Data Processing Addendum (US and CA)
Last Updated: December 21, 2022
This Data Processing Addendum (“DPA”) is incorporated into, is a supplement to and forms part of, the Contentstack Master Agreement or other written or electronic agreement between Contentstack Inc. (“Contentstack”) and the Customer (each such agreement, the “Agreement”) in relation to the provision of Services and in each case where Contentstack processes Personal Information as part of performing Services for Customer under the Agreement.
By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Contentstack processes Customer Personal Information for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail (but only to the extent of such conflict), regardless of whether any language in the Agreement purports to state that the Agreement is the controlling document.
Capitalized words and expressions used in this DPA which are not defined in this DPA shall bear the meaning set out in the Agreement. For the purpose of this DPA, the following terms shall have these meanings:
1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the applicable party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
2. “Authorized Affiliate” means any Customer Affiliate that is subject to Data Protection Laws and permitted to use the Services under the Agreement.
3. “Customer Personal Information” means Personal Information provided to Contentstack by or on behalf of Customer pursuant to the Agreement where Customer is a Business or Controller and Contentstack is Processor or a Service Processor but excluding in all cases Prohibited Data.
4. “Data Protection Laws” means, as applicable to Contentstack’s processing of Customer Personal Information, the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Virginia Consumer Data Protection Act and any other applicable United States or Canadian federal, state or local law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution relating to data use, security, protection and/or privacy, that applies to Customer Personal Information accessed, generated, retained, or shared by the Parties under the Agreement or this DPA, and any implementing, derivative or related legislation, rule, and regulation as amended, extended, repealed and replaced, or re-enacted.
5. “Data Security Breach” or “Personal Data Breach” shall mean any accidental or unlawful destruction, loss, or alteration of Customer Personal Information, or any unauthorized use or disclosure of, or access to, Customer Personal Information.
6. “Personal Information” means “Personal Information,” “Personal Data,” or any similar term as defined under Data Protection Laws.
7. “Prohibited Data” means any data or information, including Personal Information transmitted to Contentstack through any Contentstack API or third party applications not licensed by Contentstack or otherwise uploaded into the Software, comprising: (i) payment card or other payment method data or confidential financial information; (ii) health information, including “Protected Health Information” as that term is defined under the United States Health Insurance Portability and Accountability Act; and (iii) “sensitive categories” of Personal Information as defined under Data Protection Laws including Sensitive Personal Information as defined under the CCPA or other similar state legislation in the US.
8. “Service Provider” means a “service provider” or “processor,” as such terms (or analogous variations thereof) are defined under Data Protection Laws, that processes personal data or information on behalf of another company.
9. “User(s)” means a person Customer authorizes to use the Contentstack services for or on behalf of the Customer.
10. “Business”, “Commercial Purpose”, “Consumer” and “Sell” each have the meanings set forth in Data Protection Laws.
11. “Sub-processor” means any third party appointed by or on behalf of Contentstack to process Customer Personal Information on behalf of Contentstack or any Contentstack Affiliate in connection with the Services, including any other Contentstack Affiliate.
B. Customer Personal Information
1. Contentstack agrees to use and process Customer Personal Information only on behalf of Customer, according to the Agreement, this DPA and any other written directions set forth by Customer (provided such directions are in compliance with Data Protection Laws) and agreed by Contentstack. Contentstack will use the same level of privacy protection for the Customer Personal Information as is required by Data Protection Laws.
2. Contentstack acknowledges that it is a Service Provider, and as such Contentstack will not Sell, collect, retain, use or disclose Customer Personal Information of a Consumer, except as permitted by law, and only as necessary to perform the Business Purpose (as set out in Attachment 1 of this DPA) or for Contentstack to fulfil its obligations under the Agreement and this DPA.
3. Contentstack will not process Customer Personal Information for any purpose other than the Business Purpose except as otherwise expressly permitted by law or otherwise agreed in writing. Notwithstanding the foregoing, Contentstack may retain and use Customer Personal Information for internal use to build or improve the quality of the services provided under the Agreement, provided that Contentstack will not use Customer Personal Information to perform services on behalf of another business.
4. Contentstack will not process Customer Personal Information outside of the direct business relationship between Contentstack and Customer.
5. Contentstack will not combine Customer Personal Information with any other personal data or information it collects (directly or via any third party) other than as expressly permitted under Data Protection Law for Service Providers.
6. Contentstack certifies that it understands the requirements of being a Service Provider and will comply with Data Protection Laws and the restrictions contained herein with respect to such requirements. Contentstack will notify Customer without undue delay if it determines it can no longer meet its obligations under this DPA. Customer reserves the right, upon notice to Contentstack, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information, and Contentstack will promptly comply with any such steps.
7. Contentstack shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Information in accordance with requirements under Data Protection Laws, and as set forth at www.contentstack.com/securityaddendum. Contentstack will ensure that persons authorized by Contentstack to process any Customer Personal Information understand Contentstack’s obligation under this DPA.
