Data Processing Agreement
This Data Processing Agreement (hereinafter referred to as the “DPA”) forms part of, and is subject to the provisions of, the Terms of Service (“the Agreement”) between The Company (“Us”) and the Customer. In the event of a conflict between the terms of this DPA and the Terms (“The Agreement”), the terms and conditions of this Data Processing Agreement shall prevail concerning the subject matter of Processing of Personal Data.
1. Definitions
1.1. “Applicable Data Protection Law” covers any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity to protect the privacy rights of natural persons or households consisting of natural persons.
1.2. “Customer”, “You”, and “Data Controller” refers to the Entity that determines as a legal person alone or jointly with others the purposes and means of the processing of Personal Data. In the context of this Agreement, it refers to the Customer for whom we process personal data.
1.3. “Data Processor”, “We”, and “Us” refers to the entity that processes Personal Data on behalf of the Controller. Processor or “data importer” in this Agreement refers to Us.
1.4. “Customer Personal Data” / “End-customer Personal Data” means the personal data (as defined by Applicable Data Protection Law) that is processed when we provide our services.
1.5. “Data Subject” means individuals whose personal data are collected and provided to Us.
1.6. “Personal Data” means any information relating to an identified or identifiable natural person, including information that could be linked, directly or indirectly, with a particular Data Subject.
1.7. “Sub-Processor” means an authorised sub-processor engaged by Us that Processes Personal Data to provide Services.
1.8. “Services” refers to all the services we provide, as specified in the Service Agreement/Terms and Conditions we enter into with you.
2. Parties
Data Controller | Data processor |
Business Name: Name of the customer who signs up for our services | Business name: TextGrid LLC |
Authorized individual: An individual who fills out the sign-up form on our website on behalf of the Data Controller | Authorised individual: Motti Stenge |
Business Address: Registered address of the Data Controller that signs up for our services | Business Address: 66 West Flagler Street, Unit 900 Miami, FL 33130 |
3. Details of Data Processing
Subject Matter. The subject matter of the data processing under this DPA is the processing of personal data of Concerned Individuals such as phone numbers, content of text messages sent, name of the carrier.
Duration. The duration of the data processing under this DPA is for the lifetime of the relationship between parties.
Purpose. The purpose of the data processing under this DPA is to enable the Customer to send SMS as specified in the Service Agreement.
Categories of data subjects: Personal data of individuals provided by the Customer and/or processed by us.
Nature of the Processing: Processing of personal data through our Services.
4. Processing Roles
This DPA governs the collection, use, and processing of end-customers’ Data by Us.
In this regard, the Customer will act as a “Data Controller” and We will act as a “Data Processor”.
5. Description of the Data Processing Activities
You will use our Services to process personal data through our Services.
6. Obligations of the Data Processor
We shall process end-customer Personal Data only in accordance with the instructions received from You, including in accordance with the Agreement.
You can issue Instructions either in writing or via email.
The Customer shall only provide instructions to Us that comply with Applicable Law.
If We reasonably believe that an instruction issued by the Customer would violate any Applicable Data Protection Law, We shall promptly notify the Company.
If We cannot comply with the terms of this DPA for whatever reason, We shall promptly inform the Customer of Our inability to comply.
We hereby warrant that, upon the Customer’s request, We will cooperate with the Customer to enable the Customer to:
(a) comply with reasonable requests of access, rectification, and/or deletion of Personal Data arising from a Data Subject;
(b) enforce rights of Data Subjects under the Applicable Data Protection Law; and/or
(c) comply with all requests from a supervisory authority, including but not limited to in the event of an investigation.
We shall notify the Customer in the event We receive any request, complaint, or communication relating to the Customer’s obligations under Applicable Data Protection Law (including from data protection authorities and supervisory authorities).
7. Obligations of the Data Controller – Compliance with Laws
The Data Controller warrants that it will ensure that its instructions, its use, and any other processing of personal data provided by the Data Processor will comply with all Applicable Data Protection Laws, regulations, and rules applicable to the Data made available by the Company.
The Controller will also ensure that the processing of Personal Data in accordance with its instructions will not cause or result in the Data Processor or Data Controller breaching any laws, rules, or regulations.
The Data Controller warrants that it will use the Data Processor’s services and tracking technology in compliance with the applicable laws and regulations, including obtaining lawful consent as required by the applicable laws. The Data Controller assumes full liability for collecting and processing personal data in compliance with the applicable laws.
8. Notification of Personal Data Breach
In the event of a Personal Data Breach arising during the provision of the Services by the Data Processor, the Data Processor shall:
1. Notify the Customer about the Breach without undue delay, but in no event less than seventy-two (72) hours, after becoming aware of the Personal Data Breach; as part of the notification under Section of this DPA, to the extent reasonably available at the time of notice;
2. Describe the nature of the breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of data records affected, the likely consequences of the Breach, and the risks to affected Data Subjects; promptly update Customer as additional relevant information becomes available;
3. Take all actions as may be required by Applicable Data Protection Law;
4. Maintain records of all information relating to the Breach, including the results of its investigations and authorities’ investigations as well as remedial actions taken.
9. Security Measures
The Data Processor shall take and implement appropriate technical and organizational security and confidentiality measures designed to provide a level of security appropriate to the risk to Personal Data against unauthorized use, modification, loss, compromise, destruction, or disclosure of, or access to, Personal Data.
10. Sub-Processors
The Customer hereby provides the Data Processor with general written authorization to engage Sub-Processors to access and process Personal Data.
The Data Processor will impose contractual obligations on its Sub-Processors, and contractually obligate its Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Personal Data, which provide the same level of data protection for Personal Data in all material respects as the contractual obligations imposed in this DPA.
