SmartBear Data Processing Addendum
Last Updated: January 14, 2020
1.1 In this Data Processing Addendum, the following terms shall have the meanings set out below:
1.1.1 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union (“EU” or “Union”) or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Data Processing Addendum, Company shall be considered the Controller, except to the extent that SmartBear Processes as a Controller anonymized, de-identified, or otherwise obfuscated information, data, including metadata and aggregated data, for research and analytics and to support and improve the Services or Software in accordance with the Data Protection Laws and Regulations.
1.1.2 “Data Protection Laws and Regulations” means laws and regulations applicable to the Processing of Personal Data under the Agreement, including applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, including without limitation Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC on Privacy and Electronic Communications (“e-Privacy Directive”) or the superseding Regulation on Privacy and Electronic Communications (“e-Privacy Regulation”), once effective, and the California Consumer Privacy Act of 2018 (“CCPA”).
1.1.3 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.1.4 “Personal Data” means any personal information regulated by applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality, and/or security of such personal information, as defined by the applicable Data Protection Laws and Regulations. Unless otherwise specified by applicable law, hashed, anonymized, encrypted or otherwise obfuscated or de-identified IP addresses and email addresses, device IDs, or machine IDs, or other similarly obfuscated data, and city, regional or country level geo-location information, shall not be deemed to be Personal Data under this Data Processing Addendum.
1.1.5 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.1.6 “Process” “Processed” or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.1.7 “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. For the purposes of this Agreement, SmartBear shall be considered a Processor for Data of the Company (except as to aggregated, hashed, anonymized, encrypted or otherwise obfuscated or de-identified data that SmartBear uses to monitor the use and performance of the Services or Software, or for analytics, in which case SmartBear shall be a Controller).
1.1.8 “Sensitive Personal Data” means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
1.1.9 “Subprocessor” means any Processor engaged by SmartBear in the provision of the SmartBear Services or Software to Company.
2. Protection of Personal Data
2.1 Processing by SmartBear: Company authorizes SmartBear to process the required Personal Data for providing the SmartBear Services or Software pursuant to the Agreement. The Parties expressly agree and stipulate that the Agreement, including applicable Orders, Service Level Agreements, or equivalent documents, shall constitute the Company’s written instructions to SmartBear. SmartBear shall Process Personal Data of Company to perform SmartBear’s obligations and as otherwise permitted under the Agreement and Data Protection Laws and Regulations. SmartBear shall not collect, retain, use, sell, disclose, or otherwise make available Personal Data, except as necessary to carry out its responsibilities pursuant to the Agreement or as required by the Data Protection Laws and Regulations. SmartBear shall not collect, retain, use, disclose, sell, or otherwise make available Personal Data for SmartBear’s own commercial purposes or in a way that does not comply with the Data Protection Laws and Regulations.
Notwithstanding the foregoing, SmartBear may use Personal Data for testing, research, analytics, and product development, including to develop and improve SmartBear’s Website, products, and services. SmartBear certifies that it understands this Agreement’s restrictions and prohibitions, as applicable, on selling personal information and retaining, using, or disclosing personal information outside of the parties’ direct business relationship, and it will comply with them as required by applicable law. SmartBear may aggregate, deidentify, or anonymize personal information, so it no longer meets the definition of Personal Data, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes as permitted by law. Notwithstanding the foregoing, SmartBear may process Personal Data of Company if required to do so by applicable law, in which case, SmartBear will inform Company of such legal requirement before processing unless otherwise prohibited by law.
2.2 Company Obligations: Company represents and warrants that Company has a legal basis for processing, and the authority and right, including consent where required, to lawfully transfer to SmartBear, all Personal Data, including Sensitive Personal Data, if any, and any other data or information related to Company’s access or use of the SmartBear Services or Software. Company shall comply with all applicable Data Protection Laws and Regulations, including: (i) providing all required notices and appropriate disclosures to all Data Subjects regarding Company’s, SmartBear’s, and any third parties acting on Company’s behalf, collection, use, Processing and transfer of Personal Data; (ii) obtaining all necessary rights and enforceable consents from the Data Subjects to permit Processing by SmartBear of Personal Data for the purposes of fulfilling SmartBear’s obligations, or as otherwise permitted, under the Agreement; and (iii) obtaining express consents from Data Subjects and complying with all applicable Data Protection Laws and Regulations, including GDPR Article 9, if the Company collects or transfers any Sensitive Personal Data. Company acknowledges that the SmartBear Services and Software are designed for content-neutral, general use and are not designed to collect Sensitive Personal Data.
