Data Processing Addendum

Last Updated: November 1, 2021

This Data Processing Addendum (“DPA”) supplements CommPeak’s Terms of Service available at: https://www.commpeak.com/legal-portal/terms-of-service/, the Master Service Agreement or other written or electronic agreements (including any exhibits, appendices, annexes, terms, orders or policies referenced herein) (“Agreement”), entered by and between CommPeak Limited (“we”, “us”, “our”, “CommPeak”) and the customer (collectively “you”, “your”, “Customer”) into which it is incorporated by reference.

By using and/or accessing CommPeak’s Website, user portal, and/or any of our services, including all associated features and functionalities (collectively “CommPeak’s Services” or “Services”), you are deemed to have read, understood, accepted, and agreed to be bound by this DPA.  

This Agreement is a legally binding agreement. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide CommPeak with any Personal Data.

1. Introduction

1.1. General

1.1.1. CommPeak and Customer are hereinafter collectively referred to as the “Parties” and individually as the “Party”.

1.1.2. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement, which is incorporated herein by reference.

1.1.3. The Customer entity signing this DPA must be the same as the Customer entity party to the Agreement. If the Customer entity signing this DPA is not a party to the Agreement directly with CommPeak but is instead a customer indirectly via an authorized reseller of CommPeak services, this DPA is not valid and is not legally binding. Such an entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.

1.1.4. CommPeak may revise this DPA as necessary to address changes to Applicable Data Protection Law or CommPeak policies, and such changes shall be binding and effective upon the earlier of (i) the date that is thirty (30) days after the posting of the revised DPA or (ii) the date that CommPeak provides notice to you of the revised DPA.

1.2. Definitions

 “Adequate Country” means (a) for data processed which is subject to the EU GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the GDPR; (b) for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018; and/or (c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.

“Applicable Data Protection Law” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel, and the United States of America, as applicable to CommPeak in its role of Processing Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA; in each case, as amended, repealed, consolidated or replaced from time to time.

“Controller” means the natural person or legal entity, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Customer Account Data” means personal data that relates to Customer’s relationship with CommPeak, including the names or contact information of individuals authorized by Customer to access Customer’s account or Services and billing information of individuals that Customer has associated with its account or Services. Customer Account Data also includes any data CommPeak may need to collect for identity verification, or as part of its legal obligation to retain End-User Records (as defined below).

“Customer Content” means any and all personal data, files, information, or materials accessed, transmitted, uploaded, published, or exchanged as a result of Customer’s use of CommPeak’s Services and/or data stored on Customer’s behalf, including but not limited to communication logs.

“Customer Data” means Customer Account Data, Customer Content, Customer Usage Data, and Sensitive Data, all as defined herein.

“Customer Usage Data” means data processed by CommPeak to transmit or exchange Customer Content, including data used to identify the source and destination of a communication, including but not limited to End-User’s telephone numbers, data on the location of the device generated in the context of providing CommPeak’s Services, and the date, time, duration and the type of communication, as well as activity logs, used to identify the source of Service requests, optimize and maintain the performance of the Services, and investigate and prevent fraud and system abuse.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer (“data subject”), and is protected under Data Protection Laws; this includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.

“Privacy Policy” means CommPeak’s current privacy policy available at: https://www.commpeak.com/legal-portal/privacy-policy/

“processing” means any operation or set of operations which are performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process”, “Processes” and “Processed” will be interpreted accordingly.

“Processor” means a natural person or an entity that Processes Personal Data on behalf of the Controller.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

“Sensitive Data” means Personal Data that reveals such special categories of data as are listed in Article 9(1) of the GDPR or any other applicable law or regulation relating to privacy and data protection.

“Services” means the generally available CommPeak’s services as described in the Service Schedule and Service Order and procured by Customer, and any other services provided by CommPeak to the Customer under the Master Service Agreement, or contracts that the Customer may use at its option and/or as it determines, including but not limited to support and technical services.

“Standard Contractual Clauses” means the Standard Contractual Clauses, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes thereto.

“Sub-Processor” means any other Data Processors engaged by CommPeak to (1) Process Customer Personal Data on behalf of Customer where Customer itself acts in its role as a processor and/or (2) process Customer Content in order to provide the Services to Customer. For the avoidance of doubt, telecommunication providers are not sub-processors.

