Data Processing Addendum
This Data Processing Addendum (this "Addendum") is incorporated into and forms part of the Terms and Conditions (which govern all access to or use of the Services set forth in Orders referencing the Terms and form the parties' "Agreement") between Civil Company Southmedia Marketing ("Southmedia") and the Client identified in the Agreement ("Client") and is effective as of the Effective Date (as defined in the Agreement).
Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement. Except as expressly modified below, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Client Personal Data, if applicable.
1. Definitions
1.1 "Controller" means an entity that determines the purposes and means of the Processing of Personal Data.
1.2 "Client Personal Data" means Personal Data contained in Client Content that is Processed by Southmedia on behalf of Client to perform the Services under the Agreement.
1.3 "Data Protection Laws" means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Client Personal Data, including, in each case to the extent applicable, European Data Protection Laws and United States Data Protection Laws.
1.4 "Data Subject" means the identified or identifiable natural person who is the subject of Personal Data.
1.5 "European Data Protection Laws" means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Data Protection Act of 2018, and all other laws relating to data protection in the United Kingdom (collectively, "UK Data Protection Laws"); (c) the Swiss Federal Act on Data Protection ("Swiss FADP"); and (d) any other applicable law related to the protection of Client Personal Data in the European Economic Area, United Kingdom, or Switzerland.
1.6 "Personal Data" means information that constitutes "personal information," "personal data," "personally identifiable information," or similar term under Data Protection Laws.
1.7 "Process" means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
1.8 "Processor" means an entity that Processes Personal Data on behalf of a Controller.
1.9 "Security Incident" means a breach of Southmedia's security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data in Southmedia's possession, custody, or control.
1.10 "Standard Contractual Clauses" means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by the European Commission's implementing decision (C(2021)3972) of 4 June 2021.
1.11 "Subprocessor" means any Processor appointed by Southmedia to Process Client Personal Data on behalf of Client under the Agreement.
1.12 "Supervisory Authority" means an independent competent public authority established or recognized under Data Protection Laws.
1.13 "United States Data Protection Laws" means, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"); (b) the Virginia Consumer Data Protection Act ("VCDPA"); (c) the Colorado Privacy Act ("CPA"); (d) the Utah Consumer Privacy Act ("UCPA"); (e) Connecticut SB6 ("CTDPA"); and (f) any other applicable law related to the protection of Client Personal Data in the United States.
2. Processing of Client Personal Data
2.1 Roles of the Parties; Compliance
The parties acknowledge and agree that, as between the parties, with regard to the Processing of Client Personal Data under the Agreement, Client is a Controller and Southmedia is a Processor. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Client Personal Data.
2.2 Client Instructions
Southmedia will Process Client Personal Data only in accordance with Client's documented instructions unless otherwise required by applicable law. Client hereby instructs Southmedia to Process Client Personal Data: (a) to provide the Services to Client; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) as necessary to prevent or address technical problems with the Services.
2.3 Details of Processing
The parties acknowledge and agree that the nature and purpose of the Processing of Client Personal Data, the types of Client Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Client Personal Data are as set forth in Appendix 1.
2.4 Processing Subject to the CCPA
Southmedia will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement; or (c) combine Personal Information received from Client with Personal Data received from any third party. Southmedia hereby certifies that it understands the foregoing restrictions and will comply with them.
3. Confidentiality
Southmedia shall take reasonable steps to ensure that Southmedia personnel who Process Client Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Client Personal Data.
4. Security
4.1 Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Southmedia shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.
4.2 Security Incidents
Upon becoming aware of a confirmed Security Incident, Southmedia will: (a) notify Client within twenty-four (24) hours and provide an initial report within seventy-two (72) hours containing details required for regulatory notifications under PDPL/GDPR; and (b) take reasonable steps to identify the cause, minimize harm, and prevent a recurrence.
4.3 Client Responsibilities
Client agrees that Client is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk; and (b) securing any account authentication credentials, systems, and devices Client uses to access the Services.
5. Subprocessing
Client generally authorizes Southmedia to engage Subprocessors as Southmedia considers reasonably appropriate. A list of Southmedia's Subprocessors is available upon Client's request. Southmedia will notify Client of the addition or replacement of any Subprocessor at least 30 days prior to such engagement. Client may object on reasonable data protection grounds within 10 days. When engaging any Subprocessor, Southmedia will enter into a written contract containing data protection obligations not less protective than those in this Addendum.
