Data Processing Addendum for US/CA
Effective Date: August 2022
This Data Processing Addendum (“DPA”) is incorporated into, is a supplement to, and forms part of, the Contentstack Master Agreement or other written or electronic agreement between Contentstack Inc. (“Contentstack”) and the Customer (each such agreement, the “Agreement”) in relation to the provision of Services and in each case where Contentstack processes Customer Personal Information as part of performing Services for Customer under the Agreement.
By signing the Order Form, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Contentstack processes Customer Personal Information for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail (but only to the extent of such conflict).
A. Definitions
Capitalized words and expressions used in this DPA which are not defined in this DPA shall bear the meaning set out in the Agreement. For the purpose of this DPA, the following terms shall have these meanings:
1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the applicable party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
2. “Authorized Affiliate” means any Customer Affiliate that is subject to Data Protection Laws and permitted to use the Services under the Agreement.
3. “Customer Personal Information” means Personal Information provided to Contentstack on behalf of Customer pursuant to the Agreement where Customer is a Business or Controller and Contentstack is Processor or a Service Processor but excluding in all cases Prohibited Data. In the context of Users, Customer Personal Information shall be limited to the username (first and last name), email ID, IP address, and browser signature. In the context of Consumers, this shall be limited to such Customer Personal Information that is accessed by Contentstack in the provision of the Services.
4. “Data Protection Laws” means, as applicable to Contentstack’s processing of Customer Personal Information, the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Virginia Consumer Data Protection Act and any other applicable United States or Canadian federal, state or local law, rule, regulation, decree, statute, or other enactments, order, mandate or resolution relating to data use, security, protection and/or privacy, that applies to personal information or data accessed, generated, retained, or shared by the Parties, and any implementing, derivative or related legislation, rule, and regulation as amended, extended, repealed and replaced, or re-enacted.
5. “Data Security Breaches” or “Personal Data Breaches” shall have the meanings given to them under Data Protection Laws.
6. “Personal Information” means (i) “Personal Information” or “Personal Data,” as defined under Data Protection Laws, and (ii) any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information includes any information relating to an identified or identifiable person that is defined by Data Protection Laws as covered by such or a similar term, as well as information that would be publicly available where such would otherwise be protected as personal information by Data Protection Laws.
7. “Prohibited Data” means any Customer Data (including Customer Personal Data) transmitted to Contentstack through any Contentstack API or third party applications not licensed by Contentstack or otherwise uploaded into the Software, comprising: (i) payment card or other payment method data or confidential financial information; (ii) health information, including “Protected Health Information” as that term is defined under the United States Health Insurance Portability and Accountability Act; and (iii) “sensitive categories” of Personal Information as defined under Data Protection Laws including Sensitive Personal Information as defined under the CCPA or other similar state legislation in the US.
8. “Service Provider”, “Business”, “Commercial Purpose”, “Consumer” and “Sell” each have the meanings set forth in the California Consumer Privacy Act and the California Privacy Rights Act.
9. “Sub-processor” means any third party appointed by or on behalf of Contentstack to process Customer Personal Information on behalf of Contentstack or any Contentstack Affiliate in connection with the Services, including any other Contentstack Affiliate.
B. Customer Personal Information
1. Contentstack agrees to use and process Customer Personal Information only on behalf of Customer, according to the Agreement, this DPA, and any other written directions set forth by Customer (provided such directions are in compliance with Data Protection Laws) and agreed by Contentstack. Contentstack will use the same level of privacy protection for the Customer's Personal Information as is required by Data Protection Laws.
2. Contentstack acknowledges that it is a Service Provider, and as such Contentstack will not Sell, collect, retain, use or disclose Customer Personal Information of a Consumer, except as permitted by law, and only as necessary to perform the business purpose (as set out in paragraph B.1 of this DPA) or for Contentstack to fulfill its obligations under the Agreement and this DPA.
3. Contentstack will not process Customer Personal Information for its own or any other purposes (including any Commercial Purposes) except as otherwise expressly permitted by law or otherwise agreed in writing; provided, however, that processing of Customer Personal Information by Contentstack to ensure the security, operational maintenance, analysis, improvement, evaluation or development of the Services for the benefit of its customers, without disclosing any Customer Personal Information and without having any adverse impact on the technical and organizational measures implemented by Contentstack to protect Customer Personal Information, shall not constitute processing for Contentstack's own or any other purposes.
4. Contentstack certifies that it understands the requirements of being a Service Provider and will comply with Data Protection Laws and the restrictions contained herein with respect to such requirements.
5. Contentstack shall maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Personal Information as set forth at www.contentstack.com/legal/security-addendum.
6. Contentstack will make available to Customers on request information necessary to demonstrate compliance with this DPA as required by Data Protection Laws. Upon Customer’s written request at reasonable intervals during the Subscription Term and subject to the confidentiality obligations set forth in the Agreement, Contentstack shall provide a copy of its then most recent third-party audits or certifications, as applicable, or any summaries thereof or other information that Contentstack generally makes available to its customers at the time of such request evidencing Contentstack’s compliance with paragraph B.5 of this DPA.
7. To the extent required by Data Protection Laws, Contentstack will provide governmental authorities with all information and assistance reasonably necessary to investigate Data Security Breaches or Personal Data Breaches relating to Customer Personal Information or otherwise to demonstrate that the Services comply with Data Protection Laws to the extent that such inspections concern the processing of Customer Personal Information under the Agreement and this DPA.
