This Data Processing Addendum (“DPA”) is incorporated into and forms a part of the agreement between Intelliboard Inc., a Delaware corporation (the “Company”) and Customer that governs Customer’s access to and use of the Services, or to the extent that no separate agreement exists, the Company’s Terms of Services (collectively, the “Agreement”). Capitalized terms not defined herein have the meaning given in the Agreement. To incorporate the following terms into your agreement with the Company for access to and use of the Services, please email the Company at DPA@intelliboard.net.
- Definitions. In this DPA, the following terms (and derivations thereof) have the meanings set out below:
“Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
“Customer” means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
“Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to the Services by Customer or Users and is Processed by the Company on behalf of Customer.
“Customer Personal Data” means Personal Data that is contained within Customer Content.
“Data Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.
“Data Protection Laws” means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Customer Personal Data.
“Data Subject” means an identified or identifiable natural person.
“Parties” or “Party” means Customer and/or the Company as applicable.
“Personal Data” means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.
“Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
“Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.
“Professional Services” means implementation, configuration, integration, training, advisory, and other professional services related to the Services that are provided by the Company and purchased by Customer specified in an Order or SOW.
“Services” means the Subscription Services, Professional Services, and any other online service or application provided or controlled by the Company for use with the Subscription Services.
“Company Personnel” means any individual authorized by the Company to Process Customer Personal Data.
“Subprocessor” means any individual or entity (including any third party but excluding the Company Personnel) appointed by or on behalf of the Company to Process Customer Personal Data in connection with the Agreement.
“Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
“User” means any individual authorized or invited by Customer or another User to access and use the Services under the terms of the Agreement.
- Roles of Parties.
2.1. Customer and the Company agree that, as between the Parties, Customer is a Controller and the Company is a Processor of Customer Personal Data and that each Party is solely responsible for its compliance with Data Protection Laws applicable to it and for fulfilling any of its related obligations to third parties, including Data Subjects and Supervisory Authorities.
2.2. Customer as Controller.
- 2.2.1. Customer is solely responsible for the accuracy of Customer Personal Data and the legality of the means by which Customer acquires Customer Personal Data.
2.2.2. Customer’s instructions to the Company to Process Customer Personal Data will comply with Data Protection Laws and be duly authorized, with all necessary rights, permissions, and consents secured.
2.3 Company as Processor.
- 2.3.1. Company will Process Customer Personal Data only: (a) as instructed by Customer in writing or as initiated by Users via an Services; (b) as necessary to provide the Services and prevent or address technical problems with an Services or violations of the Agreement or this DPA; or (c) as required by applicable law. Annex 1 (Details of Processing of Customer Personal Data) sets out a description of the Company’s Processing of Customer Personal Data.
2.3.2. Company will ensure that the Company Personnel: (a) access Customer Personal Data only to the extent necessary to perform the Company’s Processing obligations under this DPA and the Agreement; (b) are bound by confidentiality obligations with respect to Customer Personal Data substantially as protective as those set forth in this DPA and the Agreement; and (c) are subject to appropriate training relating to the Processing of Customer Personal Data.
2.3.3. Company will not disclose Customer Personal Data to a third party for monetary or other consideration except as otherwise permitted under this DPA or the Agreement.
2.3.4. At Customer’s written request and to the extent Customer is unable to access the relevant information on its own, the Company will provide reasonable assistance to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of the Company’s Processing of Customer Personal Data and the information available to the Company.
2.3.5. the Company will not assess the type or substance of Customer Content to identify whether it is Customer Personal Data or subject to any specific legal requirements.
- Security.
3.1. Company will implement and maintain technical, physical, and organizational measures and controls designed to protect and secure Customer Content (including the return and deletion thereof) in accordance with the Agreement.
3.2. Customer acknowledges that, through its Users, Customer: (a) controls the type and substance of Customer Content; and (b) sets User permissions to access Customer Content; and therefore, Customer is responsible for reviewing and evaluating whether the documented functionality of an Services meets Customer’s required security obligations relating to Customer Personal Data under Data Protection Laws.
- Subprocessors.
4.1. Subprocessors will be identified at www.smartsheet.com/legal/subprocessors. Customer authorizes the Company to use any such Subprocessors subject to the terms and conditions of this Section 4.
4.2. Company will carry out appropriate due diligence on each Subprocessor and have a written agreement with each Subprocessor that includes provisions for Processing Customer Personal Data that are substantially as protective as those set out in this DPA.
