Data Protection Addendum

This Data Protection Addendum (“Addendum”) forms an integral part of the Terms of Service (the “Agreement”) by and between Perimeter 81 Ltd. or any of its affiliates (“Perimeter 81”) and you, whether you are an existing customer who accepted the Agreement or a new customer accepting the Agreement now (“Customer”). Each of Perimeter 81 and Customer may be referred to herein as a “Party” and collectively the “Parties”.

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. The exhibits, annexes, appendices and schedules attached to this Addendum (each an “Annex”) form an integral part hereof and are expressly incorporated herein by this reference.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as supplemented by, and including, this Addendum.

1. Definitions

    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      1. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulation.
      2. “Customer Personal Data” means any Personal Data or Personal Information Processed by Perimeter 81 on behalf of Customer pursuant to or in connection with the Agreement;
      3. “EEA” means the European Economic Area;
      4. “GDPR” means EU General Data Protection Regulation 2016/679;
      5. “Services” means the Service and any other activities to be supplied to or carried out by or on behalf of Perimeter 81 for Customer pursuant to the Agreement;
      6. “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) or any subsequent version thereof released by the European Commission. The current Standard Contractual Clauses are located on the European Commission’s website at: https://ec.europa.eu/info/law/law-topic/data-protection_en.
    2. “Subprocessor” means any person (including any third party, but excluding an employee of Perimeter 81 or any of its affiliates) appointed by or on behalf of Perimeter 81 to Process Personal Data in connection with the Agreement. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly. The term “Personal Information” shall have the same meaning as in the CCPA.
    3. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data

    1. Perimeter 81 will Process Customer Personal Data as a Processor, in accordance with Customer’s documented instructions, unless Processing is required by applicable laws to which Perimeter 81 is subject, in which case Perimeter 81 will, to the extent permitted by applicable laws, inform the Customer of that legal requirement before the relevant Processing of that Personal Data.
    2. Customer hereby:
      1. instructs Perimeter 81 to Process Customer Personal Data (including, by transferring Customer Personal Data to any country or territory) as reasonably necessary for the provision of the Services and in accordance with this Addendum; and
      2. warrants and represents that it is and will at all relevant times remain (a) duly and effectively authorized to give the instruction set out in section 2.2.1; (b) the Controller of the Customer Personal Data Processed by Perimeter 81; and (c) responsible for and in compliance with its obligations as a Controller of Customer Personal Data under applicable law (including the GDPR), in particular with respect to the justification of any Processing of Customer Personal Data by Perimeter 81.
    3. Perimeter 81 shall not retain, use, or disclose Customer Personal Data (a) for any purpose other than for the specific purpose of performing the Services or as otherwise strictly permitted under the Agreement or this Addendum; or (b) for any commercial purpose, other than for providing the Services; and shall not sell Customer Personal Data. Perimeter 81 hereby certifies that it understands the restrictions under this Section 2.3 and will comply with them.
    4. Notwithstanding the above, Customer will be solely responsible for: (a) providing any required notices, obtaining and documenting any required consents and/or authorizations to/from Data Subjects and/or other third parties, including obtaining explicit consent to the processing of special categories of data, all in accordance with Articles 7-9 and 12-14 of the GDPR; (b) securing an appropriate legal basis under applicable law, as necessary for Perimeter 81 to Process Customer Personal Data as a Processor on Customer’s behalf (including Processing under Annex 3 where applicable); (c) ensuring that Company Personal Data is accurate and up to date; and (d) Customer’s decisions and actions concerning the Processing of such Customer Personal Data.

3. Annex 1 to this Addendum sets out certain information regarding the Processing of the Customer Personal Data by Perimeter 81 and/or any Subprocessors as required by Article 28(3) of the GDPR. Nothing in Annex 1 confers any right or imposes any obligation on any Party to this Addendum.

4. Perimeter 81 Personnel

Perimeter 81 will ensure that Perimeter 81 employees authorized to process Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Perimeter 81 will in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Customer is solely responsible for implementing appropriate internal measures for securing Customer Personal Data held and/or Processed by the Customer, including in connection with Customer’s use of the Services, and for the secure transfer of Customer Personal Data to Perimeter 81. 

6. Subprocessing

    1. Customer authorizes Perimeter 81 to appoint (and permit each Subprocessor appointed in accordance with this section 6 to appoint) Subprocessors in accordance with this section 6 and any restrictions in the Agreement.
    2. Perimeter 81 may continue to use those Subprocessors already engaged by it at the date of this Addendum, as listed in Annex 2.
    3. Customer authorizes Perimeter 81 to use additional Subprocessors, provided that Perimeter 81 will notify Customer of the addition of any Subprocessor and give the Customer an opportunity to object in writing thereto, within fourteen (14) days of receiving such notice.
    4. With respect to each Subprocessor, Perimeter 81 will ensure that such Subprocessor is required by written contract to abide by the same level of data protection and security as Perimeter 81 under this Addendum, as applicable to such Subprocessor’s Processing of Customer Personal Data.

