Data Processing Terms
Between “You” as the Client of RealtimeCRM (“Controller”) and Cambridge Software Ltd (“Processor”)
Controller and Processor may be referred to as a “party” and collectively as “parties”.
This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions or other written or electronic agreement between Cambridge Software Ltd and the Customer for the purchase of online services (including “RealtimeCRM”) from Cambridge Software Ltd (identified either as “Services” or “Service” otherwise in the applicable agreement, and hereinafter defined as “Services”). This “DPA” reflects the parties’ agreement with regard to the Processing of Personal Data.
(A) The Controller processes Personal Data in connection with its business activities;
(B) The Processor processes Personal Data on behalf of other businesses and organisations;
(C) The Controller wishes to engage the services of the Processor to process personal data on its behalf;
THE PARTIES HEREBY MUTUALLY AGREE AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1 In this Agreement the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:
“Data Protection Directive” shall mean Directive 95/46/EC of the European Parliament and Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
“Data Subject” shall mean an individual who is the subject of personal data.
“national law” shall mean the law of the Member State in which the Processor is established;
“personal data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“processing of personal data” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
“Effective Date” means the date upon which this Agreement is accepted by the Client;
“subprocessor” and “subprocessing” shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and “Sub Processor” shall mean the party to whom the obligations are subcontracted; and
“Technical and organisational security measures” shall mean measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing.
2.1 In consideration of the Controller engaging the services of Cambridge Software Ltd to process personal data on its behalf Cambridge Software Ltd shall comply with the security, confidentiality and other obligations imposed on it under this Agreement.
3. SECURITY OBLIGATIONS OF CAMBRIDGE SOFTWARE LTD
3.1 “Cambridge Software Ltd” shall only carry out those actions in respect of the personal data processed on behalf of the Controller as are expressly authorised by the Controller.
3.2 Cambridge Software Ltd shall take such Technical and Organisational Security Measures as are required under its own national law to protect personal data processed by “Cambridge Software Ltd” on behalf of the Controller against unlawful forms of processing. Such Technical and Organisational measures shall include, as a minimum standard of protection, compliance with the legal and practical security requirements set out in Appendix 1 of this Agreement.
4.1 “Cambridge Software Ltd” agrees that it shall maintain the personal data processed by “Cambridge Software Ltd” on behalf of the Controller in confidence. In particular, “Cambridge Software Ltd” agrees that, save with the prior written consent of the Controller, it shall not disclose any personal data supplied to “Cambridge Software Ltd” by, for, or on behalf of, the Controller to any third party.
4.2 “Cambridge Software Ltd” shall not make any use of any personal data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller.
4.3 Nothing in this agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.
5. CAMBRIDGE SOFTWARE LTD OBLIGATIONS
5.1 Personal data to which “Cambridge Software Ltd” may receive access concern the following data subjects (“Data Subjects”):
- 5.1.1 Controller’s directors, officers, employees, interns, trainees, agents, contractors, job applicants, customers, suppliers, subcontractors, business contacts;
- 5.1.2 Controller’s customers’ directors, officers, employees, interns, trainees, agents, contractors, customers or business contracts;
- 5.1.3 Any other individuals for which the Controller enters personal data or information into the service. Cambridge Software Ltd will not have any knowledge or control over the categories or identities of the Data Subjects whose Personal Data the Controller may elect to record or upload into the Service.
6. Data Processing
6.1 The data processing activities will generally include the following categories of personal data (“Personal Data”):
- 6.1.1 Name, street address, email address, phone number, other contact information, company name, title;
- 6.1.2 Customer history;
- 6.1.3 IP Addresses;
- 6.1.4 References, meeting notes; and
- 6.1.5 Such categories of personal data pertaining to an identified or identifiable individual as the Controller or Controller’s representative may enter or upload from time to time into the Service.
Cambridge Software Ltd will not have any knowledge or control over the categories or identities of the Data Subjects whose Personal Data the Controller may elect to record or upload into the Service.
6.2 Cambridge Software Ltd will not collect, process or use any Personal Data made available to it for any purposes other than for the performance of the Services. Copies or duplicates of any Personal Data made available hereunder may only be compiled with the approval of the Controller.
6.3 Cambridge Software Ltd will notify Controller without undue delay if Cambridge Software Ltd is of the opinion that a written instruction received from Controller is in violation of applicable data protection law and/or in violation of contractual duties under this DPA.
6.4 Cambridge Software Ltd will notify Controller without undue delay if Cambridge Software Ltd becomes aware that Cambridge Software Ltd’s employees have violated any data protection law, or the provisions of the Agreement if the violation occurs in the course of the processing of the data by Cambridge Software Ltd. Furthermore, if Cambridge Software Ltd is of the opinion that Personal Data have been or might have been illegally transferred or otherwise illegally disclosed to or accessed by a third party, Cambridge Software Ltd will notify Controller thereof without undue delay. In case of any loss of, or unauthorized access to Personal Data stored on the Service, Cambridge Software Ltd will inform Controller without undue delay, and assist Controller in fulfilling its statutory obligations under applicable data protection laws.
