Data Processing Addendum
Last Updated: 19 August 2024
This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Enterprise Terms (the “Agreement”) between Helpshift, Inc. (“Helpshift”) and the customer entity that is a party to the Agreement (“Customer”). This DPA supplements the Agreement only when and to the extent that a user of Helpshift’s Services provides Helpshift with Personal Data that is subject to Data Protection Laws. We may update this DPA from time to time, and we will provide reasonable notice of any such updates. If you are accessing the Services on behalf of your employer, you represent and warrant that you have the authority to agree to this DPA on its behalf and the right to bind your employer thereto. If either you or your employer do not unconditionally agree to all the terms and conditions of this DPA, you have no right to use Helpshift’s Services and must navigate away from this page. Any terms not defined in this DPA shall have the meaning set forth in the Agreement. In consideration of the provision of such Services and the corresponding payment, the Parties agree to the below terms.
1. Commencement and Term
1.1 This DPA takes effect on the date identified as such in a SOW or Order Form or, in the event no such date is identified in a SOW or Order Form, the date when Helpshift first started providing the Services (the “Effective Date”) and shall continue until the Agreement expires or as otherwise agreed (the “Term”). The obligations herein apply in addition to those included in the Agreement.
2. Definitions and Interpretations
2.1 In this DPA the following words shall have the following meanings:
Applicable Law means any applicable laws, regulations, orders or directions issued from time to time by any court, government or other competent regulatory authority.
Data Protection Laws means all applicable laws relating to the processing of personal data, as amended, extended, reenacted or replaced from time to time, including the following: (a) the UK’s Data Protection Act 2018 and the UK GDPR; (b) the GDPR; (c) EC Directive 2002/58/EC on Privacy and Electronic Communications; (d) the California Consumer Privacy Act of 2018 (“CCPA”); (e) effective January 1, 2023, the California Privacy Rights Act (including its regulations) (“CPRA”) and (f) all local laws or regulations implementing or supplementing the EU legislation mentioned in (b)-(c) above.
EEA means the European Economic Area and UK means the United Kingdom of Great Britain and Northern Ireland.
GDPR means Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and UK GDPR has the meaning given in the Data Protection Act 2018.
International Transfer Requirements means the requirements of Chapter V of the GDPR (Transfers of Personal Data to third countries or international organisations).
Personal Data means personal data as defined by GDPR, which has been: (a) supplied to Helpshift by or on behalf of Customer; and/or (b) obtained by, or created by, Helpshift on behalf of Customer in the course of performance of the Agreement, and in each case where such personal data is processed by Helpshift for and on behalf of Customer in the performance of the Agreement.
Restricted Country means (i) a country, territory or jurisdiction which is not considered by the EU Commission (or in respect of personal data transfers caught by the requirements of UK Data Protection Laws, the relevant UK governmental or regulatory body as applicable) to offer an adequate level of protection in respect of the processing of personal data pursuant to Article 45(1) of the GDPR; (ii) where the UK GDPR applies, a country outside the UK which is not subject to an adequacy determination by UK Government; and (iii) where Swiss FADP applies, a country outside Switzerland which has not been recognised to provide an adequate level of protection by the Federal Data Protection and Information Commissioner.
Relevant Transfer Mechanism means: a) in respect of an EU Restricted Transfer, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”); b) in respect of a UK Restricted Transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the ICO under or pursuant to section 119A(1) of the Data Protection Act 2018 (as may be amended by the ICO from time to time pursuant to its terms) (“UK Addendum”) or c) in respect of a Swiss Restricted Transfer, the EU SCCs provided that any references in the clauses to the GDPR shall refer to the Swiss FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the EU SCCs (“Swiss SCCs”).
Restricted Transfer means a transfer of personal data from an entity whose processing under the Agreement is caught by the requirements of the GDPR and/or UK Data Protection Laws (as applicable) and/or Swiss FADP (as applicable), to an entity that processes the relevant personal data in a Restricted Country.
Sub-processors means further processors that are appointed by Helpshift to process the Personal Data.
Additionally, references to “controller”, “data subject”, “personal data breach”, “process”, “processed”, “processing”, “processor” and “supervisory authority” have the same meanings as per the GDPR. References to the GDPR and/or an article or chapter of the GDPR shall, where the context so requires and insofar as the Data Protection Laws is that of the UK, be construed as a reference to the equivalent Data Protection Laws of the UK and/or the corresponding provision of such Data Protection Laws.
2.2 In this DPA: (a) a reference to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires and insofar as the Data Protection Laws is that of the UK, be construed as a reference to the equivalent Data Protection Laws of the UK and/or the corresponding provision of such Data Protection Laws; and (b) a reference to a Clause is a reference to a Clause of this DPA.
3. Roles of the Parties and Processing Activities
3.1 The Parties acknowledge and agree that, to the extent that Helpshift processes Personal Data on behalf of Customer in connection with the provision of Services, Helpshift shall be the processor and Customer shall be the controller in respect of such processing.