“Supervisory Authority” shall have the meaning set in the GDPR. 

“Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, law enforcement agencies, regulatory authorities, or third party.

“End-User Records” means Customer Account Data containing proof of identification and/or proof of physical address necessary for CommPeak to attain in order to provide Customer or Customer’s customers (end-users) with certain Services. End-User Records may be shared with local telecommunications providers or local government authorities when CommPeak is required to do so in order to comply with law or regulation.

The terms “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

2. Scope and Applicability of this DPA 

2.1. This DPA applies where and only to the extent that CommPeak processes Personal Data on behalf of the Customer in the course of providing the Services. 

3. Role of the Parties

3.1. CommPeak as a Processor

3.1.1. In the course of providing Services to Customer, CommPeak may act as a Processor of Personal Data and the Customer may act as either the Controller or, if the Customer is acting on behalf of a third-party Data Controller, a Processor.

3.1.2. To the extent applicable, the Customer appoints and authorizes CommPeak to act as Processor on the Customer’s behalf.

3.1.3. Where CommPeak acts as a processor on the Customer’s behalf, CommPeak will process Personal Data in accordance with the Customer’s instructions as outlined in Section 4.

3.2. CommPeak as a Controller

3.2.1. In exceptional circumstances, CommPeak may act as a Controller. Where and to the extent that CommPeak processes Customer Account Data and/or Customer Usage Data as a controller, the Customer is a Data Controller and CommPeak is an independent Data Controller, not a joint data controller.

3.2.2. CommPeak will process such Personal Data as a Data Controller:  

3.2.2.1. In order to manage the relationship with the Customer,

3.2.2.2. In order to carry out CommPeak’s business activities (e.g., accounting, billing, audit, and tax filing); provide, optimize, and maintain CommPeak’s Services and data security; 

3.2.2.3. identity verification; detect, prevent, or investigate security incidents, fraud, and other abuse or misuse, wrongful or unlawful use of CommPeak’s Services; to comply with CommPeak’s legal or regulatory obligation to retain End-User Data;

3.2.2.4. as required by applicable law or regulations or as otherwise permitted under Applicable Data Protection Law and in accordance with this DPA, CommPeak’s Master Service Agreement, and Privacy Policy.

4. Customer Instructions

4.1. Customer hereby appoints CommPeak as a processor (and authorizes CommPeak to instruct each Sub Processor) to process Customer’s Personal Data on behalf of, and in accordance with the instructions of the Customer:

4.1.1. as set forth in the Agreement and this DPA;

4.1.2. as necessary to provide the Services to Customer, this may include preventing fraudulent activities, spam, network abuse, and investigating security incidents; 

4.1.3. as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and 

4.1.4. as otherwise agreed in writing between the parties (“Permitted Purposes”).

4.2. Customer warrants and represents that its instructions shall at all times comply with Applicable Data Protection Laws.

4.3. Customer shall be solely responsible for the legality of the Personal Data and for ensuring it has an appropriate lawful basis to enable the collection and processing of Personal Data according to the terms of the Agreement and this DPA.

4.4. Customer hereby acknowledges and agrees that CommPeak is neither responsible for determining which laws or regulations are applicable to the Customer’s business nor whether CommPeak’s provision of the Services meets or will meet the requirements of such laws or regulations. 

4.5. The Customer shall take all necessary measures to ensure that CommPeak’s processing of Customer Personal Data, when done in accordance with Customer’s instructions, will not cause Customer to violate any applicable law or regulations. 

4.6. CommPeak will inform the Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, or is otherwise unable to comply with an instruction.

4.7. The parties agree that the Master Service Agreement (including this DPA and other Service Documents) sets out the Customer’s complete and final instructions to CommPeak for the Processing of Customer Personal Data. Any Processing outside the scope of these instructions will require a prior written agreement between Customer and CommPeak.

4.8. CommPeak’s obligations set forth in this DPA shall also extend to End-Users, subject to the following conditions:

4.8.1. Customer must communicate any additional Processing instructions from its customers (End-Users) directly to CommPeak;

4.8.2. Customer shall be responsible for End-Users’ compliance with this DPA and all acts and/or omissions by an End-user with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer; 

4.8.3. End-Users shall not bring a claim directly against CommPeak. If an End-User seeks to assert a legal demand, action, suit, claim, proceeding, or otherwise against CommPeak (“End-User Claim”): 

4.8.3.1. Customer must bring such End-User Claim directly against CommPeak on behalf of such End-User unless Data Protection Laws require the End-User be a party to such claim; and 

4.8.3.2. all End-User Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Master Service Agreement, including any aggregate limit of liability.

