Data Processing Addendum
This Coconut Data Processing Addendum (“Addendum”) amends the Coconut Terms of Service and any other terms that incorporate by reference this Addendum (together, the “Agreement”) by and between you (“Client”) and Coconut Software Corporation with offices located at 102-121 Research Drive, Saskatoon, SK, Canada S7K 1K2 (“Coconut” or “Processor”).
WHEREAS
(A) The Client acts as a Data Controller.
(B) The Client wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, where applicable, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as the UK Data Protection Act 2018 (“UKDPA”), the UK General Data Protection Regulation as defined by the UKDPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the UKDPA, the “UK GDPR”), and any relevant law, statute, regulation, rule or other binding instrument which implements the above or otherwise relates to data protection, privacy, data security or the processing of Personal Data in any European member state or the United Kingdom, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.
IT IS AGREED AS FOLLOWS
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning:
1.1.1 “Client Personal Data” means any personal data Processed by the Processor (or a Subprocessor) on behalf of Client pursuant to the Addendum; shall be interpreted in accordance with European Data Protection Laws and US Data Protection Laws, as applicable, and relating to an identifiable or identified individual who visits or engages in through Client’s services (a “User”), which Processor Processes as a Data Processor or Service Provider (as defined under such laws) in the course of providing you, as a Data Controller or Business (as defined under such laws), with the Services. The term “Personal Data” shall also include “Personal Information” as defined under US Data Protection Laws.
1.1.2 “Data Protection Laws” means all applicable laws regarding the processing of Personal Data transferred by Client to Processor, including European Data Protection Laws and US Data Protection Laws;
1.1.X “European Data Protection Laws” means, collectively, GDPR and UKGDPR.
1.1.3 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.4 “Services” means the cloud-based enterprise level appointment scheduling, visitor management, video meeting, and related software services the Client receives from Processor.
1.1.5 “Subprocessor” means any person appointed by or on behalf of Processor to process Client Personal Data on behalf of the Client in connection with the Addendum.
1.1.6 “Processor Clauses” means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as amended or replaced.
1.1.7 “UKGDPR” means the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UKDPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
1.1.8 “US Data Protection Laws” means the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”), the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and other similar comprehensive state privacy laws that place obligations on a Business or Controller in relation to Personal Data (as defined under such laws), and any relevant regulation, rule or other binding instrument which implements such laws, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.
1.1.9 “US Consumer” means an individual that is a “consumer” as defined under US Data Protection Laws.
1.1.10 All other capitalized terms in this Addendum shall have the same definition as in the Agreement.
1.2 The terms, “Controller”, “Data Subject”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the European Data Protection Laws or the US Data Protection Laws, as appropriate, and shall be construed accordingly.
2. Processing of Client Personal Data
2.1 Client represents, warrants and covenants that it has provided all notices and obtained all necessary consents and authority required by and in accordance with applicable laws for the collection, use, transfer, storage, analyzing, disclosure and other processing of Client Personal Data in connection with the Agreement, and Client acknowledges that Processor has no obligation to review any notices or consents or determine the sufficiency of such processes under applicable laws. Processor may aggregate, anonymize or deidentify Client Personal Data and process such data for the purposes set out in this Addendum. To the extent that Processor receives from Client any Client Personal Data that has been deidentified, Processor will maintain and use the data only in a deidentified fashion.
2.2 Processor (a) will comply with all applicable Data Protection Laws in the Processing of Client Personal Data; and (b) will not Process Client Personal Data other than for the purposes of fulfilling its obligation in accordance with the Agreement and as otherwise on the documented instructions from the Client.
3. Processor Personnel
3.1 Processor will take reasonable steps to ensure the reliability of any employee, agent or any Subprocessor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with applicable Data Protection Laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account industry standards, the sensitivity of the Client Personal Data and the nature, scope, context and purposes of Processing as well as requirements under applicable Data Protection Laws, Processor shall, in relation to the Client Personal Data, implement and maintain throughout the term of this Addendum, commercially reasonable physical, administrative, technical and organizational measures, internal controls, and information security routines designed to protect Client Personal Data against loss, theft, destruction, or alteration; unauthorized disclosure or access; or unlawful processing.
5. Subprocessing
5.1 Processor shall not appoint (or share any Client Personal Data with) any Subprocessor unless required to deliver the Services or where authorized by the Client.
5.2 Processor shall ensure that each Subprocessor that has access to Client Personal Data is under appropriate obligations of confidentiality with respect to Client Personal Data.
6. Data Subject Rights
6.1 Processor (a) will promptly notify Client if it receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data; and (b) Processor will not respond to that request except on the documented instructions of Client or as required by applicable Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by applicable Data Protection Laws, inform Client of that legal requirement before the Processor responds to the request.
7. Personal Data Breach
7.1 Processor shall notify Client without undue delay upon Processor becoming aware of a Personal Data Breach affecting Client Personal Data, providing Client with sufficient information to allow the Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Client and take reasonable commercial steps as directed by Client to assist in the investigation, mitigation and remediation of such Personal Data Breach, at Processor’s reasonable cost and expense.
8. Deletion or Return of Client Personal Data
8.1 Subject to this section 8, Processor shall promptly upon the termination of the Agreement, return, destroy or anonymize all Client Personal Data, subject to backups made in the ordinary course of business and applicable legal requirements to maintain such Client Personal Data.
9. Audit rights
9.1 Subject to this section 9, Processor shall make available to the Client on request information reasonably necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by the Processor.
9.2 Information and audit rights of the Client only arise under section 9.1 to the extent that the Addendum does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
10. Data Transfer
10.1 If Client Personal Data processed under this Addendum is transferred from a country within a protected jurisdiction, to a country outside of that protected jurisdiction, the Parties shall ensure that the Client Personal Data are adequately protected. To achieve this, the Parties shall, where required by applicable law, rely on legally approved Processor Clauses for the transfer of Client Personal Data.
11. General Terms
11.1 In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail, unless such provisions contradict a requirement under applicable law, in which case such requirement shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that Processor may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Processor’s website, and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Services after the amended Addendum is posted to Processor’s website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service.
11.2 Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.
11.3 The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the Province of Ontario and the laws of Canada applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the Province of Ontario with respect to any dispute or claim arising out of or in connection with this Addendum.
Data Privacy Contact
Coconut Software Corporation
Attn: Privacy Officer
102-121 Research Drive
Saskatoon, SK S7N 1K2
1-888-257-1309 x2000
Last updated on: July 1, 2023