8. If Customer discloses, or enables Contentstack to access, any Customer Personal Information that has been de-identified, then Contentstack will: (a) not attempt to re-identify any such data; and (b) use reasonable technical and organizational measures to prevent any re-identification of any such data or any inadvertent release of any such data.
9. Contentstack will make available to Customer on request information necessary to demonstrate compliance with this DPA and Data Protection Laws. Upon Customer’s written request at reasonable intervals during the Subscription Term and subject to the confidentiality obligations set forth in the Agreement, Contentstack shall provide a copy of its then most recent third-party audits or certifications, as applicable, or any summaries thereof or other information that Contentstack generally makes available to its customers at the time of such request evidencing Contentstack’s compliance with this DPA. To the extent required by applicable Data Protection Laws, Contentstack will allow for and contribute to audits, including but not limited to inspections, ongoing manual reviews, automated scans, regular assessments conducted by Customer (or another auditor mandated by Customer that is reasonably acceptable to Contentstack), in accordance with the terms of this Section 9. Any such audit must be tailored to what is reasonably necessary to verify Contentstack’s compliance with this DPA, and must occur during Contentstack’s normal business hours. In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by Contentstack; (b) comply with reasonable and applicable on-site policies and procedures provided by Contentstack, and (c) not unreasonably interfere with Contentstack’s business activities. The results of the audit will be the confidential information of Contentstack. Unless otherwise required by a supervisory authority, Customer will provide no less than thirty (30) days' advance notice of its request for any such audit and will cooperate in good faith with Contentstack to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party).
10. To the extent required by Data Protection Laws, Contentstack will provide governmental authorities with information and assistance reasonably necessary to investigate Data Security Breaches or Personal Data Breaches relating to Customer Personal Information or otherwise to demonstrate that the Services comply with Data Protection Laws to the extent that such inspections concern the processing of Customer Personal Information under the Agreement and this DPA.
11. Contentstack shall have the right to delete Customer Personal Information stored pursuant to the Agreement in the ordinary course of business, pursuant to its retention schedules. Contentstack shall, upon request, disclose its retention schedules that apply to Customer Personal Information to Customer. Contentstack’s obligations in relation to the return or destruction of Customer Personal Information following termination or expiry of the Agreement and all Order Forms are set out in section 7.6 of the Agreement. Upon the earlier of any request by Customer or immediately following termination of the Agreement, Contentstack will (or will enable Customer itself via the Services to) delete or return (and will delete existing copies of) all Customer Personal Information in its possession or control, unless retention of the Customer Personal Information is required by applicable law. If Contentstack believes retention is required by applicable law, Contentstack will notify Customer of such requirement and the data it will retain and for how long.
12. Customer shall have sole responsibility and liability for the accuracy, quality, and legality of Customer Personal Information, obtaining necessary consents (if necessary under Data Protection Laws), and the means by which Customer acquired Customer Personal Information before and after processing. Customer shall provide all required privacy notices and opt-out in accordance with Data Protection Laws.
13. Customer shall promptly notify Contentstack of any change in the applicability of Data Protection Laws to Customer or Customer Personal Information that may affect the Agreement, this DPA and/or Contentstack's ability to perform its obligations thereunder or under this DPA and/or the Agreement.
14. Customer shall serve as a single point of contact on behalf of all Customer Affiliates for Contentstack and be solely responsible for the internal coordination, review and submission of instructions or requests of Customer Affiliates that may be permitted by Customer under the terms of the Agreement to use the Services. Contentstack is discharged from any obligation to inform or notify such Customer Affiliates when Contentstack has provided applicable information or notice to Customer. Contentstack is entitled to refuse any requests or instructions provided directly by Customer Affiliates.
15. Customer represents that (i) it will not upload Prohibited Data into the Software; and (ii) its Users will be located in the United States and Canada. Customer shall ensure that no Customer Personal Information provided to Contentstack for processing under this Agreement, Order Forms and this DPA is from individuals located in the European Economic Area, United Kingdom, Switzerland or any other country where the transfer of Personal Information outside of its borders is restricted by laws, rules or regulations or otherwise requiring standard contractual terms to permit such transfer or processing, or other mandatory provisions to be included. Customer agrees that it will be fully liable for any breach of this paragraph B.12.
C. Consumer Requests and Data Processing Assistance
1. Contentstack will provide assistance to Customer as reasonably requested by Customer to facilitate Customer’s compliance with requirements under Data Protection Laws in connection with Contentstack’s processing of Customer Personal Information, to the extent Contentstack is legally required to do so, including but not limited to assisting with data protection impact assessments, audits, and consultations with regulatory bodies.
D. Consumer Requests
1. To the extent that Customer is required by Data Protection Laws to provide any individual(s) with access to, or reporting about the collection, use, disclosure and sale of, Customer Personal Information and Customer does not have access to the Customer Personal Information, Contentstack shall reasonably assist Customer with the collection of Customer Personal Information in its possession and provide the Customer Personal Information requested by Customer relating to such individual(s). Any requests from Customer for assistance with responding to an inquiry shall be submitted via email to [email protected].
