To the service agreement or master services agreement between company and client
This Data Processing Agreement (“DPA”) is hereby incorporated into the Service Agreement or Master Services Agreement (“Agreement”) between Anthology Inc. of Missouri (“Company”), a hosted constituent engagement portal, and the college, university, or other organization which has purchased the Services as described below (“Client”), and shall remain in effect during the Term of the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement and EU Data Protection Law. In the event of any conflict between this DPA and any other provisions in the Agreement, this DPA will prevail.
1. General Scope of Description and Definitions
a. General Scope. Company has created this DPA in order to demonstrate its firm commitment to GDPR and to describe the support it provides to its clients for any use of our Services. Company provides licensing, maintenance and hosting of constituent engagement management software, as well as provides and maintains services associated to the use of this software as described in the Agreement. “Services” means Application Services and Professional Services, as fully described in the Statement of Work and any accompanying Work Order, and is subject to the terms of the Agreement. "Application Services" means the online, web-based Encompass service, including associated online modules, provided by Company via Client’s designated website hosted by Company. “Professional Services” means implementation services, training services, managed services, application consulting services, product enhancement services and other professional services, as set forth and described in the Agreement.
"Affiliate" means any entity that is directly controlling, or directly controlled by, or under common control with the subject entity. For purposes of this definition, “Control” means direct ownership or control of more than fifty percent (50%) of the voting interest of Company, or Client, as applicable.
“Client Data” collectively means any Content and User Information provided or submitted to Company through the Application Services by Client or its Users. “Content” means all text, data, graphics, artwork, designs, audio-visual components, recordings, films, photographs, and other information and materials that Client considers necessary for the design, development, and support of the Application Services. “User Information” means all information (including any Personal Data) sent, received, stored or created by the Client and its Users in the Application Services.
"Data Protection Laws" collectively means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law. "EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data. Furthermore, and for purposes of this DPA, Client is the Data Controller of Customer Data.
"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller. Furthermore, and for purposes of this DPA, Company shall process Client Data as a Data Processor acting on behalf of the Client.
“Users” means Client’s employees, representatives, agents, consultants, contractors, volunteers, constituents or alumni who have access to any of Company’s Services or Websites.
"Personal Data" means any information relating to an identified or identifiable natural person that Company may Process on Client’s behalf as part of the Services provided.
"Sub-processor" means any third-party Data Processor engaged by Company or its Affiliates, which may process Client Data strictly to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
2. Roles and Scope of Processing Personal Data
a. Data Controller. Client is responsible for compliance with its obligations as a Data Controller under the EU Data Protection Law. Such obligations may include: (i) processing instructions it issues to Company; (ii) processing notice and obtaining any required consents and/or authorizations; or (iii) otherwise securing an appropriate legal basis under the EU Data Protection Law.
b. Data Processor. Company is responsible for compliance with its obligations as a Data Processor under this DPA. Company, including its Affiliates and Sub-processors acting under the authority of Company, will process Client Data solely for providing the Services during the term of the Agreement. Company and Client agree this DPA and the Agreement provide Client’s complete and final instructions to Company in relation to the processing of Client Data. Any processing outside the scope of these instructions shall require prior written agreement between Client and Company.
3. Data Processing
a. Data Subjects. Company may process a Data Subject’s Personal Data on behalf of the Client in order to perform the Services during the term of the Agreement. “Data Subjects” shall mean the Client and Users authorized to use the Company’s product and Services. The duration of the processing under this DPA is until the termination of the Agreement in accordance with its terms.
b. Categories of Client Data. For purposes of performing the Services as set forth in the Agreement, Company may process some or all of the following categories of Personal Data: personal contact information such as full name, address, email address, password, gender, city, state, country, and zip code. A User may also provide optional information, such as nickname, birthday, occupation, company, spouse's name or photos.
c. Personally Identifiable Information (“PII”). Company does not support the collection, storage, or display of sensitive personal information in the product or Services. Client acknowledges and understands the Client Data shall not include any sensitive or Personally Identifiable Information. “Personally Identifiable Information” or “PII” shall mean: (i) Family Educational Rights and Privacy Act (FERPA); (ii) Health Insurance Portability and Accountability Act (HIPAA); or (iii) government issued identifications, including, but not limited to, Social Security Numbers, Driver License Numbers, and Individual Taxpayer Identification Numbers.
d. Use of Client Data. Client acknowledges that Company shall have a right to use and disclose Client Data to its Affiliates or Sub-processors relating to the operation, support and/or use of the product and Services for legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
e. Aggregated Anonymous Data. Company may aggregate Client Data in an anonymous manner to compile statistical and performance information related to the operation of the products and Services (“Aggregated Anonymous Data”). Company uses Aggregated Anonymous Data to create product and Service enhancements; provided that such information does not incorporate any Client Data. To the extent any such data is considered Personal Data under Data Protection Laws, Company is the Data Controller of such data and accordingly shall process it in accordance with the Privacy & Website Security Policy and EU Data Protection Law.