The Data Processor will notify the Customer at least 7 days in advance (by email and/or notice in the Service) of any changes to the list of Sub-Processors in place.
11. Limitations of Liability
The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
12. Conflict and Termination of this Agreement
In the event of a conflict between this DPA and the Agreement, this DPA will prevail. This DPA shall continue in force until the termination of the Agreement.
13. Governing Law
This DPA shall be governed by and construed in accordance with the Laws of England and Wales. English Courts shall have exclusive jurisdiction to resolve disputes that arise out of or in relation to this DPA.
14. Deletion or return of Company Personal Data
Subject to this section and all applicable laws and regulations, the Processor shall promptly and in any event within 45 business days of the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data. Processor shall provide written certification to Company that it has fully complied with this section within 45 business days of the Cessation Date.
15. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely about Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
16. Audit rights
Subject to this section, the Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Sub-Processors. Information and audit rights of the Customer only arise under this section to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
The Data Controller shall give the Processor reasonable prior written notice of any audit or inspection to be conducted under this Section and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing any damage, injury, or disruption to the Data Processor.
The Data Controller and the Data Processor shall mutually agree upon the scope, timing, and duration of the audit or inspection and any reimbursement of expenses for which the Data Controller shall be responsible.
The scope of audit rights does not extend to physical premises where the Customer Data is processed.
17. Confidentiality
Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
The Data Processor shall ensure that any personnel whom it authorizes to Process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) concerning that Personal Data.
18. International Data Transfers
The Customer hereby authorises the Data Processor to make international data transfers of Personal Data in accordance with this DPA so long as Applicable Privacy Laws for such transfers are respected.
- Transfers out of the UK
The UK Data Transfer Addendum issued by the UK ICO applies to a transfer from the United Kingdom of Personal Data Processed under this DPA between you and us and is incorporated into this DPA. You agree that the UK Data Transfer Addendum is completed and supplemented as follows:
(a) You are the data exporter and We are the data importer;
(b) Table 1 of the UK Data Transfer Addendum is deemed to be populated with the information set out in Annex IA of Exhibit 2 of this DPA;
(c) for Table 2 of the UK Data Transfer Addendum, the version of the “Approved EU SCCs” (including the appendix information, modules, and selected clauses) appended to the UK Data Transfer Addendum is the EEA SCCs:
(d) the optional docking clause under Clause 7 of the EEA SCCs will not apply;
(e) option 2 under Clause 9 of the EEA SCCs applies and You generally authorize Us to engage Sub-processors according to Section 11 of this DPA;
(f) the optional redress language under Clause 11(a) of the EEA SCCs will not apply;
(g) Table 3 of the UK Data Transfer Addendum is deemed to be populated with the information set out in Annexes 1 and 2 of this DPA;
(h) The “importer” and “exporter” option applies for Table 4 of the UK Data Transfer Addendum;
(i) under Part 2, the mandatory clauses of the UK Data Transfer Addendum will apply; and
(j) By registering for and using our services, you will be deemed to have signed the UK Data Transfer Addendum.
- Transfers out of Switzerland
Concerning Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of the supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.
- Transfers out of the EEA
Concerning Personal Data transferred from the European Economic Area, the New EU SCCs issued by the EU Commission on 04.06.2021 are hereby incorporated by reference and shall apply, and take precedence over the rest of this DPA as set forth in the New EU SCCs. Module Three of the New EU SCCs, populated with Annex I, II, and III below, shall apply:
(i) In Clause 7, the optional docking clause will not apply;
(ii) Option 2 under Clause 9 of the EEA SCCs applies and we generally authorize you to engage Sub-processors according to Section 11 of this DPA;
(iii) in Clause 11, the optional language is deleted;
(iv) In Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined by the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles);
(v) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and
(viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
ANNEX I
A. LIST OF PARTIES
Data exporter:
Name: Name of Customer / Data Controller who enters into a Service Agreement with Us.
Address: Business address of the Customer
Contact person’s name, position, and contact details: Contact details are provided when the Customer registers on our platform.
Activities relevant to the data transferred under these Clauses: provision of Data Processor’s Services.
Signature and date:
The data exporter will be deemed to have signed this Annex I on the transfer of Personal Data in connection with the Services.
Data importer
Name: Data Processor as specified in this DPA.
Address: As specified in this DPA.
Contact person’s name, position, and contact details: Contact details are specified in this DPA.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter following this DPA.
Signature and date:
The data importer will be deemed to have signed Annex I on the transfer of Personal Data in connection with the Services.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data subjects are individuals whose personal data are processed in the context of the provision of the Data Processor’s Services.
Categories of personal data transferred
Phone number, carrier, content of text messages.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Customer Personal Data may be transferred on a continuous basis until it is deleted in accordance with the DPA.
Nature of the processing
Collection, processing, storage, and transfer of personal data.
Purpose(s) of the data transfer and further processing
Provision of Services as specified in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the DPA.
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing
As above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The Irish Supervisory Authority – The Data Protection Commission, unless the data exporter notifies the data importer of an alternative competent supervisory authority.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
SSL Encryption
Two-factor authentication
Access control policy
Access logs
Confidentiality agreement with all staff
Data retention policy
Robust backup systems
Firewall
ANNEX III
LIST OF SUB-PROCESSORS
To view the most up-to-date list, please visit: https://textgrid.com/subprocessors/
SIGNATURES
Data Controller | Data processor |
Business Name: Name of the customer who signs up for our services | Business name: As specified above. |
Authorized individual: An individual who fills out the sign-up form on our website on behalf of the Data Controller | Authorised individual: As specified above. |
Business Address: Registered address of the Data Controller that signs up for our services | Business Address: As specified above |
The Data Controller agrees to the execution of this Agreement in its entirety. | The Data processor agrees to the execution of this Agreement in its entirety. |