2.3 European Data: If Personal Data is transferred under the Agreement from the EU, European Economic Area, or Switzerland by Company as Controller to SmartBear as Processor, or otherwise by SmartBear as Processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, has determined does not ensure an adequate level of protection of Personal Data, then SmartBear will subscribe to an appropriate legal instrument for the international transfer of data (such as the EU-U.S. Privacy Shield Framework) or take such other measures as may be required under applicable Data Protection Laws and Regulations.
2.4.1 Consent to Subprocessors: Company acknowledges and agrees that SmartBear may engage Subprocessors worldwide in connection with the provision of the SmartBear Services or Software. However, personnel of SmartBear, whether employees or contractors, shall not be deemed to be “Subprocessors” for purposes of the following subsections in this Agreement (2.4.2 and subsequent sections).
2.4.2 Use of Subprocessors: Upon Company’s request or as otherwise required by applicable Data Protection Laws and Regulations, SmartBear shall make available information about Subprocessors who, to SmartBear’s actual knowledge, will Process Personal Data of Company, including their functions relevant to the performance of SmartBear Services or Software and locations. This information may be made available by SmartBear online at a URL provided by SmartBear to Company and may be updated by SmartBear from time to time.
2.4.3 Engagement of Subprocessors: When engaging any new Subprocessor, SmartBear will enter into a written agreement with each Subprocessor containing data protection obligations no less protective than those in this Data Processing Addendum or as may otherwise be required by applicable Data Protection Laws and Regulations. SmartBear shall remain fully liable to Company for the performance of any Subprocessor’s data protection obligations in relation to the Services or Software. For the avoidance of doubt, SmartBear may continue to use those Subprocessors already engaged by SmartBear as at the date of this Agreement.
2.4.4 Opportunity to Object: SmartBear will inform Company of any new Subprocessor who, to SmartBear’s actual knowledge, will be Processing Personal Data of Company and who is engaged during the term of the Agreement, including by updating the URL or Customer portal or account information or by emailing Company before the new Subprocessor processes Personal Data and thereby give Company a reasonable opportunity to object to such changes. If Company can reasonably show that the appointment of a new Subprocessor will have a material adverse effect on SmartBear’s ability to comply with applicable Data Protection Laws and Regulations, then Company must promptly notify SmartBear in writing within fifteen (15) business days thereafter of its reasonable basis for objection to the use of a new Subprocessor. Upon receipt of Company’s written objection, Company and SmartBear will work together without unreasonable delay to recommend an alternative arrangement. If the following conditions apply: a) a mutually acceptable and reasonable alternative arrangement is not found; b) Company has a termination right under applicable Data Protection Laws and Regulations, and c) Company has provided prompt written notice under this Section, then Company may terminate the Service Agreement only with respect to those services that cannot be provided by SmartBear without the use of the new Subprocessor. Unless prohibited by applicable Data Protection Laws and Regulations, in the event of such early termination by Company, SmartBear can retain or require payment for Services or Software through the end of Company’s current contract term for the terminated services.
2.5 Children; Sensitive Data: Company is responsible for compliance with all applicable Data Protection Laws and Regulations regarding its content, including without limitation those that regulate content directed toward children (as defined under applicable Data Protection Laws and Regulations; for example, under 13 years old in the United States or under 16 years old in certain other countries in accordance with applicable laws).
3. Data Integrity
3.1 To the extent Company does not have the ability to access Personal Data to correct, amend, delete it, refrain from Processing it, or provide it in portable form, upon request from a Data Subject (to the extent that such Data Subject is entitled to such rights under applicable Data Protection Laws and Regulations) in connection with the SmartBear Service, SmartBear will assist Company with any reasonable request to do so. If a Data Subject should apply directly to SmartBear to request access to, correction or deletion of Personal Data in connection with the Services or Software provided to Company by SmartBear, SmartBear will promptly notify Company of the request and will provide Company with reasonable assistance in processing any such request. Otherwise, SmartBear shall assist Company to the extent required by applicable Data Protection Laws and Regulations.
4. Investigations and Audits
4.1 SmartBear shall reasonably assist and support Company in the event of an investigation by a data protection regulator or similar authority, if and to the extent that such investigation relates to the collection, maintenance, use, processing, or transfer of Personal Data under this Agreement.
4.2 If required by applicable Data Protection Laws and Regulations, then, upon reasonable notice (not less than thirty (30) days in advance) and at mutually agreed times no more than once per year, SmartBear shall provide to Company, its authorized representatives, and/or an independent inspection body designated by Company (i) access to records of SmartBear’s Processing of Personal Data or other information required by applicable Data Protection Laws and Regulations; and (ii) reasonable assistance and cooperation of SmartBear’s relevant staff for the purpose of auditing SmartBear’s compliance with its obligations under this Agreement. SmartBear reserves the right, in its sole discretion, to restrict access to its proprietary information, including but not limited to its network architecture, internal and external test procedures, results and remediation plans. Company will use best efforts to minimize disruption to the SmartBear Service or business operations. Company further agrees that (i) personnel (or designated third parties) performing said audits will be bound by confidentiality obligations; (ii) all findings will be deemed SmartBear’s Confidential Information; (iii) Company will share all findings with SmartBear; and (iv) SmartBear will classify and remediate findings in accordance with its risk management program.
