorization, we will inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes.
4.3 Processing Governed by Law and Contract. Our processing will be governed by this DPA under EU or Member State law. Your rights and obligations as controller are set forth in the Subscriber Terms of Service and this DPA. In addition to the general statement above, we specifically will:
(a) process End User Personal Data only on your documented instructions including with regard to transfers to a third country or an international organization, unless our actions are required by applicable law to which we are subject; in such a case we will inform you before processing, unless prohibited by that law;
(b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required under GDPR Article 32;
(d) respect the conditions referred to in Sections 4.2 and 4.4 for engaging another processor;
(e) taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligation to respond to requests for exercising the data subject's rights under applicable law;
(f) assist you in ensuring compliance with your obligations under GDPR Articles 32 to 36, taking into account the nature of processing and the information available to us;
(g) at your election, delete or return all End User Personal Data to you at the end of our relationship under the Subscriber Terms of Service, and delete existing copies unless applicable law requires storage of the personal data; and
(h) make available to you all information necessary to demonstrate our compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
We will immediately inform you if, in our opinion, an instruction you gave us infringes the GDPR.
4.4 Obligations of Subprocessors. If we engage a subprocessor to carry out specific processing activities on your behalf, the same obligations in this DPA will be imposed on that other processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. If the subprocessor breaches those obligations, we will be responsible to you.
4.5 End User Requests. We will, to the extent legally permitted, promptly notify you if an End User seeks to exercise its data subject access and related rights under applicable law through us instead of you, and we will reasonably cooperate with you to fulfill your obligations provided that you are responsible for any reasonable costs arising therefrom.
4.6 Breach Notification. We will notify you without undue delay after becoming aware that there has been a breach of the security of our systems leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the End User Personal Data transmitted, stored or otherwise processed by us. Such notification will include that information a processor must provide to a controller under GDPR Article 33(3) to the extent such information is reasonably available to Digital President.
5. PRECEDENCE; BINDING CONTRACT.
Conflicts between the Subscriber Terms of Service and/or our general Privacy Statement on the one hand, and this DPA on the other hand, with respect to a party’s rights or obligations governing, related to, or arising out of Subscriber Personal Data and End User Personal Data shall be resolved in favor of this DPA. By continuing to use the AttractROI Platform following the Effective Date of this DPA, Subscriber will have affirmatively manifested its intent to be bound to the terms and subject to the conditions of this DPA.
6. GLOSSARY; INTERPRETATION.
“Business contact information” means data that may otherwise be considered personal data, but is corporate or business in nature such as an email address using only a corporate domain, business telephone number, business street address, name and business title and is used solely for the purpose of issuing credentials to the AttractROI Platform and/or communicating or facilitating communication with the data subject in relation to the Subscriber Terms of Service.
“CCPA” means the California Consumer Privacy Act and its implementing regulations, as each are amended from time to time.
“AttractROI Platform” means the AttractROI platform owned and operated by Digital President, LLC.
“Controller” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Business” as defined in the CCPA.
“Data subject” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Consumer” as defined in the CCPA.
“End user” means any natural person from whom you collect personal data including visitors to your web sites and the actual and prospective customers of your goods and services.
“End User Personal Data” means certain personal data you collect from the prospective and actual customers of the goods and services you promote using web sites created with our AttractROI Platform.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and all national legislation implementing or supplementing it, as the foregoing are amended from time to time.
“Legitimate interests” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Business purpose” as defined in the CCPA.
“Personal data” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Personal information” as defined in the CCPA.
“Process”/“Processing” has the meaning given to it in the GDPR with substantially the same meaning under the CCPA.
“Processor” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Service provider” as defined in the CCPA.
“Sell” has the meaning given to it in the CCPA.
“Subscriber Personal Data” means certain personal data we collect from you and your workforce when you subscribe to our AttractROI Platform.
“Subscriber Terms of Service” means the AttractROI Terms of Service found here.