This Data Protection Addendum (“Addendum”) supplements the agreement between Customer and CallTrackingMetrics into which it is incorporated by reference (“Agreement”).
“Applicable Data Protection Law” refers to all laws and regulations applicable to CallTrackingMetrics’s processing of personal data under the Agreement including, without limitation, the General Data Protection Regulation (EU 2016/679) (“GDPR”).
“controller”, “processor”, “data subject”, “personal data”, and “processing” (and “process”) have the meanings given in accordance with Applicable Data Protection Law.
“Customer Account Information” means personal data that relates to Customer’s relationship with CallTrackingMetrics, including the names and/or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Customer Account Information also includes any data CallTrackingMetrics may need to collect for the purpose of identity verification, or as part of its legal obligation to retain subscriber records.
“Customer Content” means (a) personal data exchanged by means of use of the Services, such as text, message bodies, voice and video media, images, email bodies, email recipients, and sound, and (b) data stored on Customer’s behalf such as communication logs within the Services or marketing campaign data Customer has uploaded to the SendGrid Services.
“Customer Data” has the meaning given in the Agreement. Customer Data includes Customer Account Data, Customer Usage Data, Customer Content, and Sensitive Data, as defined in this Addendum.
“Customer Usage Data” means data processed by CallTrackingMetrics for the purposes of transmitting or exchanging Customer Content, including data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication and (b) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse.
“Privacy Policies” means the then-current privacy policies for the Services available at https://www.calltrackingmetrics.com/legal/privacy/
“Security Controls” means the terms set forth in the Agreement outlining CallTrackingMetrics’s technical and organizational measures to protect Customer Data, or, if the Agreement has no such terms, then the CallTrackingMetrics Security Overview available at https://www.calltrackingmetrics.com/security/
“Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
“Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law relating to privacy and data protection.
“Services” means the products and services provided under a CallTrackingMetrics account.
Any capitalized term used but not defined in this Addendum has the meaning provided to it in the Agreement.
II. Controller and Processor
2. Relationship of the Parties.
2.1 CallTrackingMetrics as a Processor. The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and CallTrackingMetrics is a processor.
2.2 CallTrackingMetrics as a Controller of Customer Account Information. The parties acknowledge that, with regard to the processing of Customer Account Information, Customer may be a controller and CallTrackingMetrics is an independent controller, not a joint controller with Customer.
2.3 CallTrackingMetrics as a Controller of Customer Usage Information. The parties acknowledge that, with regard to the processing of Customer Usage Information, Customer may act either as a controller or processor and CallTrackingMetrics is an independent controller, not a joint controller with Customer.
3. Purpose Limitation. CallTrackingMetrics will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 further specifies the nature and purpose of the processing, and the types of personal data and categories of data subjects.
4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, the personal data to CallTrackingMetrics for processing in accordance with the terms of the Agreement and this Addendum.
III. CallTrackingMetrics as a Processor – Processing Customer Content
5. Customer Instructions. Customer appoints CallTrackingMetrics as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits and abuse); (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing by the parties (“Permitted Purposes”).
5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that CallTrackingMetrics is not responsible for determining which laws are applicable to Customer’s business nor whether CallTrackingMetrics’ provision of the Services meets or will meet the requirements of such laws. Customer will ensure that CallTrackingMetrics’s processing of Customer Content, when done in accordance with Customer’s instructions, will not cause CallTrackingMetrics to violate any applicable law, regulation, or rule, including Applicable Data Protection Law. CallTrackingMetrics will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law.
5.2 Additional Instructions. Additional instructions outside the scope of the Agreement, an Order Form, or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to CallTrackingMetrics for carrying out those instructions.
6.1 Responding to Third Party Requests. In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory authority, or third party is made directly to CallTrackingMetrics in connection with CallTrackingMetrics’s processing of Customer Content, CallTrackingMetrics will promptly inform Customer and provide details of the same, to the extent legally permitted. Unless legally obligated to do so, CallTrackingMetrics will not respond to any such request, inquiry, or complaint without Customer’s prior consent except to confirm that the request relates to Customer.