5. Customer Processing of Personal Data

5.1. Customer agrees that it: 

5.1.1. will comply with its obligations under Data Protection Laws with respect to its Processing of Customer or End-User’s Personal Data; 

5.1.2. has obtained all consents, permissions, and rights necessary under Data Protection Laws for CommPeak to lawfully Process Customer’s and End-User’s Personal Data for the Permitted Purposes, including, without limitation, Customer’s sharing and/or receiving of Customer Personal Data with third-parties via the Services. 

5.2. Each party shall appoint a Data Privacy Officer within its organization authorized to respond from time to time to inquiries regarding Personal Data; the parties shall make the Data Privacy Officer known to the other party, and the Data Privacy Officer shall deal with such inquiries promptly.

6. Limitation of Purpose

6.1. CommPeak will process personal data in order to provide its Services in accordance with the terms of the Master Service Agreement, Service Schedule, Service Order, and the Service Documents. SCHEDULE 1 provides further details and specifies the nature and purpose of processing, CommPeak’s processing activities, the duration of the processing, and the type of personal data and data subjects.

6.2. The Customer is responsible for ensuring the following:

6.2.1. That it has complied and will continue to comply with all Applicable Data Protection Laws throughout the use of CommPeak’s Services.

6.2.2. That it has and will continue to have the right to transfer and/or provide access to CommPeak to Personal Data for the purpose of processing the data in accordance with the terms of this DPA and the Agreement.

6.2.3. In no event shall the Customer configure the Services to collect or cause CommPeak to Process Personal Data that is beyond the scope set forth in SCHEDULE 1. 

7. Sub-Processing

7.1. The Customer generally authorizes the engagement of Sub-processors in accordance with this Section 5 and any restrictions in the Agreement and specifically consents to those listed at CommPeak’s Sub-processors list available at: https://www.commpeak.com/legal-portal/sub-processors-list/.

7.2. Upon written request, CommPeak shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements when required to satisfy Customer’s obligations under Applicable Data Protection Law.

7.3. CommPeak may update this Sub-Processor List periodically, by adding and/or removing Sub-Processors. Customers may subscribe to notifications of new Sub-processors used to Process Personal Data by sending an email to [email protected].

7.4. When Customer subscribes, CommPeak shall provide the Customer notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services. 

7.5. CommPeak shall provide such notification at least fourteen (14) days in advance of allowing the new Sub-processor to Process Customer Personal Data (the “Objection Period”). 

7.6. During the Objection Period, the Customer may object to CommPeak’s appointment or replacement of a sub-processor, by providing a written objection to [email protected], provided such objection is based on reasonable grounds relating to data protection.

7.7. In such an event, the parties agree to discuss the Customer’s concerns in good faith to achieve resolution. 

7.8. If the parties cannot reach a resolution within ninety (90) days from the date of CommPeak’s receipt of Customer’s written objection, Customer, as its sole and exclusive remedy, may discontinue the use of the affected Services by providing written notice to CommPeak. Subsequently, CommPeak will refund the Customer any prepaid unused fees of such Order Form(s) following the effective date of termination with respect to such terminated Services.

7.9. If no objection has been raised during the Objection Period, CommPeak will deem the Customer to have authorized the new sub-processor.

7.10. For the avoidance of doubt, Section 7 constitutes the Customer’s general consent and authorization for CommPeak’s engagement of onward sub-processors under the Standard Contractual Clauses.

7.11. CommPeak shall restrict the Sub-processors’ access to Customers’ personal data to what is strictly necessary for the provision of Services and shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer’s personal data than CommPeak’s obligations under this DPA, to the extent applicable to the nature of Services provided by such Sub-processors and required by Applicable Data Protection Law.

8. Disclosure to Third-Party 

8.1. In the event that CommPeak receives a request, direction, query, or other demand to retain, disclose, or otherwise Process Customer Content for any third party, including, but not limited to, law enforcement, regulatory or supervisory authority (collectively “Third-Party Request”), which relates in any way to the Personal Data Processed by CommPeak under this DPA, then CommPeak shall attempt to redirect the Third-Party Demand to Customer.

