DPA - Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between Webie LLC (“Webie”) and Customer (jointly “the Parties”), forms a part of the Services Agreement between the Parties, and reflects the Parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.
By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Webie processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
This DPA is effective on the date that it has been duly executed by both Parties (“Effective Date”), and amends, supersedes, and replaces any prior data processing agreements that the Parties may have entered into. Any modifications to the terms of this DPA (whether handwritten or otherwise) will render this DPA ineffective unless Webie has separately agreed to those modifications in writing.
1.1. Affiliate - means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. Authorized Affiliate - means Customer's Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Services pursuant to the Agreement between Customer and Webie; and (c) have not signed their own Services Agreement with Webie and are not "Customers" as defined under this DPA.
1.3. CCPA - means the California Consumer Privacy Act of 2018 (California Civil Code sections 1798.100 - 1798.199) and its accompanying regulations.
1.4. Controller - means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Customer is the Controller. For the purposes of this DPA, all references to Controller shall also mean “business” as defined in the CCPA for CCPA purposes.
1.5. Covered Services or Services - means the services that are ordered by the Customer from Webie involving the Processing of Personal Data on behalf of the Customer.
1.6. Customer - means the entity that signed the Services Agreement and that determines the purposes and means of Processing of Personal Data. The Customer is considered the “Controller” of the Personal Data provided pursuant to this DPA.
1.7. Data Breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer’s Personal Data transmitted, stored, or otherwise Processed.
1.8. Data Protection Laws - means any applicable law, statute, regulation or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, and at all times during the term of the Services Agreement, including the laws of the European Union, the UK Data Protection Act 2018, the GDPR, and the CCPA, all as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Services Agreement.
1.9. Data Subject - means either: 1) the individual within the European Economic Area and the United Kingdom to whom Personal Data relates for GDPR purposes, or 2) a “consumer,” as such term is defined in the CCPA for CCPA purposes.
1.10. GDPR - means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.11. Personal Data - means either: 1) data about a specific natural person within the European Economic Area or the United Kingdom from which that person is identified or identifiable, as defined in GDPR, or 2) “personal information” as defined in the CCPA for CCPA purposes, which is provided by or on behalf of Customer and Processed by Webie pursuant to the Services Agreement.
1.12. Processing - means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.13. Processor - means the entity which Processes Personal Data on behalf of the Controller. For purposes of this DPA, Webie, including its Affiliates, is the Processor. For the purposes of this DPA, all references to Processor shall also mean “service provider” as defined in the CCPA for CCPA purposes.
1.14. Regulator - means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.15. Services Agreement - means any services agreement including, but not limited to, Webie’s online terms between Webie and Customer under which Covered Services are provided by Webie to Customer.
1.16. Standard Contractual Clauses - means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021 at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).
1.17. Sub-processor - means any Processor engaged by Webie to Process Personal Data on behalf of Webie.
2. Services Agreement
This DPA supplements the Services Agreement and in the event of any conflict between the terms of this DPA and the terms of the Services Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA.
3. Data Protection Laws
3.1. Roles of the Parties - The Parties acknowledge and agree that Webie will Process the Personal Data in the capacity of a Processor and that Customer will be the Controller of the Personal Data.
3.2. DPO - The Parties, to the extent required by the GDPR, will each designate a data protection officer (a “DPO”) and provide their contact details to the other Party where required by Data Protection Laws.
4. Controller Obligations
4.1. Instructions - Customer warrants that the instructions it provides to Webie pursuant to this DPA will comply with Data Protection Laws.
4.2. Data Subject and Regulator Requests - Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Data, in accordance with Data Protection Laws. To the extent such requests or communications require Webie’s assistance, Customer shall immediately notify Webie in writing of the Data Subject’s or Regulator’s request.
4.3. Notice, Consent, and Other Authorizations - Customer agrees that the Personal Data it collects shall be in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorizations. Upon Webie’s request, Customer shall provide all information necessary to demonstrate compliance with these requirements.
5. Details of Processing Activities
5.1. The following table sets out the details of Processing:
Purposes the Personal Data shall be processed
• Webie will process Personal Data for the purpose of providing the Covered Services described in the Services Agreement. Customer may submit Personal Data to the Services and may request for its users (“End Users”) to submit Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion.
Description of the categories of the data subjects
• Natural persons who submit personal data to Customer via use of the Services;
• Natural persons who are employees, representatives, or other business contacts of Customers.
Description of the Categories of Personal Data
• Personal data processed includes name, email address, phone number, credit card, and/or other billing information;
• Personal data about End Users that the Customer provides to the Service or through the Customer’s End User’s interaction with the Services;
• Personal data from add-ons and other third-party services the Customer uses in conjunction with our Services;
• Data about Customers and End Users' use of the Services, including, but not limited to, interactions with the user interface to the Services, web browser or operating system details, and the Internet Protocol Address for the computers that Customers and End Users use to connect to the Services.