6.2 Confidentiality Obligations of CallTrackingMetrics Personnel. CallTrackingMetrics will ensure that any person it authorizes to process the Customer Content has agreed to protect personal data in accordance with CallTrackingMetrics’s confidentiality obligations under the Agreement.
7.1 Sub-processors. Customer agrees that CallTrackingMetrics may use sub-processors to fulfill its contractual obligations under the Agreement. Where CallTrackingMetrics authorizes any sub-processor as described in this Section 7, CallTrackingMetrics agrees to impose data protection terms on any sub-processor it appoints that require it to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
7.2 General Consent for Onward Sub-processing. Customer provides a general consent for CallTrackingMetrics to engage onward sub-processors, conditional on the following requirements:
(a) Any onward sub-processor must agree in writing to only process data in a country that the European Commission has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses, or pursuant to a Binding Corporate Rules approval granted by competent European data protection authorities; and
(b) CallTrackingMetrics will restrict the onward sub-processor’s access to personal data only to what is strictly necessary to provide the Services, and CallTrackingMetrics will prohibit the sub-processor from processing the personal data for any other purpose.
7.3 Current Sub-processors and Notification of New Sub-processors. Customer consents to CallTrackingMetrics engaging additional third party sub-processors to process Customer Content within the Services for the Permitted Purposes provided that CallTrackingMetrics maintains an up-to-date list of its sub-processors at https://www.calltrackingmetrics.com/legal/subprocessors/, which contains a mechanism for Customer to subscribe to notifications of new sub-processors. If Customer subscribes to such notifications, CallTrackingMetrics will provide details of any change in sub-processors as soon as reasonably practicable.
7.4 Objection Right for new Sub-processors. Customer may object to CallTrackingMetrics’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days, Customer may suspend or terminate the affected service in accordance with the termination provisions of the Agreement. Such termination will be without prejudice to any fees incurred by Customer prior to suspension or termination. If no objection has been raised prior to CallTrackingMetrics replacing or appointing a new sub-processor, CallTrackingMetrics will deem Customer to have authorized the new sub-processor.
7.5 Sub-processor Liability. CallTrackingMetrics will remain liable for any breach of this Addendum that is caused by an act, error or omission of its sub-processors.
8. Data Subject Rights.
8.1 CallTrackingMetrics Services. As part of the CallTrackingMetrics Services, CallTrackingMetrics provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict use of Customer Content, which may be used by Customer to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the CallTrackingMetrics Services at no additional cost. In addition, upon Customer’s request, CallTrackingMetrics will provide reasonable additional and timely assistance (at Customer’s expense only if complying with the Customer’s request will require CallTrackingMetrics to assign significant resources to that effort) to assist Customer in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.
9. Impact Assessments and Consultations. CallTrackingMetrics will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require CallTrackingMetrics to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
10. Return or Deletion of Customer Content. CallTrackingMetrics will delete or return to Customer any Customer Content stored in the Services no more than 60 days after their Account is Cancelled.
10.1 Extension of Addendum. Upon termination of the Agreement, CallTrackingMetrics may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing), provided that CallTrackingMetrics will ensure that Customer Content is processed only as necessary for the Permitted Purposes, and Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, CallTrackingMetrics may retain Customer Content or any portion of it if required by applicable law, provided that it remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
IV. Security and Audits
11.1 Security Measures. CallTrackingMetrics has implemented and will maintain the technical and organizational measures set out in the Security Controls to protect personal data from a Security Incident. Additional information about the technical and organizational security measures involving the CallTrackingMetrics Services is described at https://www.calltrackingmetrics.com/security/.