8.2. Notwithstanding Section 8.1 above, the Customer hereby agrees that CommPeak can provide information to such third parties as reasonably necessary to redirect the Third-Party Request. 

8.3. If CommPeak cannot redirect the Third-Party Request to Customer, then CommPeak shall notify the Customer of the Third-Party Request, to the extent legally permitted to do so, via email sent to the email address associated with the Customer’s account, as promptly as feasible under the circumstances, to allow Customer to deal with the Third-Party Request.

9. Confidentiality of Processing

9.1. CommPeak shall ensure that any person who is authorized by CommPeak to process Personal Data (including its staff, agents, and subcontractors) shall be under appropriate obligations of confidentiality (whether contractual or statutory duty) with respect to such Personal Data.

10. Security

10.1. CommPeak has implemented and will maintain the appropriate technical and organizational security measures as set forth in CommPeak’s Master Service Agreement and SCHEDULE 2 to this DPA (“Security Measures”). 

10.2. Notwithstanding any provision to the contrary, CommPeak may review and update its Security Schedule from time to time, provided that any such updates shall not materially diminish the overall protection offered by the Security Measures.  

10.3. The Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer’s use of the Services, such as, but not limited to, encryption of voice recordings, availability of authentication on Customer’s account, etc. 

10.4. CommPeak shall have no obligation to assess the contents of Customer Personal Data to identify information subject to any specific legal requirements. 

10.5. The Customer is responsible for reviewing the information made available by CommPeak relating to data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations under Applicable Data Protection Laws.

10.6. Notwithstanding the above, Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside CommPeak or CommPeak’s Sub-processors’ systems. The Customer is further responsible for properly configuring the Services and using features and functionalities made available by CommPeak to maintain appropriate security in light of the nature of Customer Data processed as a result of the Customer’s use of the Services.

10.7. If CommPeak becomes aware of a Security Incident, CommPeak shall: (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident impacting or involving Customer Data, and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Further, at the Customer’s request, CommPeak shall promptly provide the Customer with such reasonable assistance as necessary to enable the Customer to notify the relevant Security Incident to competent authorities and/or affected Data Subjects, if the Customer is required to do so under Data Protection Laws.

11. Customer Audit Rights

11.1. CommPeak shall, in accordance with General Data Protection Regulation (EU) 2016/679 and other applicable Data Protection Laws, make available to the Customer such information in CommPeak’s possession or control as the Customer may reasonably request with a view to demonstrating CommPeak’s compliance with the obligations of data processors under General Data Protection Regulation (EU) 2016/679, other Applicable Data Protection Laws and this DPA, insofar as CommPeak is acting as a processor on behalf of Customer. 

11.2. Upon written request at reasonable intervals, subject to reasonable confidentiality controls, CommPeak shall provide Customer, or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing CommPeak’s compliance with its obligations under this DPA.

11.3. The Customer may also send, no more than once annually, a written request for an audit (including inspection) of CommPeak’s facilities. Following receipt by CommPeak of such a request, CommPeak and Customer shall mutually agree in advance on the details of the audit, including reasonable start date, scope, and duration of, and security and confidentiality control applicable to, any such audit. CommPeak may charge the Customer a fee (rates shall be reasonable, taking into account the resources expended by CommPeak) for any such audit. The Reports, audit, and any information arising therefrom shall be CommPeak’s Confidential Information.

11.4. Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with CommPeak before any review of Reports or an audit of CommPeak, and CommPeak may object in writing to such Auditor if, in CommPeak’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of CommPeak. Any such objection by CommPeak will require the Customer to either appoint another Auditor or conduct the audit itself. 

11.5. Expenses incurred by the Auditor in connection with any review of Reports or an audit shall be borne exclusively by the Auditor. 

11.6. For the avoidance of doubt, the exercise of audit rights under the Standard Contractual Clauses shall be as described in Section 11 (Customer Audit Rights).

12. Return and Deletion

12.1. Following termination of the Agreement and cessation of the Services, CommPeak shall delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement. In addition, CommPeak shall delete existing copies of such Personal Data unless Data Protection Laws or other applicable regulation require otherwise.

