SmartBear Data Processing Addendum
(Worldwide (includes GDPR and CCPA))
Capitalized terms used but not defined have the meaning given in the Agreement. Other terms in this Addendum, which are not defined in the Agreement or this Addendum, shall have meanings consistent with any corresponding terms in Data Protection Law.
a. “Data Protection Law” means any applicable law relating to data security, data protection and/or privacy including, without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of that data (“EU GDPR”), Retained Regulation (EU) 2016/679 (the “UK GDPR”, and together with the EU GDPR, the “GDPR”)) and the UK Data Protection Act of 2018, and the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et. seq.) (“CCPA”), and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted.
b. “Personal Data” means any information relating to, that describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable natural person (“Data Subject”), and which is Processed by SmartBear on behalf of Customer pursuant to the Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
c. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
d. “Process”, “Processing” or “Processed” means any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
e. “Services” means the provision of SmartBear products and services as set forth in the Agreement.
f. “Standard Contractual Clauses” means, with respect to (i) the UK GDPR, the standard contractual clauses (controller to processor module) set out in the European Commission’s Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as modified by the UK Addendum to the EU standard contractual clauses (effective 21 March 2022), and (ii) the EU GDPR, the standard contractual clauses (controller to processor module) set out in the European Commission’s Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament as may be amended or replaced by the European Commission from time to time.
g. “Subprocessor” means any third party which Processes Personal Data on behalf of SmartBear.
3. Scope; Role of the Parties
a. This Addendum applies only to the extent Personal Data subject to Data Protection Laws is Processed by SmartBear. The Parties acknowledge and agree that for purposes of the GDPR, with regard to the Processing of Personal Data, (i) Customer is the Data Controller, (ii) SmartBear is a Data Processor, and (iii) SmartBear may engage Subprocessors pursuant to the requirements set forth in Section 5 below. Further details of the Processing activities under this Addendum are set forth in Schedule 1.
b. Customer represents and warrants that it has a legal basis for Processing Personal Data, and the authority and right, including consent where required, to lawfully transfer Personal Data to SmartBear. Customer shall comply with all applicable Data Protection Laws in connection with the Personal Data, including without limitation in connection with providing all required notices, and obtaining all required consents, regarding the Processing and transfer of Personal Data. Customer acknowledges and agrees that the Services are designed to be for content-neutral, general use and are not designed to Process sensitive or special category data.
4. Obligations of SmartBear
a. Limitations on Use; Instructions. SmartBear shall, and shall require that Subprocessors shall, Process Personal Data only: (i) on behalf of Customer and in accordance with Customer’s documented instructions (which shall, for purposes of this DPA, constitute the instruction to Process Personal Data for purposes of performing the Services in accordance with the Agreement, or such other instructions as may be agreed in writing between the Parties), including with regard to transfers of Personal Data to a third country or an international organization; (ii) when required to do so by applicable law to which SmartBear is subject. In such case, SmartBear will inform Customer of that legal requirement before processing, unless prohibited by applicable law; and (iii) in compliance with this Addendum and all applicable Data Protection Law.
b. Security. SmartBear has implemented and will maintain commercially reasonable technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Having regard to the state of the art and the cost of their implementation, SmartBear agrees that such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of Personal Data to be protected. SmartBear may update the technical and organizational measures from time to time in light of technical development.
c. Confidentiality. SmartBear will treat all Personal Data as confidential information in accordance with the Agreement. SmartBear will take reasonable steps to ensure that its personnel who have access to the Personal Data are obligated to keep such Personal Data confidential.
d. Notice of Certain Events. SmartBear will promptly notify Customer about: (i) any instruction which, in its opinion, infringes Data Protection Law; (ii) any complaint, communication or request received directly by SmartBear or a Subprocessor from a Data Subject and pertaining to their Personal Data, or from a regulatory authority in connection with the Personal Data, in each case without responding to that request unless it has been otherwise instructed and authorized to do so by Customer or is required to do so by applicable law; or (iii) any change in legislation applicable to SmartBear or a Subprocessor which is likely to have a substantial adverse effect on SmartBear’s ability to comply with its obligations under this Addendum.
e. Breach Response. SmartBear shall notify Customer without undue delay after becoming aware of a Personal Data Breach, and SmartBear shall take reasonable steps to prevent any further Personal Data Breach and to mitigate any resulting damage to Personal Data resulting from the same. SmartBear shall take appropriate steps to provide Customer with prompt cooperation and assistance in relation to any notifications that Customer is required to make as a result of the Personal Data Breach. Further, upon written request, SmartBear shall provide Customer with reasonable assistance in relation to any data protection impact assessment or regulatory consultation that Customer is legally required to make in respect of Personal Data.
f. Data Subject/Supervisory Authority Request. SmartBear will provide Customer with reasonable cooperation and assistance in relation to any complaint, communication or request received from a Data Subject or a data protection supervisory authority. Notwithstanding any provision herein to the contrary, the SmartBear’s obligations as set forth in this Section shall apply only to the extent Customer does not have the ability to access the required information directly through the applicable SmartBear service.
g. Audit and Certifications. To the extent required by applicable Data Protection Laws, and upon Customer’s reasonable written request (not less than 120 days in advance) and at mutually agreed upon times no more than once in any 12 month period, and subject to the confidentiality obligations set forth in the Agreement, SmartBear shall make available to Customer reasonable written information, in the form of access to SmartBear’s books and records, regarding SmartBear’s compliance with the obligations set forth in this Addendum. Customer shall use its best efforts to minimize disruption to SmartBear and its business operations.
h. Return or Disposal. The Parties agree that upon termination of the Services in so far as they relate to Personal Data, SmartBear shall, and shall require all Subprocessors to, at the choice of Customer, return all Personal Data and copies thereof to Customer, or securely destroy all Personal Data and certify to Customer that they have done so, unless prohibited by applicable law.