11.2 Determination of Security Requirements. Customer acknowledges that the Services include certain features and functionalities that Customer may elect to use that impact the security of the data processed by Customer’s use of the Services, such as, but not limited to, encryption of voice recordings and availability of multi-factor authentication on Customer’s Services account. Customer is responsible for reviewing the information CallTrackingMetrics makes available regarding its data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by CallTrackingMetrics to maintain appropriate security in light of the nature of the data processed by Customer’s use of the Services.
11.3 Security Incident Notification. CallTrackingMetrics will provide notification of a Security Incident in the following manner:
- CallTrackingMetrics will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after, CallTrackingMetrics’s confirmation or reasonable suspicion of a Security Incident impacting Customer Data of which CallTrackingMetrics is a processor;
- CallTrackingMetrics will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which CallTrackingMetrics is a controller; and
- CallTrackingMetrics will notify the email address of the Customer’s account owner.
CallTrackingMetrics will make reasonable efforts to identify and, to the extent such Security Incident is caused by a violation of the requirements of this Addendum by CallTrackingMetrics, remediate the cause of such Security Incident. CallTrackingMetrics will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.
12. Audits. The parties acknowledge that Customer must be able to assess CallTrackingMetrics’s compliance with its obligations under Applicable Data Protection Law and this Addendum, in so far as CallTrackingMetrics is acting as a processor on behalf of Customer. CallTrackingMetrics will permit Customer, following a Personal Data Breach, and on at least 5 days’ prior notice, to inspect and audit the facilities used by CallTrackingMetrics for the processing of Customer Personal Data, subject to Customer bearing CallTrackingMetrics’ reasonable costs.
V. International Provisions
13. International Transfers: Customer expressly acknowledges that CallTrackingMetrics’ processing facilities are located in the United States of America. To ensure compliance under the Data Protection Laws, Customer (as “data exporter”) and CallTrackingMetrics (as “data importer”), with effect from the commencement of the relevant transfer, hereby enter into the Standard Contractual Clauses in respect of any transfer from Customer to CallTrackingMetrics (or onward transfer) where such transfer would otherwise be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address Data Protection Laws).
13.1 Appendix 1 to the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Annex 1 to these Terms and the processing operations are deemed to be those described in these Terms.
13.2 Appendix 2 to the Standard Contractual Clauses shall be deemed to be pre-populated with the following: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood for the rights and freedoms of natural persons, CallTrackingMetrics shall implement appropriate technical and organizational measures as set forth in these Terms.”
14. Where the CCPA applies, if CallTrackingMetrics receives any Personal Information (as such term is defined by the CCPA) from or on behalf of Customer, then:
14.1 CallTrackingMetrics will only process such Personal Information for the purpose of CallTrackingMetrics providing the Services;
14.2 CallTrackingMetrics will not retain, use, or disclose such Personal Information: (i) for any purpose other than to perform the Services or (ii) outside of the direct business relationship between Customer and CallTrackingMetrics;
14.3 CallTrackingMetrics will not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate such Personal Information to any third party for monetary or other valuable consideration; and
14.4 CallTrackingMetrics certifies that it understands the restrictions on CallTrackingMetrics’ processing such Personal Information as set forth in this section.
CallTrackingMetrics may disclose Personal Information to CallTrackingMetrics’ service providers in connection with such service providers providing services to CallTrackingMetrics; and CallTrackingMetrics may permit such service providers to process Personal Information as necessary for CallTrackingMetrics to provide the Services to Customer.
15. Use of Aggregated Data: Customer acknowledges that CallTrackingMetrics collects and uses data from across its customer base in order to improve its products and services for its customers, and to carry out related research. CallTrackingMetrics takes steps to aggregate or otherwise de-identify any Customer data used for these purposes, and therefore does not knowingly process any personal data. However, to the extent that any such data is held to be personal data (or the equivalent term) in a particular jurisdiction, CallTrackingMetrics shall be the Controller (or the equivalent term) for the purposes of the applicable laws.