12.2. To the extent authorized or required by applicable laws and/or regulations, CommPeak may also retain a copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise, or defense of legal claims and/or for compliance with legal obligations. 

13. Data Transfers

13.1. The Customer hereby acknowledges and agrees that CommPeak and its Sub-processors may access, transfer, and Process Customer Data across international borders. 

13.2. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), the Customer hereby acknowledges and agrees for such transfer to take place, without any further safeguard being necessary.

13.3. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred to a country that has not been subject to a relevant Adequacy Decision and does not ensure an adequate level of data protection under Applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Standard Contractual Clauses approved by the EU authorities under General Data Protection Regulation (EU) 2016/679 as follows:

13.3.1. with regard to Personal Data for which Customer Acts as Controller, and CommPeak as a Processor, Module Two (Controller to Processor) will apply;

13.3.2. with regard to Personal Data for which Customer Acts as a Processor, and CommPeak as a Processor, Module Three (Processor to Processor) will apply;

13.4. For each Module, where applicable:

13.4.1. in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;

13.4.2. in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply

13.4.2.1. the time period for prior notice of sub-processor changes will be as set forth in Section 7 of this DPA;

13.4.3. in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;

13.4.5. in Clause 18(b) of the 2021 Standard Contractual Clauses, the Parties agree that disputes be resolved before the courts of Ireland;

13.4.4. in Clause 17 of the 2021 Standard Contractual Clauses, option 1 will apply and the Parties agree that the Standard Contractual Clauses shall be governed by the law of the Republic of Ireland;

13.4.6. in Annex I, Part A of the 2021 Standard Contractual Clauses:

13.4.6.1. Data Exporter: Customer.

13.4.6.1.1. Address: The address stated in the Agreement or such other address as may be specified by the Customer by notice to CommPeak from time to time.

13.4.6.1.2. Contact Details: The email address(es) designated by Customer in Customer’s account.

13.4.6.1.3. Data Exporter Role: The Data Exporter’s role is set forth in Section 3 of this DPA.

13.4.6.1.4. Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

13.4.6.2. Data Importer: CommPeak Limited.

13.4.6.2.1. Address: 1906 Lee Garden One, 33 Hysan Avenue, Causeway Bay, Hong Kong

13.4.6.2.2. Contact Details: CommPeak’s Privacy team [email protected]

13.4.6.2.3. Data Importer Role: The Data Importer’s role is set forth in Section 3 of this DPA.

13.4.6.2.4. Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

13.4.7. in Annex I, Part B of the 2021 Standard Contractual Clauses (Description of Transfer):

13.4.7.1. The categories of data subjects whose personal data is transferred are described in Section 3 of this DPA.

13.4.7.2. The categories of personal data transferred are described in Section 4 of this DPA.

13.4.7.3. The frequency of the transfer is on a continuous basis for the duration of the Agreement.

13.4.7.4. The nature of processing and purpose of the data transfer and further processing are described in Section 1 of this DPA.

13.4.7.5. The period for which the personal data will be retained is described in Section 5, SCHEDULE 1 of this DPA.

13.4.7.6. Transfers to sub-processors, including subject matter, nature and durations, are set forth at Section 5 of this DPA.

13.4.8. in Annex I, Part C of the 2021 Standard Contractual Clauses (Competent Supervisory Authority): The Irish Data Protection Commission will be the competent supervisory authority.

13.4.9. SCHEDULE 2 (Technical and Organizational Security Measures) of this DPA serves as Annex II of the Standard Contractual Clauses (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data).

13.4.10. Sub-Processors List available at: https://www.commpeak.com/legal-portal/sub-processors-list/ serves as Annex III of the Standard Contractual Clauses (List of Sub-Processors). 

13.5. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA, the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.

14. Data Subject Rights and Cooperation

In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any Third-Party Request relating to the processing of Personal Data conducted by the other party, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third-Party Request and fulfill their respective obligations under Applicable Data Protection Law.