8. Contentstack shall have the right to delete Customer Personal Information stored pursuant to the Agreement in the ordinary course of business, pursuant to its retention schedules. Contentstack shall, upon request, disclose its retention schedules that apply to Customer Personal Information to Customer. Contentstack’s obligations in relation to the return or destruction of Customer Personal Information following termination or expiry of the Agreement and all Order Forms are set out in section 7.6 of the Agreement.
9. Customer shall have sole responsibility and liability for the accuracy, quality, and legality of Customer Personal Information, obtaining necessary consents (if necessary under Data Protection Laws), and the means by which Customer acquired Customer Personal Information before and after processing.
10. Customer shall promptly notify Contentstack of any change in the applicability of Data Protection Laws to Customer or Customer Personal Information that may affect the Agreement, this DPA, and/or Contentstack's ability to perform its obligations thereunder or under this DPA and/or the Agreement.
11. Customer shall serve as a single point of contact on behalf of all Customer Affiliates for Contentstack and be solely responsible for the internal coordination, review, and submission of instructions or requests of Customer Affiliates that may be permitted by Customer under the terms of the Agreement to use the Services. Contentstack is discharged from any obligation to inform or notify such Customer Affiliates when Contentstack has provided applicable information or notice to the Customer. Contentstack is entitled to refuse any requests or instructions provided directly by Customer Affiliates.
12. Customer represents that (i) it will not upload Prohibited Data into the Software, and (ii) its Users will be located in the United States and Canada. Customer shall ensure that no Customer Personal Information provided to Contentstack for processing under this Agreement, Order Forms and this DPA is from individuals located in the European Economic Area, United Kingdom, Switzerland, or any other country where the transfer of Personal Information outside of its borders is restricted by laws, rules or regulations or otherwise requires standard contractual terms to permit such transfer or processing, or other mandatory provisions to be included. Customer agrees that it will be fully liable for any breach of this paragraph B.12.
13. Contentstack shall, without undue delay but no later than 24 hours after discovery by Contentstack, inform Customer of any Personal Data Breach or Data Security Breach relating to Contentstack’s processing of Customer Personal Information, to the extent Contentstack is legally permitted or required to do so.
C. Consumer Requests
1. To the extent that Customer is required by Data Protection Laws to provide any individual(s) with access to, or reporting about the collection, use, disclosure, and sale of, Customer Personal Information, Contentstack shall assist Customer with the collection of Customer Personal Information in its possession and provide the information requested by Customer about Contentstack’s use of the Customer Personal Information of such individual(s). Any requests from Customers for assistance with responding to an inquiry shall be submitted via email to firstname.lastname@example.org.
2. Contentstack shall, to the extent legally permitted or required, and to the extent Contentstack has been able to identify that the request comes from a Consumer whose Customer Personal Information was submitted to the Software or Services, notify the Customer if it receives a request from a Consumer in relation to the exercise of that person’s rights under Data Protection Laws. Contentstack shall not respond to any such Consumer request except as required under Data Protection Laws, and Contentstack shall (at Customer’s expense) provide Customer with reasonable cooperation and assistance in relation to its handling of a Consumer’s request according to Data Protection Laws, to the extent legally permitted and to the extent Customer cannot handle the request itself through its use of the Services or Software.
3. Contentstack may charge Customer for reasonable time and expenses associated with responding to requests sent to Contentstack by Customer under this Section.
D. Sub-processors
1. Customer acknowledges, agrees, authorizes and herewith consents that: (i) Contentstack Affiliates may act as Sub-processors; and (ii) Contentstack and Contentstack Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. A current list of Sub-processors (and the subject matter/nature and location of applicable processing) is available at www.contentstack.com/legal/subprocessors. To the extent required by Data Protection Laws, the Customer will be notified of changes to this list via the Service and/or via a mechanism that the Customer must be a subscriber to in order to receive notifications of new Sub-processors for each applicable Service.
2. To the extent required by Data Protection Laws, Contentstack will enter into written agreements with Sub-processors containing, in substance, data protection obligations no less protective than those in this DPA with respect to the protection of Customer Personal Information to the extent applicable to the nature of the services provided by such Sub-processor. Customer agrees that: (i) copies of Contentstack’s data processing agreements with Sub-processors, provided to Customer by Contentstack upon request, will have confidential information and other business secrets removed by Contentstack beforehand; and (ii) such copies will be provided by Contentstack in a manner to be determined by Contentstack and subject to the confidentiality obligations set forth in the Agreement.
E. Liability
1. The liability and limitation of liability provisions set out in the Agreement shall apply to each party’s liability (including its Affiliates) to the other party under or in connection with this DPA. To the maximum extent permitted by Data Protection Laws, any reference in such provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
2. Authorized Affiliates may only exercise any rights as a Business in respect of this DPA through the Customer entity which has signed the Agreement. Any communications relating to any complaint, allegation, or claim arising in connection with this DPA may only be communicated to and discussed with Contentstack by the Customer entity that has signed the Agreement with Contentstack. This DPA does not establish direct rights of Authorized Affiliates regarding the provision of the Services, or any other obligations as detailed in the Agreement.
F. Governing Law
1. Except as required under Data Protection Laws: (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
2. Changes in Data Protection Laws. Either party may propose variations to this DPA if and as they may apply to a particular Data Protection Law, which such party believes in good faith is required as a result of any change in, or decision of a competent authority under, that Data Protection Law. In the event of such a proposal, the parties agree to work together in good faith to implement mutually agreed changes. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Contentstack to protect Contentstack, its Affiliates, and/or Sub-processors against additional risks associated with such changes.
3. Legal Effect. This DPA shall only become legally binding between Customer and Contentstack when the DPA has been executed via digital signature or other legally binding mechanisms such as (but not limited to) acceptance of this DPA electronically or in an Order Form.