4.3. Company is responsible for Subprocessors’ acts and omissions, including a Subprocessor’s appointment of another Subprocessor.
4.4. New Subprocessors; Right to Object.
4.4.1. Customer must e-mail the Company at DPA@intelliboard.net to receive notifications of new Subprocessor appointments by the Company. Following submission of such form, the Company will provide prior written notice to Customer if the Company intends to appoint new Subprocessors; provided, however, that the Company will notify Customer in writing without undue delay after the appointment of a new Subprocessor if direct involvement of such Subprocessor is necessary for maintaining the availability and security of the Services or Customer Content.
4.4.2. If Customer objects to a new Subprocessor on a reasonable basis related to the Processing of Customer Personal Data, Customer must notify the Company in writing within fifteen (15) days after receiving an appointment notice; otherwise, the Company will deem the appointment of the new Subprocessor authorized by Customer. Upon receipt of an objection notice from Customer, the Company will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable configuration or use of the Services to avoid the Processing of Customer Personal Data by the new Subprocessor. If the Company cannot address Customer’s objection pursuant to the foregoing efforts, the Company will notify Customer within fifteen (15) days of receipt of Customer’s objection notice. Customer may then, by written notice to the Company within thirty (30) days of the Company’s notice, terminate this DPA and any affected Services and receive a refund of prepaid fees covering the terminated portion of the applicable Services.
- Data Subject Requests.
5.1. Company will provide Customer access to Customer Personal Data via the Services to allow Customer to respond to Data Subject requests relating to Customer Personal Data.
5.2. Company will notify Customer in writing without undue delay of any requests the Company receives directly from a Data Subject relating to Customer Personal Data, and the Company may respond directly to a Data Subject request: (a) to confirm that such request relates to Customer; (b) as required by applicable law; or (c) with the written consent of Customer.
5.3. At Customer’s written request and to the extent Customer is unable to access Customer Personal Data on its own, the Company will provide reasonable assistance to Customer in accessing Customer Personal Data for Customer to respond to such Data Subject requests. To the extent legally permitted, Customer will be responsible for any expenses attributable to the Company’s assistance efforts outside the normal course of business.
- Data Breach.
6.1. Company will notify Customer in writing without undue delay upon the Company becoming aware of a Data Breach.
6.2. Company will investigate and, as necessary, mitigate or remediate a Data Breach in accordance with the Company’s security incident policies and procedures (“Breach Management”).
6.3. Subject to the Company’s legal obligations, the Company will provide Customer with information available to the Company as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligations under Data Protection Laws as a result of a Data Breach.
6.4. If Customer requires information relating to a Data Breach in addition to the Breach Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, the Company will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.
- Audit Rights.
7.1. Subject to sections 7.2 and 7.3, the Company shall make available to Customer on request such information necessary to demonstrate compliance with this DPA and shall allow for, and contribute to, audits by a reputable auditor mandated by Customer in relation to the Processing of the Customer Personal Data by the Company.
7.2 To the extent the Company has undergone a third-party independent audit based on SOC 2, Type II or similar standards, then any audit right arising pursuant to section 7.1 shall be first satisfied by providing Customer with a report of such audit. If Customer, for reasonable reasons, is not satisfied by the independent audit report then Customer may request that a reputable auditor perform an audit pursuant to section 7.1 and subject to Section 7.3. If the Company does not agree to such additional audit or inspection, then Customer shall have the right to terminate the Agreement with immediate effect.
7.3 Customer shall give the Company reasonable prior written notice of any audit or inspection to be conducted under Section 7.1 and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. All such audits shall be subject to the confidentiality obligations set forth in the Agreement. Customer and the Company shall mutually agree upon the scope, timing and duration of the audit or inspection in addition to any reimbursement of expenses for which Customer shall be responsible. Any such audits shall not occur more than once a year (except where required by law or due to a Personal Data Breach). Additionally, the Company need not give access to its premises for the purposes of such an audit or inspection: (a) to any individual unless he or she produces reasonable evidence of identity and authority; (b) to any competitor of the Company; or (c) outside the Company’s normal business hours.
- International Transfers.
8.1. The Parties acknowledge and agree that the Processing of Customer Personal Data by the Company may involve an international transfer of Customer Personal Data from Customer to the Company (“International Transfer”).