15. Disclaimer

COMMPEAK MAKES NO REPRESENTATION OR WARRANTY THAT THIS ADDENDUM IS LEGALLY SUFFICIENT TO MEET CUSTOMERS’ NEEDS UNDER APPLICABLE LAW, INCLUDING THE GDPR, UK GDPR, AND CCPA. COMMPEAK EXPRESSLY DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE THAT THIS ADDENDUM WILL COMPLY WITH OR SATISFY ANY OF THE CUSTOMER’S OBLIGATIONS UNDER APPLICABLE LAW, INCLUDING THE GDPR, UK GDPR, AND THE CCPA. THE CUSTOMER FULLY UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE FOR COMPLYING WITH ALL OF ITS OBLIGATIONS IMPOSED BY APPLICABLE LAW. THE PARTIES AGREE THAT THERE WILL BE NO PRESUMPTION THAT ANY AMBIGUITIES IN THIS ADDENDUM WILL BE CONSTRUED OR INTERPRETED AGAINST THE DRAFTER.

16. Relationship with the Agreement

16.1. The parties agree that this DPA shall replace and supersede any existing data processing DPA, attachment, or exhibit (including the Standard Contractual Clauses (as applicable)) that CommPeak and Customer may have previously entered into in connection with the Services.

16.2. Except as provided by this DPA, the Master Service Agreement remains unchanged and in full force and effect. In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.

16.3. This DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

16.4. Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting either of the parties’ obligations under the Agreement, each party agrees that any regulatory penalties incurred by one party (the “Incurring Party”) in relation to the Customer Personal Data that arise as a result of, or in connection with, the other party’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were a liability to the other party under the Agreement.

16.5. In no event shall this DPA or any party restrict or limit the rights of any Data Subject or any competent supervisory authority.

17. Relationship with the Agreement

17.1. No failure or delay by any Party to exercise any right, power or remedy will operate as a waiver of it, nor will any partial exercise preclude any further exercise of the same or of some other right or remedy.

18. Updates

18.1. CommPeak may update the terms of this DPA from time to time; provided, however, that it will provide at least thirty (30) days prior written notice to the Customer when an update is required as a result of changes in Applicable Data Protection Law; a merger, acquisition, or other similar transaction; or the release of new products or services or material changes to any of the existing Services.

SCHEDULE 1

SUBJECT MATTER AND DETAILS OF PROCESSING

This SCHEDULE 1 includes certain details of the Processing of Personal Data as required by the GDPR.

1. Subject Matter of Processing

1.1. The context for the Processing of Personal Data is CommPeak’s provision of Services under the Agreement and this DPA. 

2. The nature and purpose of the Processing

2.1. Providing the Services to Customer;

2.2. Performing the Master Service Agreement, the Agreement, this DPA, relevant Schedule Order, and/or other contracts executed by the Parties;

2.3. Acting upon Customer’s instructions, as set forth in Section 3, where such instructions are consistent with the terms of the Master Service Agreement and this DPA;

2.4. Sharing Personal Data with third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Services and such third party services);

2.5. Complying with applicable laws and regulations;

2.6. All tasks related to any of the above.

3. Categories of Data Subjects to whom the Personal Data of Special Categories of Personal Data relates:

Customers may submit Personal Data to the Services which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

3.1. Employees, agents, advisors, freelancers of Customer (who are natural persons)

3.2. Prospects, customers, business partners, and vendors of Customers (who are natural persons)

3.3. Employees or contact persons of Customer’s prospects, customers, business partners, and vendors

3.4. Any other third party individual authorized by Customer to access Customer’s CommPeak account or make use of the Services received from CommPeak and/or individual with whom Customer decides to communicate through the Services.

4. Type of Personal Data 

4.1. The Personal Data may concern the following categories of data: identification data including name, address, telephone or mobile number and email address; billing information; details of services which Customer has purchased or enquired about; IP address; CommPeak ID; names and/or contact information of individuals authorized to access Customer’s account; data stored on Customer’s behalf such as communication logs within the Services; other Customer data, including contract details (pricing plan, date, and duration of subscription, Service Schedule, Service Order) and other information collected and provided by Customer in connection with the use of the Services.

5. Duration of Processing

5.1. The duration of the processing is for the duration of the Agreement except where otherwise required by applicable law or legal obligation, or for CommPeak to protect its rights or those of a third party.

5.2. Contact information (company, email, phone, physical business address)

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

As from the Effective Date, CommPeak will implement and maintain the Security Measures described in this SCHEDULE 2. 

1. Security Measures

1.1. Data importer/sub-processor has implemented and shall maintain a security program in accordance with industry standards. 