Description of Special Categories of Personal Data
• Website visitors or End Users may submit special categories of Personal Data to the Customer via the Services, the extent of which is determined and controlled by the Customer. For clarity, these special categories of Personal Data may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation.
6. Processor Obligations Supplementing the Standard Contractual Clauses
6.1. Scope of Processing - Webie will Process the Personal Data on documented instructions from Customer in such manner as is necessary for the provision of Services under the Service Agreement, except as may be required to comply with any legal obligation to which Webie is subject. Webie may make reasonable efforts to inform customers if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe on any Data Protection Laws. In the event Webie must Process or cease Processing Personal Data for the purpose of complying with a legal obligation, Webie will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.
6.2. Disclosure to Third Parties - Except as expressly provided in this DPA, Webie will not disclose Personal Data to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose the Personal Data, to the extent legally permissible and practicable, Webie will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
6.3. GDPR Articles 32-36 - Taking into account the nature of the Processing and the information available to Webie, Webie will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
7.1. Scope - Webie will maintain records of its Processing activities carried out on behalf of Customer and will make available to Customer the information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. Webie may limit the scope of information made available to Customer if Customer is a Webie competitor, provided that such limitation does not violate Data Protection Laws or the Standard Contractual Clauses. Customer’s inspection rights under this DPA do not extend to Webie’s employee payroll, personnel records, or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties.
7.2. Process - Subject to thirty (30) days prior written notice from Customer and at the Customer's additional expense (including all reasonable costs and fees for any and all time Webie expends on such audit, in addition to the rates for services performed by Webie), Webie and Customer shall mutually agree to appoint a third-party auditor to verify that Webie is in compliance with the obligations under this DPA. In no event shall the Parties agree to a third-party auditor that is a competitor to Webie. Audits and inspections will be carried out at mutually agreed times during regular business hours. Customers shall be entitled to exercise this audit right no more than once every twelve (12) months. Customers shall not be entitled to an on-site audit of Webie’s premises without demonstrating a compelling need for such an on-site audit. The Parties shall mutually agree upon the duration of the audit.
7.3. Confidentiality - All information obtained during any such request for information or audit will be considered Webie’s confidential information under the Services Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Webie’s confidential information. The third-party auditor may only disclose to the Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
8. Contracting with Sub-processors
Customer hereby gives its general authorization for Webie to engage new Sub-processors in connection with the processing of the Personal Data as set forth in clause 9 of the Standard Contractual Clauses. Customers must sign up at the aforementioned URL to receive email notifications concerning the addition of new Sub-processors. Customers may reasonably object to the addition of any new Sub-processor within 15 calendar days of receiving such email notification, in which case Webie will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Sub-processor. If Webie is unable to provide an alternative, Customer may terminate the Services and shall pay Webie any fees or expenses not yet paid for all services provided pursuant to any Services Agreement. If Customer fails to sign up for these email notifications, Customer shall be deemed to have waived its right to object to the newly added Sub-processor(s).
9. Transfers Outside of the EEA (European Economic Area)
9.1. Transfer - Customer acknowledges that Webie may, without Customer’s prior written consent, transfer the Personal Data to a foreign jurisdiction provided such transfer is either (i) to a country or territory which has been formally recognized by the European Commission as affording the Personal Data an adequate level of protection or (ii) the transfer is otherwise safeguarded by mechanisms, such as Standard Contractual Clauses and other certification instruments, recognized and approved by the European Commission from time to time.
9.2. Standard Contractual Clauses - If Customer’s use of the Services involves Customer’s transfer of Personal Data from the United Kingdom or European Economic Area to Webie, or if entering into the Standard Contractual Clauses set forth in the Appendix to this DPA with Webie would otherwise help Customer satisfy a legal obligation relating to the international transfer of Personal Data, then (i) by entering into this DPA, the Parties are deemed to be signing such Standard Contractual Clauses, including each of its applicable Annexes and (ii) such Standard Contractual Clauses form part of this DPA and take precedence over any other provisions of this DPA to the extent of any conflict.
10. Additional Terms for California Data Subjects
To the extent that the CCPA applies, Webie agrees it will not: (a) sell California Data Subjects’ Personal Data (as “sell” is defined in the CCPA); (b) retain, use, or disclose California Data Subjects’ Personal Data for a commercial purpose other than providing the services specified in the Services Agreement; (c) retain, use, or disclose California Data Subjects’ Personal Data outside of the direct business relationship between Processor and Customer. Webie certifies that it understands these restrictions set out in this section and will comply with them.
11. Obligations Post-Termination
Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
12. Liability and Indemnity
Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Services Agreement.
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.