6.5 Cambridge Software Ltd will use reasonable efforts to fully cooperate and to comply with any instructions, guidelines and orders received from the relevant supervisory authority when such instructions, guidelines or orders pertain to the Personal Data.
7. Obligations of Controller
7.1 Controller will be responsible for the evaluation of the admissibility of the data processing and for ensuring the rights of the data subjects concerned.
7.2 Controller will be entitled to issue written instructions regarding the scope and the procedure of the data processing.
8. Data Subject Rights and Requests
8.1 To the extent permitted by law, Cambridge Software Ltd will inform Controller of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Cambridge Software Limited regarding Controller Personal Data. Controller shall be responsible to respond to such requests of Data Subjects. Cambridge Software Ltd will reasonably assist Controller in responding to such Data Subject requests.
8.2 If a Data Subject brings a claim directly against Cambridge Software Ltd for a violation of the Data Subject rights, Controller will indemnify Cambridge Software Ltd for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that Cambridge Software Limited has notified Controller about the claim and given Controller the opportunity to cooperate with Cambridge Software Ltd in the defence and settlement of the claim.
9.1 Cambridge Software Ltd shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, of Cambridge Software Limited’s processing of Controller personal data, in accordance with the following procedures:
- 9.1.1 Cambridge Software Ltd will reasonably cooperate with Controller by providing available additional information concerning its technical and organisational measures (TOMs), in order to help the Controller better understand such TOMs.
- 9.1.2 If further information is needed by Controller to comply with its own or a competent Supervisory Authority's request, Controller will inform Cambridge Software Ltd in writing to enable Cambridge Software Ltd to provide such information or to grant Controller access to it.
9.2 Each party will bear its own costs in respect of paragraphs 9.1.1 and 9.1.2 of Section 9.
10.1 Cambridge Software Ltd currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Subprocessor, Cambridge Software Ltd performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.
10.2 Cambridge Software Ltd may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of our Services:
| Entity Name | Subprocessing Activities | Entity Country |
|---|---|---|
| Amazon Web Services, Inc. | Cloud Service Provider | United States |
| Google Inc. | Cloud Service Provider | United States |
| Mailgun Technologies, Inc. | Email Service Provider | United States |
| Clearbit | Data Enrichment | United States |
| mLab | Cloud Service Provider | United States |
| Heroku | Cloud Service Provider | United States |
The Controller has access to the following Subprocessors whom they may enable via the Integrations page in RealtimeCRM:
| Entity Name | Subprocessing Activities | Entity Country |
|---|---|---|
| Xero Limited | API Integration for Finance Data | New Zealand |
| VoIP Services | API Integration for Telephone Services | United Kingdom |
| MailChimp | API Integration for Email Services | United States |
10.3 As Cambridge Software Ltd’s business grows and evolves, the Subprocessors Cambridge Software Ltd engages may also change. Cambridge Software Ltd will endeavor to provide the Controller with notice of any new Subprocessors to the extent required under the Agreement.
11. Term and Termination
This Agreement commences on the Effective Date. This Agreement shall continue in full force and effect for so long as Cambridge Software Ltd is processing personal data on behalf of the Controller.
Upon termination or expiration of this agreement Cambridge Software Ltd will delete Controller personal data in its possession as set out by the applicable law.
Appendix 1 to Data Processing Addendum
Technical and Organisational Measures
1.1 Cambridge Software Ltd will oblige its employees to process and use the Personal Data only in accordance with this Data Processing Agreement, including its appendix, and any written instructions received from Controller.
2. Transmission Control
Cambridge Software Ltd will implement suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorised parties during the transmission thereof or during the transport of the data media. This will be accomplished by:
2.1 Using a Service that is hosted on cloud providers who use state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels.
2.2 Using a Service that is only accessible via HTTPS, providing end to end encryption using TLS.
3. Access control to Data Processing Systems
Cambridge Software Ltd will implement suitable measures to prevent its data processing systems from being used by unauthorized persons. This will be accomplished by:
3.1 identification of the terminal user to the Controller.
3.2 Cambridge Software Ltd takes advantage of cloud based data centres to ensure availability, redundancy and physical restrictions to access data processing systems. For a complete description of security measures for the underlying systems please read the following documentation.
4. Input Control
Cambridge Software Ltd will implement suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This will be accomplished by:
4.1 authentication of the authorized personnel;
4.2 utilization of user codes (passwords);
4.3 an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
4.4 protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data.