7. International Transfer of Personal Data

    1. Perimeter 81 is allowed (and allowed to authorize its Subprocessors) to transfer Customer Personal Data outside of the EEA (including cloud storage in the United States) in the following cases: (a) Customer Personal Data is transferred to a country or scheme which is approved by the European Commission as ensuring an adequate level of protection (“Approved Jurisdictions”); (b) subject to the entry into the Standard Contractual Clauses by the transferor and the transferee with respect to the transfer of Customer Personal Data; or (c) if the transfer falls within a permitted derogation.
    2. To the extent that Perimeter 81 Processes Personal Data outside of the EEA and/or Approved Jurisdictions, then the Parties shall be deemed to enter into the Standard Contractual Clauses, in which event the Customer shall be deemed as the data exporter and Perimeter 81 shall be deemed as the data importer (as these terms are defined therein).

8. Data Subject Rights

Taking into account the nature of the Processing, Perimeter 81 will provide reasonable assistance to Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligations to respond to requests to exercise Data Subject rights under the GDPR. 

9. Personal Data Breach

Perimeter 81 will notify Customer upon Perimeter 81 becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer, to the extent reasonable, with sufficient information to allow Customer to meet its obligations to report or inform Data Subjects of the Personal Data Breach. 

10. Data Protection Impact Assessment and Prior Consultation

Perimeter 81 will, at Customer’s expense, provide reasonable assistance to Customer with data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Perimeter 81, and taking into account the nature of the Processing and information available to Perimeter 81.

11. Deletion of Customer Personal Data

    1. Without derogating from the Agreement, at the choice of the Customer all Customer Personal Data are to be deleted or returned to the Customer after the end of the provision of Services.
    2. Notwithstanding Section 11.1, Perimeter 81 may retain Customer Personal Data to the extent and for such period as required by a subpoena or other judicial or administrative order, or if otherwise required by law. Perimeter 81 will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its retention and for no other purpose.

12. Provision of Information Demonstrating Compliance and Audits

Upon Customer’s request up to once per year, Perimeter 81 shall make available to Customer evidence that Perimeter 81 is in compliance with this Addendum. Perimeter 81 and Customer agree that such demonstration of compliance by Perimeter 81 is the preferred mechanism for meeting the requirements of article 28(3)(h) of the GDPR. Audit requirements shall be met upon Perimeter 81’s provision, provided that the parties have an applicable confidentiality agreement in place, of third party certification (which may include the then-current SOC2 report). Any request for additional audit rights shall be at Customer’s expense and Perimeter 81’s sole discretion.

13. General Terms

  1. Disclosure to competent authorities
    1. To the extent required by applicable law, Perimeter 81 may disclose Customer Personal Data if required by a subpoena or other judicial or administrative order, or if otherwise required by law, provided that Perimeter 81 will, prior to such disclosure and to the extent permitted by applicable law, notify Customer and provide Customer an opportunity to object to such disclosure.

      Severance
    2. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    3. This Addendum may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. In the event that a Party’s signature is delivered by facsimile transmission or by e-mail delivery of a “.pdf” format data file, such signature shall create a valid and binding obligation of such Party with the same force and effect as if such facsimile or “.pdf” signature page were an original thereof.

ANNEX 1

 DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data pursuant to Article 28(3) GDPR.

Subject matter and duration of the Processing of Customer Personal Data

The subject matter of the Processing of Customer Personal Data is set out in the Agreement and the duration thereof is for the term of the Agreement. 

The nature and purpose of the Processing of Customer Personal Data

Perimeter 81 may Process Customer Personal Data for the purpose of providing the Services to the Customer, including: (i) providing maintenance services and technical and other support with respect to the Services; (ii) cloud storage services; (iii) analysis; (iv) complying with Customer’s documented written instructions; or (v) complying with applicable law. 

The types of Customer Personal Data to be Processed

Customer Personal Data typically includes name and work-related Personal Data, such as email address, IP address and contact details.

The categories of Data Subjects to whom the Customer Personal Data relates

 Customer personnel.

The obligations and rights of the parties

The obligations and rights of the Controller and Processor are set out in this Addendum.

ANNEX 2

AUTHORIZED SUB-PROCESSORS

| Sub-Processor Name | Purpose Of Processing | Entity Country | Type Of Data Processed |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Cloud Service Provider | United States | All data specified in Annex I |
| Digital Ocean | Cloud Service Provider | United States | All data specified in Annex I |
| SendGrid, Inc. | Email notification services | United States | All data specified in Annex I |
| Stitch Data | Data processing | United States | All data specified in Annex I |
| Zendesk | CRM services | United States | All data specified in Annex I |
| SFDC | CRM services | United States | All data specified in Annex I |
| Skyvia | Database connection | Czech Republic | All data specified in Annex I |
| LiveChat | Online chat services | United States | All data specified in Annex I |
| G-Suite (Google Workspace) | Email services | United States | All data specified in Annex I |
| Looker Data Sciences | BI services | United States | All data specified in Annex I |
| Marketo Inc. | Marketing database | United States | All data specified in Annex I |
| Intercom Inc. | Online chat services | United States | All data specified in Annex I |
| Jarvis | Internal BI and CRM | United States | All data specified in Annex I |
| Calendly LLC. | Calendar services | United States | All data specified in Annex I |
| Chargebee | Billing and collection services | United States | All data specified in Annex I |
| Zoom Video Communications | Online conferences services | United States | All data specified in Annex I |