a. Customer hereby generally authorizes SmartBear to appoint Subprocessors for purposes of Processing Personal Data pursuant to the Agreement.
b. Upon Customer’s request, or as otherwise required by applicable Data Protection Laws, SmartBear shall make available information about Subprocessors which, to SmartBear’s actual knowledge, will Process Personal Data. This information may be made available by SmartBear online via a URL provided by SmartBear to Customer and shall be updated by SmartBear from time to time.
c. SmartBear will inform Customer of any new Subprocessor which, to SmartBear’s actual knowledge, will be Processing Personal Data and is engaged during the term of the Agreement, including by updating the URL or Customer portal or account information or by emailing Customer before the new Subprocessor commences Processing of Personal Data. If Customer can reasonably show that the appointment of a new Subprocessor will have a material adverse effect on Customer’s ability to comply with applicable Data Protection Laws, then Customer must promptly notify SmartBear in writing within fifteen (15) business days thereafter of its reasonable basis for objection to the use of the applicable new Subprocessor. Upon receipt of Customer’s written objection, Customer and SmartBear will work together without unreasonable delay to agree upon an alternative arrangement. If a mutually acceptable and reasonable alternative arrangement is not found,, then Customer may terminate the Agreement only with respect to those Services that cannot be provided by SmartBear without the use of the new Subprocessor. Unless prohibited by applicable Data Protection Laws, in the event of such early termination by Customer, SmartBear may retain or require payment under the Agreement through the end of Customer’s current contract term for the terminated Services.
d. In the event SmartBear engages Sub-Processors in connection with the Services, SmartBear shall place the same or similar obligations as those in this Addendum on such Sub-Processors or other obligations required by applicable Data Protection Law, and shall remain fully liable to Customer for the acts or omissions of such Sub-Processors, as if they were the acts or omissions of SmartBear.
6. International Transfers of Personal Data.
Any transfers (whether between Customer and SmartBear, or SmartBear and a Sub-Processor) of Personal Data protected by the GDPR, and/or the UK GDPR, to a country outside the European Economic Area (“EEA”) or United Kingdom ("UK") that does not offer adequate protection for such Personal Data, shall be subject to the applicable Standard Contractual Clauses, which are incorporated herein by reference. In the event of inconsistencies between the provisions of the Standard Contractual Clauses and this Addendum or other agreements between the Parties, the Standard Contractual Clauses shall take precedence, but only with respect to Personal Data transferred outside of the EEA or UK. The information set forth in Schedule 1 constitutes the information required to be included in the schedules and appendices to the Standard Contractual Clauses, and the Parties’ signatures to this Addendum are deemed to also constitute signature of the Standard Contractual Clauses to the extent the same may be required to be separately executed.
7. CCPA Compliance
To the extent applicable and pursuant to the CCPA, with respect to “personal information” as defined by the CCPA which SmartBear may Process in connection with its performance of the Services, SmartBear agrees and certifies that it will not:
a. Sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, such personal information to another business or a third party for monetary or other valuable consideration; or
b. Retain, use, disclose, collect, sell, use, or otherwise process such personal information (i) for any purpose other than for the specific purpose of, and as necessary for, performing Services for Customer pursuant to the Agreement, or (ii) as otherwise permitted by the CCPA.
SmartBear further agrees to cooperate and assist Customer in fulfilling and complying with any consumer rights request pursuant to the CCPA.
8. Legal Requests
Unless prohibited by applicable law, in the event that SmartBear is required by law, court order, warrant, subpoena, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Customer (including, without limitation, pursuant to any US government surveillance order of which SmartBear is aware), SmartBear shall notify Customer promptly and shall provide all reasonable assistance to Customer, at Customer’s cost, to enable Customer to respond or object to, or challenge, any such Legal Requests. SmartBear shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so under applicable law and has otherwise complied with the obligations in this Section.
The Parties acknowledge and agree that the limitations and exclusions of liability set forth in the Agreement shall also apply with respect to this Addendum.
Upon termination of the Agreement, SmartBear’s relevant obligations under this Addendum shall survive to the extent SmartBear continues to Process Personal Data. To the extent a conflict exists between this Addendum and the Agreement, the terms of this Addendum shall prevail.
Details of the Processing of Personal Data
1. The nature and purpose of the Processing:
SmartBear’s performance of its Services under the Agreement.
2. The duration of the Processing:
The duration of the Processing is for so long as SmartBear performs the Services for Customer, or Processes Personal Data received from Customer, or in the context of providing the Services under the Agreement.
3. The types of personal data:
Personal Data Processed relating to the following categories of data: all categories of data related to the Processing associated with the Services provided by SmartBear for or on behalf of Customer. Personal Data Processed does not include special categories of Personal Data.
4. The categories of data subjects:
Personal Data Processed relating to the following categories of Data Subjects: Employees and other personnel of Customer.
5. Processing Instructions:
Personal Data Processed shall be subject to the following Processing activities in addition to any activities set forth the Agreement: Processing by SmartBear (or Sub-Processors) related to the provision of the Services to Customer, in accordance with the terms and conditions of this Addendum and the Agreement.
6. Obligations and Rights Of Customer:
The obligations and rights of Customer are set forth in the Agreement and this Addendum.
7. Technical and Organizational Measures:
SmartBear implements and maintains industry standard technical and organizational measures to protect the security of Personal Data that it processes in connection with its Services. Such measures include, as appropriate to the nature of the Personal Data processed, but are not limited, to:
- Firewall protections
- Access controls
- Protections against viruses and malware
- Implementation of security settings
- Implementation of updates to fix bugs and security vulnerabilities
- Regular data backups
This Data Processing Addendum was last updated on May 17, 2022.