16. Cooperation and Data Subject Rights. In the event that either party receives: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator or other third party, (collectively, “Correspondence”) then, where such Correspondence relates to processing of Customer Account Data or Customer Usage Data conducted by the other party, it will promptly inform such other party and the parties agree to cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Applicable Data Protection Law.
17. Sensitive Data. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process any Sensitive Data via the Services.
18. Notification Cooperation. Customer acknowledges that CallTrackingMetrics, as a controller, may be required by Applicable Data Protection Law to notify the regulatory authority of Security Incidents involving Customer Usage Data. If the regulatory authority requires CallTrackingMetrics to notify impacted data subjects with whom CallTrackingMetrics does not have a direct relationship (e.g., Customer’s end users), CallTrackingMetrics will notify Customer of this requirement. Customer will provide reasonable assistance to CallTrackingMetrics to notify the impacted data subjects.
19. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
21. Failure to Perform. In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the Parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement in accordance with the Agreement’s termination provisions.
22. Updates. CallTrackingMetrics may update the terms of this Addendum from time to time; provided, however, CallTrackingMetrics will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.
Details of Processing
1. Nature and Purpose of the Processing. CallTrackingMetrics will process personal data as necessary to provide the Services under the Agreement. CallTrackingMetrics does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.
1.1 Customer Content. CallTrackingMetrics will process Customer Content in accordance with Section 5 (Customer Instructions) of this Addendum.
1.2 Customer Account Data. CallTrackingMetrics will process Customer Account Data as a controller (a) in order to manage the relationship with Customer; (b) carry out CallTrackingMetrics’s core business operations, such as accounting and filing taxes; and (c) in order to detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of the Services.
1.3 Customer Usage Data. CallTrackingMetrics will process Customer Usage Data as a controller in order to carry out the necessary functions as a communications service provider, such as: (a) CallTrackingMetrics’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Services and platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; and/or (d) as required by applicable law.
Duration of the Processing
2.1 Customer Content.
2.1.1 Prior to the termination of the Agreement, CallTrackingMetrics will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the CallTrackingMetrics Services. Prior to the termination of the Agreement, Customer agrees that it is solely responsible for deleting Customer Content via the CallTrackingMetrics Services.
2.1.2 Upon termination of the Agreement, CallTrackingMetrics will (i) provide Customer thirty (60) days after the termination effective date to obtain a copy of any stored Customer Content via the CallTrackingMetrics Services; (ii) automatically delete any stored Customer Content thirty (60) days after the termination effective date; and (iii) automatically delete any stored Customer Content on CallTrackingMetrics’s back-up systems sixty (90) days after the termination effective date. Any Customer Content archived on CallTrackingMetrics’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law.
3 Customer Usage Data. Upon termination of the Agreement, CallTrackingMetrics may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. CallTrackingMetrics will anonymize or delete Customer Usage Data when CallTrackingMetrics no longer requires it for the purposes set forth in Section 1.3 of this Schedule 1.
ANNEX 1: DESCRIPTION OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex includes certain details of the Processing of the Customer Personal Data as required by Article 28(3) of the GDPR.
- Subject matter and duration of the Processing of the Customer Personal Data: The subject matter and duration of the Processing of the Personal Data are set out in the Terms.
- The nature and purpose of the Processing of the Customer Personal Data: CallTrackingMetrics is engaged to provide the Services to Customer which involve the Processing of Customer Personal Data. The scope of the Services is set out in the Terms, and the Customer Personal Data will be Processed by CallTrackingMetrics to deliver those Services and to comply with the Terms.
- The types of the Customer Personal Data to be Processed: Any personal data introduced by Customer, or Customer’s users, onto the CallTrackingMetrics platform, including (by way of example) names, telephone numbers, contents of telephone conversations.
- The categories of Data Subject to whom the Personal Data relates: Customer’s employees or users, or the customers or employees of Customer’s users.
- The obligations and rights of Customer: The obligations and rights of Customer are set out in these Terms.