4. Client Instructions
a. Purpose of Instructions. At the direction of Client’s written instructions, Company will process Client Data as specified in the Agreement and this DPA. This includes but is not limited to instructions on data transfers, blocking, correction or deletion of Client Data. Instructions may only be issued by an authorized individual who has authority to provide written instructions on behalf of the Client. Company will comply with all instructions to the extent necessary for Company to: (i) comply with its Data Processor obligations under the EU Data Protection Law; or (ii) assist the Client to comply with the Data Controller obligations under the EU Data Protection Law relevant to the use of the Services provided. If applicable, the parties will negotiate in good faith with respect to any additional fees which may be incurred in complying with the Client’s instruction. Such additional fees may include costs associated with resources different from or in addition to those necessary to perform the Services under the Agreement.
b. Client Obligations. Client can submit a written request on behalf of their Users for: the right of access (“GDPR Data Request”), or the right to be forgotten (“GDPR Data Deletion Request”) via Anthology’s Application Support team by emailing firstname.lastname@example.org with the following written details: (i) an email subject title of either: “GDPR Data Request” or “GDPR Data Deletion;” and (ii) applicable Member ID(s) for those Users who are making this request. Be sure to include all applicable Member ID(s) in the request since a given constituent may have more than one Member ID based on non-member records.
Furthermore, Client acknowledges and understands that it shall only provide lawful instructions. To the extent required by any Data Protection Laws, Company will immediately notify the Client, and may suspend execution of the instruction concerned, if in its opinion the Client’s instruction infringes any Data Protection Laws.
c. Company Obligations. Upon receipt of a written request as set forth in this Section 4, Company will promptly work on such instructions. If applicable, the parties will negotiate in good faith any additional fees which may be incurred, as set forth in Section 4(a) above.
If Company directly receives any User requests regarding Personal Data, it will promptly instruct the individual to contact the Client responsible for collecting their Personal Data. Also, in the event Company receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to the processing of Client Data (“Disclosure Request”), it will promptly pass on such Disclosure Request to Company without responding to it, unless otherwise required by applicable law.
5. Data Transfers and Sub-Processing
a. Sub-processors. In accordance with the provisions of this DPA and Agreement, Client acknowledges and agrees that Company or its Affiliates may engage Sub-processors to process Client Data on Client’s behalf, for purposes of providing Services under this DPA and Agreement. The Sub-processors currently engaged by Company and authorized by Client are listed in Annex A, as attached herein. In the event Company uses a Sub-processor, Company shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Client Data consistent with the terms of this DPA and Agreement; and (ii) remain responsible for its compliance with the obligations of this DPA and Agreement for any negligent acts or willful misconduct of the Sub-processor that cause Company to breach any of its obligations under this DPA. Client confirms this Section 5(a) constitutes general written authorization for the purposes of GDPR.
b. Changes in Sub-processors. Company shall notify Client, which email shall suffice, of any changes in Sub-processors processing Client Data at least ten (10) days prior to such changes. Client agrees to raise any reasonable objection in writing to Company’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on grounds relating to data protection as set forth in this DPA. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution.
c. Data Transfer. Client acknowledges and agrees that Company may transfer Client Data to any country outside the European Economic Area (“EEA”), or to any country which has not been the subject of a European Commission or Swiss Federal Data Protection Authority determination as providing an adequate level of protection for Personal Data; provided such transfer is made pursuant to an appropriate legal transfer mechanism, such as a valid certification under the EU-US Privacy Shield Framework, Swiss-US Privacy Shield Framework, EU Commission Model Clauses or any other legal transfer mechanism. Company agrees to protect such Client Data in accordance with the requirements of the Privacy Shield Principles. To the extent that the legal transfer mechanism relied on is declared invalid (by, for example, a competent court or authority), Company shall cooperate with Client in good faith to find an alternative legal transfer mechanism.