2. Contentstack shall, to the extent legally permitted or required, and to the extent Contentstack has been able to identify that the request comes from a Consumer whose Customer Personal Information was submitted to the Software or Services, notify Customer if it receives a request from a Consumer in relation to the exercise of that person’s rights under Data Protection Laws. Contentstack shall not respond to any such Consumer request except as required under Data Protection Laws, and Contentstack shall (at Customer’s expense) provide Customer with reasonable cooperation and assistance in relation to its handling of a Consumer’s request according to Data Protection Laws, to the extent legally permitted and to the extent Customer cannot handle the request itself through its use of the Services or Software.
3. Contentstack may charge Customer for reasonable time and expenses associated with responding to requests sent to Contentstack by Customer under this Section.
4. Contentstack will notify Customer without undue delay after becoming aware of a Personal Data Breach that requires notification under Data Protection Laws. In any such notice, Contentstack will include: (a) a description of the Personal Data Breach, (b) a summary of the incident that caused the Personal Data Breach and any ongoing risks that the Personal Data Breach poses, (c) a description of the measures proposed or taken by Contentstack to address the Personal Data Breach, (d) any other information required under Data Protection Laws, and (e) any other information reasonably requested by Customer relating to the Personal Data Breach. If and solely to the extent it is not possible to provide the above information at the same time, the information may be provided in phases without undue delay. Contentstack will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any of its notification obligations imposed under Data Protection Laws in connection with any Personal Data Breach.
1. Customer acknowledges, agrees, authorizes and herewith consents that: (i) Contentstack Affiliates may act as Sub-processors; and (ii) Contentstack and Contentstack Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. A current list of Sub-processors (and the subject matter/nature and location of applicable processing) is available at www.contentstack.com/subprocessors. To the extent required by Data Protection Laws, Customer will be notified of changes to this list via the Service and/or via a mechanism that Customer must be a subscriber to in order to receive notifications of new Sub-processors for each applicable Service. To the extent required by Data Protection Laws, Contentstack will only add a Sub-processor after providing Customer with reasonable prior notice and an opportunity to object.
2. To the extent required by Data Protection Laws, Contentstack will enter into written agreements with Sub-processors containing data protection obligations no less protective than those in this DPA with respect to the protection of Customer Personal Information to the extent applicable to the nature of the services provided by such Sub-processor. Customer agrees that: (i) copies of Contentstack’s data processing agreements with Sub-processors, provided to Customer by Contentstack upon request, will have confidential information and other business secrets removed by Contentstack beforehand; and (ii) such copies will be provided by Contentstack in a manner to be determined by Contentstack and subject to the confidentiality obligations set forth in the Agreement. Contentstack will remain liable for any acts or omissions of its Sub-processors.
1. The liability and limitation of liability provisions set out in the Agreement shall apply to each party’s liability (including its Affiliates) to the other party under or in connection with this DPA. To the maximum extent permitted by Data Protection Laws, any reference in such provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
2. Authorized Affiliates may only exercise any rights as a Business in respect of this DPA through the Customer entity which has signed the Agreement. Any communications relating to any complaint, allegation or claim arising in connection with this DPA may only be communicated to and discussed with Contentstack by the Customer entity that has signed the Agreement with Contentstack. This DPA does not establish direct rights of Authorized Affiliates regarding the provision of the Services, or any other obligations as detailed in the Agreement.
G. Governing Law
1. Except as required under Data Protection Laws: (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
2. Changes in Data Protection Laws. Either party may propose variations to this DPA if and as they may apply to a particular Data Protection Law, which such party believes in good faith are required as a result of any change in, or decision of a competent authority under, that Data Protection Law. In the event of such a proposal, the parties agree to work together in good faith to implement mutually agreed changes.
3. Legal Effect. This DPA shall only become legally binding between Customer and Contentstack when the DPA has been executed via digital signature or other legally binding mechanism such as (but not limited to) acceptance of this DPA electronically or in an Order Form.
Description of Processing
(a) Subject Matter, Nature and Business Purpose: Contentstack processes the Customer Personal Information to perform the Services on behalf of the Customer, including maintaining or servicing Customer’s accounts and as further described in the Agreement.
(b) Categories of Consumers: Consumers include the individuals about whom data is provided to Contentstack via the Services by (or at the discretion of) the Customer. This may include, but is not limited to, Personal Information relating to the Customer’s Users.
(c) Types of Customer Personal Data: Customer may submit Personal Information to the Services, the extent of which is determined and controlled by Customer. Personal Information submitted to, stored on, or sent via the Services may include, without limitation, the following categories of data: first and last name, title, position, IP addresses, browser agents, postal addresses, email addresses, phone number, user names, browser and operating system identifiers, and any other Personal Information that Customer chooses to send to Contentstack during the course of Contentstack’s provision of the Services and technical support, but cannot include Prohibited Data.
(d) Duration of Processing: The processing will continue for the duration of the term of the Agreement.
(e) Retention Period: The Personal Information will be retained for the period of time needed for Contentstack to provide the Services and complete its obligations under the Agreement.