4.3 Taking into account the nature of the Processing and the information available to SmartBear, SmartBear shall, upon Company’s written request, provide Company with reasonable cooperation and assistance needed to fulfil Company’s obligations under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Company’s use of the SmartBear Services or Software. Such cooperation and assistance is provided to the extent Company does not otherwise have access to the relevant information, to the extent such information is available to SmartBear, and provided that it will not compromise the security of SmartBear’s systems or the data of other SmartBear customers. To the extent required by applicable Data Protection Laws and Regulations, SmartBear shall provide reasonable assistance to Company in respect of Company’s prior consultations with a data protection authority.
5. Notice of Non-Compliance
5.1 If required by applicable Data Protection Laws and Regulations, in the event that SmartBear is unable to comply with its obligations stated in this Data Processing Addendum, SmartBear shall promptly notify Company, and Company may take any one or more of the following actions: (i) suspend the transfer of Personal Data to SmartBear; (ii) require SmartBear to cease Processing Personal Data; or (iii) demand the return or destruction of Personal Data. Unless Company has additional rights or remedies under applicable law, this is the full extent of Company’s remedies.
6.1 SmartBear will ensure that all individuals with access to Personal Data are subject to written obligations of confidentiality.
6.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SmartBear shall in relation to the Personal Data implement appropriate technical and organizational measures designed to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
6.3 In assessing the appropriate level of security, SmartBear shall take account in particular of the risks that are presented by Processing the Personal Data.
6.4 If SmartBear knows of a Personal Data Breach, SmartBear shall (i) promptly, and without undue delay following SmartBear’s discovery and confirmation thereof, notify Company of such Personal Data Breach, (ii) investigate, remediate, and mitigate the effects of the Personal Data Breach, (iii) reasonably cooperate with Company’s investigation of the Personal Data Breach to the extent that such cooperation does not compromise SmartBear’s security, (iv) take any additional actions and provide any additional cooperation with Company as may be required under applicable Data Protection Laws and Regulations, including providing reasonable assistance to Company in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and information available to SmartBear, and (v) upon resolution, provide Company with a written incident report describing the breach, actions taken during the response, and plans for future actions to prevent a similar breach from occurring in the future.
7. Legal Effect and Termination
7.1 Upon termination or expiration of the Agreement or this Data Processing Addendum, and at any time at Company’s reasonable written request, SmartBear shall: return to Company or destroy all Personal Data, except that, to the extent permitted by applicable Data Protection Laws and Regulations, SmartBear may retain a copy of any Personal Data (or permitted portion thereof) for SmartBear’s business records (including for billing and auditing purposes), for research, analysis and support purposes, and as otherwise required for compliance with applicable Data Protection Laws and Regulations.
7.2 Unless earlier terminated by either party in accordance with the Agreement, this Data Processing Addendum will terminate automatically when the Agreement terminates or expires, without further action required by either party.
8. Details of Processing
8.1. Categories of Data Subjects. Company may submit Personal Data to SmartBear, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to Company’s contacts and other end users including Company’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Company’s end users.
8.2 Types of Personal Data. Personal Data includes:
(a) Personal identifiers, which includes name, postal address (including billing and shipping address), telephone numbers, email address, fax number, screen name, user ID and password, IP address or MAC address;
(b) Commercial information, which includes payment or financial information, purchasing or consuming histories or tendencies;
(c) Information relating to Internet activity or other electronic network activity, which includes browsing history, search history and information regarding an individual’s interaction with an internet web site, application, or advertisement;
(d) Educational information;
(e) Professional information, such as employer or organizational affiliation for a customer or partner;
(f) Geolocation data;
(g) Audio, electronic, or visual information, which includes screen sharing;
(h) Characteristics of protected classifications under California or federal law, to the extent applicable; and
(i) Other information, including the contents of Company’s communications with SmartBear.
8.3 Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Data by SmartBear is the provision of the SmartBear Services and/or Software to Company that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement.
8.4 Purpose of the Processing. Personal Data will be Processed for the purposes of providing, enhancing, and offering the SmartBear Services and Software, as set out and otherwise agreed to in the Agreement, and as further instructed by Company in its use of the SmartBear Services.
8.5 Duration of the Processing. Personal Data will be Processed for the duration of the Agreement unless otherwise required by law or SmartBear’s data retention policies.
Changes: This Data Processing Addendum may change from time to time. SmartBear will post any changed or updated versions on the website and, if appropriate, provide email notification or login notification of such updates.