6. Data Subject Rights
Southmedia will, taking into account the nature of the Processing and the functionality of the Services, provide reasonable assistance to Client as necessary for Client to fulfill its obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. If Southmedia receives a request from a Data Subject, Southmedia will advise the Data Subject to submit the request to Client.
7. Assessments and Prior Consultations
In the event that Data Protection Laws require Client to conduct a data protection impact assessment or prior consultation with a Supervisory Authority, Southmedia shall use reasonable commercial efforts to provide relevant information and assistance to Client.
8. Relevant Records and Audit Rights
8.1 Review of Information and Records
Upon Client's reasonable written request, Southmedia will make available all information reasonably necessary to demonstrate compliance with Data Protection Laws. Such information will be made available no more than once per calendar year.
8.2 Audits
At Client's sole expense, Southmedia will allow for reasonable assessments and audits by Client or a mandated auditor, subject to reasonable advance written notice, Southmedia approval of the auditor, and conduct during normal business hours.
8.3 Results of Audits
Client will promptly notify Southmedia of any non-compliance discovered and provide any reports generated in connection with any audit.
9. Data Transfers
9.1 Data Processing Facilities
Southmedia may Process Client Personal Data anywhere Southmedia or its Subprocessors maintain facilities. For Client Personal Data subject to UAE PDPL, Processor shall not transfer such data outside the UAE unless the recipient country provides an adequate level of protection, Client has given explicit written consent, or appropriate safeguards are in place.
9.2 European Transfers
If Client transfers Client Personal Data subject to European Data Protection Laws, the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer.
9.3 Other Jurisdictions
If Client transfers Client Personal Data subject to Data Protection Laws other than European Data Protection Laws which require standard contractual clauses, the applicable terms approved by the relevant Supervisory Authority shall automatically apply.
10. Deletion or Return of Client Personal Data
Southmedia will delete or return Client Personal Data in accordance with the terms of the Agreement.
11. Modifications to this Addendum
Southmedia may modify this Addendum by notifying Client at least 30 days before the change will take effect. If Client objects, Client may immediately terminate this Addendum and the Agreement by giving written notice within 30 days.
12. General Terms
This Addendum will remain in effect until Southmedia's deletion or return of all Client Personal Data. To the extent of any conflict between this Addendum and the Agreement in relation to Client Personal Data, this Addendum will govern. This Addendum will be governed by the governing law provisions in the Agreement, unless required otherwise by Data Protection Laws.
Appendix 1: Details of Processing
Subject matter and duration: As described in the Agreement and the Addendum.
Nature and purpose: Activities reasonably required to facilitate or support the provision of the Services.
Categories of Data Subjects: Client's Authorized Users, call center agents, and Clients (individuals engaging with Client's Contact Center).
Categories of Client Personal Data: First and last name, login information, phone numbers, call event data, and recordings of communications (e.g., voice, chat, SMS, and email).
Sensitive data: The categories of sensitive data, if any, are determined by the Client.
Frequency of transfer: On a continuous basis for the term of the Agreement.
Retention period: As set forth in the Addendum or the Agreement.
Appendix 2: Standard Contractual Clauses
1. Application of Modules
If Client is acting as a Controller, "Module Two: Transfer controller to processor" shall apply. If Client is acting as a Processor to a third-party Controller, "Module Three: Transfer processor to processor" shall apply.
2. Sections I-V
The parties select Option 2 in Clause 9(a); the optional language in Clause 11(a) is omitted; the parties select Option 1 in Clause 17 with the governing law of the Republic of Ireland; and in Clause 18(b), the parties select the courts of the Republic of Ireland. The choice of Irish law and courts applies solely to disputes under the SCCs.
3. Annexes
The information set forth in Appendix 1 to the Addendum shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority shall be the Irish Data Protection Authority unless otherwise determined.
4. Transfers from the United Kingdom
The UK Addendum issued by the Information Commissioner's Office shall be incorporated by reference and shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply.
5. Transfers from Switzerland
The Standard Contractual Clauses shall also protect the data of legal entities under the Swiss FADP. References to the GDPR shall also be interpreted to include the Swiss FADP. The supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.