8.2. With respect to any International Transfer from the European Economic Area or the United Kingdom that would be prohibited by applicable Data Protection Laws in the absence of a lawful data transfer mechanism, the Parties agree that the Standard Contractual Clauses issued by the European Commission under decision 2010/87/EU (“SCC”) will be in effect between the Parties, subject to the following clarifications:
- 8.2.1. for purposes of SCC Clause 5(a), Section 2.3 (the Company as Processor) of this DPA is deemed an instruction by Customer to Process Customer Personal Data;
- 8.2.2. for purposes of SCC Clauses 5(h) and 11, Section 4 (Subprocessors) of this DPA satisfies the Company’s obligations in such SCC clauses;
- 8.2.3. for purposes of SCC Clause 5(j), Customer must request in writing a copy of the Company’s Subprocessor agreements and the Company may remove all commercial information, or terms unrelated to the SCCs, from such copies;
- 8.2.4. for purposes of SCC Clause 5(f) and 12(2), Section 7 (Audit Rights) of this DPA satisfies the Company’s obligations in such SCC clauses;
- 8.2.5. for purposes of SCC Clause 12(1), the Company will provide certification of deletion only upon Customer’s written request;
- 8.2.6. for purposes of SCC Appendix 1, the information set forth in Annex 1 of this DPA will be deemed to complete such Appendix; and
- 8.2.7. for purposes of SCC Appendix 2, the security measures and controls set forth in the Agreement will be deemed to complete such Appendix.
8.3. If the SCC as clarified in Section 8.2 of this DPA fails as a lawful data transfer mechanism for an International Transfer, the Parties will act in accordance with Section 9.8 (Variations in Data Protection Laws) of this DPA.
- General.
9.1. Amendment; Waiver. Unless otherwise expressly stated herein, this DPA may be modified only by a written agreement executed by an authorized representative of each Party. The waiver of any breach of this DPA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.
9.2. Severance. If any provision of this DPA is held to be unenforceable, then that provision is to be construed either by modifying it to the minimum extent necessary to make it enforceable (if permitted by law) or disregarding it (if not permitted by law), and the rest of this DPA is to remain in effect as written. Notwithstanding the foregoing, if modifying or disregarding the unenforceable provision would result in failure of an essential purpose of this DPA, the entire DPA will be considered null and void.
9.3. Order of Precedence. Regarding the subject matter of this DPA, in the event of any conflict between this DPA and any other written agreement between the Parties (including the Agreement), this DPA will govern and control. Any data processing agreements that may already exist between Parties are superseded and replaced by this DPA in their entirety.
9.4. Notices. Unless otherwise expressly stated herein, the parties will provide notices under this DPA in accordance with the Agreement, provided that all such notices may be sent via email.
9.5. Governing Law and Jurisdiction. Unless prohibited by Data Protection Laws, this DPA is governed by the laws stipulated in the Agreement and the Parties to this DPA hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this DPA.
9.6. Enforcement. Regardless of whether Customer or its affiliate(s) or a third-party is a Controller of Customer Personal Data, unless otherwise required by law: (a) only Customer will have any right to enforce any of the terms of this DPA against the Company; and (b) the Company’s obligations under this DPA, including any applicable notifications, will be to only Customer.
9.7. Liability. As between the Parties to this DPA, each Party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.
9.8. Variations in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Services and the Company’s business operations.
9.9. Reservation of Rights. Notwithstanding anything to the contrary in this DPA: (a) the Company reserves the right to withhold information the disclosure of which would pose a security risk to the Company or its customers or is prohibited by applicable law or contractual obligation; and (b) the Company’s notifications, responses, or provision of information or cooperation under this DPA are not an acknowledgement by the Company of any fault or liability.
9.10. Company as Controller. the Company may collect Personal Data directly from Data Subjects (which may be duplicative of Customer Personal Data) in accordance with the Company’s internal policies and publicly posted Privacy Notice available at www.smartsheet.com/legal/privacy, and nothing in this DPA will prohibit the Company from Processing such Personal Data as a Controller under Data Protection Laws, provided that the Company conspicuously notifies such Data Subjects that such information will be handled in accordance with the Company’s Privacy Notice.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Personal Data:
- The subject matter and duration of the Processing of Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Personal Data
- Processing of Personal Data by the Company is reasonably required to facilitate or support the provision of the Services as described under the Agreement and this DPA.
Type of Personal Data and Categories of Data Subjects:
- The types of Personal Data and categories of Data Subject about whom the Personal Data relates are determined and controlled by Customer in its sole discretion.
Obligations and Rights of the Controller:
- The obligations and rights of Customer are set out in the Agreement and this DPA.
Last Updated: August 31, 2020