More specifically, the data importer/sub-processor’s security program shall include:

2. Access Control of Processing Areas

2.1. Data importer/sub-processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers, and related hardware) where the personal data are processed or used, including:

2.1.1. establishing security areas;

2.1.2. protection and restriction of access paths;

2.1.3. establishing access authorizations for employees and third parties, including the respective documentation;

2.1.4. all access to the data center where personal data are hosted is logged, monitored, and tracked; and

2.1.5. the data center where personal data are hosted is secured by a security alarm system and other appropriate security measures.

3. Access Control to Data Processing Systems

3.1. Data importer/sub-processor implements suitable measures to prevent their data processing systems from being used by unauthorized persons, including:

3.1.1. use of adequate encryption technologies;

3.1.2. identification of the terminal and/or the terminal user to the data importer/sub-processor and processing systems;

3.1.3. automatic temporary lock-out of user terminal if left idle, identification and password required to reopen;

3.1.4. automatic temporary lock-out of the user ID when several erroneous passwords are entered, log file of events, monitoring of break-in attempts (alerts); and

3.1.5. all access to data content is logged, monitored, and tracked.

4. Access Control to Use Specific Areas of Data Processing Systems

4.1. Data importer/sub-processor commits that the persons entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied, or modified or removed without authorization. This shall be accomplished by various measures including:

4.1.1. employee policies and training in respect of each employee’s access rights to the personal data;

4.1.2. allocation of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;

4.1.3. monitoring capability in respect of individuals who delete, add, or modify the personal data;

4.1.4. release of data only to authorized persons, including allocation of differentiated access rights and roles;

4.1.5. use of adequate encryption technologies; and

4.1.6. control of files, controlled and documented destruction of data.

5. Availability Control

5.1. Data importer/sub-processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss, including:

5.1.1. infrastructure redundancy; and

5.1.2. backup is stored at an alternative site and available for restore in case of failure of the primary system.

6. Transmission Control

6.1. Data importer/sub-processor implements suitable measures to prevent the personal data from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including:

6.1.1. use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels;

6.1.2. certain highly confidential employee data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) is also encrypted within the system;

6.1.3. providing a user alert upon incomplete transfer of data (end-to-end check); and

6.1.4. as far as possible, all data transmissions are logged, monitored, and tracked.

7. Input Control

7.1. Data importer/sub-processor implements suitable input control measures, including:

7.1.1. an authorization policy for the input, reading, alteration, and deletion of data;

7.1.2. authentication of the authorized personnel;

7.1.3. protective measures for the data input into memory, as well as for the reading, alteration, and deletion of stored data;

7.1.4. utilization of unique authentication credentials or codes (passwords);

7.1.5. providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked;

7.1.6. automatic log-off of user IDs that have not been used for a substantial period of time;

7.1.7. proof established within data importer/sub-processor’s organization of the input authorization; and

7.1.8. electronic recording of entries.

7.2. Separation of Processing for different Purposes

7.2.1. Data importer/sub-processor implements suitable measures to ensure that data collected for different purposes can be processed separately, including:

7.2.1.1. access to data is separated through application security for the appropriate users;

7.2.1.2. modules within the data importer/sub-processor’s database separate which data is used for which purpose, i.e. by functionality and function;

7.2.1.3. at the database level, data is stored in different normalized tables, separated per module, per Data Controller Customer or function they support; and

7.2.1.4. interfaces, batch processes, and reports are designed for only specific purposes and functions, so data collected for specific purposes are processed separately.

8. Documentation

8.1. Data importer/sub-processor will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Data importer/sub-processor shall take reasonable steps to ensure that persons employed by it and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this SCHEDULE 2.

9. Monitoring

9.1. Data importer/sub-processor shall implement suitable measures to monitor access restrictions to data importer/sub-processor’s system administrators and to ensure that they act in accordance with instructions received. This is accomplished by various measures including:

9.1.1. individual appointment of system administrators;

9.1.2. adoption of suitable measures to register system administrators’ access logs to the infrastructure and keep them secure, accurate, and unmodified for at least six months;

9.1.3. yearly audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by the data importer/sub-processor, and applicable laws;

9.1.4. keeping an updated list with system administrators’ identification details (e.g. name, surname, function, or organizational area) and tasks assigned and providing it promptly to data exporter upon request.