6. Security Measures and Audit Rights
a. Security Measures. Company has implemented and will maintain appropriate technical and organizational security measures for the processing of Client Data. Company employs Information Security Governance through its IT control standards and policies. Such policies include data classification; security awareness training; risk assessment; and risk analysis to identify the threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented. Security measures consider the nature, scope and purposes of processing as specified in this DPA, and are intended to protect Client Data against the risks inherent to the processing of Personal Data in the performance of the Services. Furthermore, Company has implemented physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls. Such information is described in more detail in our Data Security Exhibit to the Agreement. Client can submit a written request to review our Data Security Exhibit (“Data Security Exhibit Request”) via Anthology’s Application Support team by emailing email@example.com.
b. Confidentiality of Client Data. All Company, Affiliates, as well as any Sub-processors that may have access to Client Data are subject to appropriate confidentiality arrangements.
c. Audit Reports. Client acknowledges and understands that Company is regularly audited against PCI DSS standards, and that Company’s datacenters hosting Company’s Application Services platform are audited against SSAE 16 standards by independent third-party auditors and internal auditors (collectively, “Reports”). Company shall have a current attestation of compliance with PCI DSS industry standards, by meeting all security requirements to ensure commerce-based transaction data is protected, no less than annually. As part of Company’s policy, Company’s datacenters hosting the Application Services platform must maintain their own annual SSAE 16 audit. Upon request and on a confidential basis, Company shall provide Client or its appointed audit firm (Auditors) the following Reports: (i) Company’s current attestation of compliance for PCI DSS; or (ii) the datacenter used for Company’s Application Services platform, a certified SSAE 16, or equivalent review.
d. Additional Audit Requests. Company shall also provide written responses, on a confidential basis, to all reasonable requests for information made by Client, including responses to information security and audit questionnaires that are necessary to confirm Company’s compliance with this DPA, provided that Client shall not exercise this right more than once per year.
If the above responses to information security/audit questionnaires or Reports are not sufficient to satisfy Client that Company is adhering to this DPA, then Client shall have the right to request an audit or review to verify Client Data is properly handled, upon Company’s receipt of sixty (60) days’ advance notice. Client may engage third-party Auditors at its own expense to perform such audit, provided, however, that such third-party Auditors abide by and sign Company’s Mutual Non-Disclosure Agreement (“NDA”). Audit requests shall not exceed one (1) per calendar year, and shall not require Company to provide more than two (2) business days’ assistance. Additional fees may apply at Company’s then-current hourly rate in the event Client requires access to Company personnel. Client may acquire Professional Services at Company’s then-current billing rates pursuant to a separately executed Work Order or Statement of Work.
7. Security Incident Notification
a. Security Incident. Company promptly evaluates and responds to any unauthorized access to the processing of Client Data (“Security Incident”). All Company employees and Affiliates that have access to or process Client Data are instructed on responding to Security Incidents, including prompt internal reporting, escalation procedures, and chain of custody practices to secure relevant evidence.
b. Emergency Management Team. In the event of a Security Incident, the operational personnel will take the appropriate initial action and contact all of the following members: “Emergency Management Director,” operations, database management, production management, local network/server management, application support, client support, and marketing (“Emergency Management Team”). The goal of the Emergency Management Team is to restore the confidentiality, integrity, and availability of the Services and the Client Data that may be contained therein, and to establish root causes and remediation steps. Depending on the nature and scope of the Security Incident, Company may also involve and work with Client and outside law enforcement to respond to the Security Incident.
c. Notification of Breach. To the extent Company becomes aware of and determines that a Security Incident qualifies as an actual breach of Company’s security obligations, or other event requiring notification under Company policy or applicable law, Company agrees as follows: (i) to notify Client by telephone and/or e-mail of such an event within twenty-four (24) hours of discovery; (ii) to inform all such individuals in accordance with Company policies or applicable law; (iii) to provide Client a description of the nature and reasonably anticipated consequences of the breach of Client Data; (iv) the measures taken to mitigate any possible adverse effects and prevent a recurrence; (v) where possible, the categories of Client Data and Data Subjects, including an approximate number of Client Data records and Data Subjects that were directly impacted by the breach of Client Data; and (vi) other information concerning the breach of Client Data reasonably known or available to Company that Client may be required to disclose to a Supervisory Authority or affected Data Subject(s).
8. Return or Deletion of Client Data
Upon termination or expiration of the Agreement, Company shall return or destroy all Client Data and Confidential Information within thirty (30) days of termination or expiration from Company’s main server. Data deletion shall not apply to the extent: (i) Company is required by applicable law to retain some or all of the Client Data; or (ii) Client Data archival and back-up files except in line with Company’s data deletion schedule, as permitted under the Data Protection Law.
ANNEX A - List of Company Sub-Processors
Company uses its Affiliates and a range of third-party Sub-processors which may process Client Data to assist in providing the Services as set forth in the Agreement. The Sub-processors set out below have access to Client Data by providing hosting and storage services; content delivery and review services; assistance in providing customer support; as well as incident tracking, response, diagnosis and resolution services.
FUNCTION          ENTITY NAME                   CORPORATE LOCATION
Data Center       Amazon Web Services (AWS)     Washington, USA
Data Center       NetStandard                   Kansas, USA
Data Center       Microsoft (Azure)             Washington, USA
Email Delivery    SendGrid                      California, USA
Email Reporting   Pivotal Software              California, USA