3.2 Each Party acknowledges and agrees that the subject matter and duration of the processing carried out by Helpshift on behalf of Customer, the nature and purpose of the processing, the type of personal data, categories of data subjects, information on specific data transfers and the relevant safeguards applied shall be documented in the Agreement, the ‘Data Processing Schedule’ or Annex I to the Appendix (Restricted Transfer Addendum) of this DPA. The Data Processing Schedule, as updated from time to time, will be provided to Customer upon request.
3.3 If at any time either party considers that the relationship between the Parties and/or the scope of processing carried out by Helpshift no longer corresponds to the intention of the Parties stated in Clause 3.1 or 3.2, that party shall promptly notify the other and the Parties shall discuss and agree in good faith such steps that may be required to reflect the true status and/or scope of processing undertaken by Helpshift.
4. CCPA
4.1 The Parties acknowledge and agree that Helpshift is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a business purpose.
4.2 Helpshift shall: (i) comply with all applicable obligations under the CPRA; (ii) provide the same level of protection as required of a Business under the CPRA; (iii) notify Customer if it can no longer meet its obligations under the CPRA; (iv) not “sell” or “share” (as such terms are defined by the CCPA and/or the CPRA) Customer personal information; (v) not retain, use, or disclose Customer personal information for any purpose (including, but not limited to, any commercial purpose) other than to provide the Services under the Agreement; (vi) not retain, use, or disclose Customer personal information outside of the direct business relationship between Helpshift and Customer; and (vii) not combine Customer personal information with personal information that Helpshift (1) receives from, or on behalf of, another person or (2) collects from its own, independent consumer interaction.
4.3 The terms “business”, “personal information,” “service provider,” “sale,” and “sell” are as defined in the CCPA and CPRA.
5. Obligation of the Parties
5.1 Helpshift shall only process personal data for the purpose of providing the Services in accordance with the documented written instructions that Customer shall provide to Helpshift from time to time concerning such processing, unless required to do so by Applicable Law to which Helpshift is subject, in which event Helpshift shall inform Customer of such legal requirement unless prohibited from doing so by Applicable Law on important grounds of public interest. Customer shall ensure that any such instructions comply with Applicable Law. Customer shall ensure that the processing of personal data in accordance with Customer’s instructions will not cause Helpshift to be in breach of the Data Protection Laws. Helpshift shall notify Customer if, in Helpshift’s opinion, any instruction given by or on behalf of Customer breaches Data Protection Laws and may refuse to comply with any such instruction. For the avoidance of doubt, Customer acknowledges that no special categories of personal data or sensitive personal data, as such or similar terms are described by applicable Data Protection Laws, shall be shared with or made available to Helpshift unless specified in the Agreement.
5.2 Taking into account the nature of the processing and the information available to Helpshift, Helpshift shall assist Customer with regard to Customer’s compliance with its obligations under the following Articles of the GDPR:
(a) Article 32 (Security of Processing);
(b) Articles 33 and 34 (Notification and communication of a Personal Data Breach);
(c) Article 35 (Data protection impact assessment); and
(d) Article 36 (Prior consultation by Customer with the supervisory authority).
6. Security Measures
6.1 Helpshift shall maintain appropriate technical and organisational security measures in accordance with Article 32 of the GDPR, including those specified in Annex II to the Appendix (Restricted Transfer Addendum).
6.2 Helpshift shall ensure that the measures to be taken in accordance with Clause 6.1 of this DPA are appropriate having regard to:
(a) the nature of the personal data and the scope, context and purposes of the processing and the likelihood and severity of the risks to data subjects that are presented by the processing of such personal data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed; and
(b) the state of technological development and the cost of implementing such measures.
7. Records, Data Retention and Audit
7.1 Helpshift shall:
(a) maintain a record of its processing activities which relate to the Agreement as required by Article 30(2) of the GDPR; and
(b) at any time upon request, and in any event upon termination of an Agreement (unless Customer agrees otherwise in writing in each case), deliver up all Personal Data processed in accordance with the Agreement.
7.2 Following such delivery up and in the event of termination of the Agreement, Helpshift shall promptly and securely delete or destroy all such personal data except for any personal data that is necessary to enable Helpshift to comply with any continuing obligations that Helpshift may have under Applicable Law following its termination.
7.3 Each Party shall provide the other Party with such information as the other Party reasonably requests from time to time to enable such other Party to satisfy itself that the party providing the information is complying with its obligations under this DPA.
7.4 Helpshift shall permit Customer, its third-party representatives or a supervisory authority access to inspect, and take copies of records of its processing activities and any other relevant information held at any premises or on systems used in connection with the processing of the Personal Data, for the purpose of auditing compliance with Helpshift’s obligations under this DPA. Helpshift shall give any and all necessary assistance in respect of the conduct of such audits. Such audits shall be subject to the following:
(a) audits may be performed no more than once a year, except in the event of a reasonably suspected breach;
(b) Customer shall procure that any third party auditor enters into a confidentiality agreement in a form satisfactory to Helpshift (acting reasonably);
(c) Audits must be conducted during regular business hours on reasonable notice and must not unreasonably interfere with Helpshift’s business;
(d) Customer must provide Helpshift with any audit reports generated pursuant to any audit at no charge, unless prohibited by Applicable Law. Customer shall keep the audit reports confidential and may use the audit reports only for the purposes of meeting its audit requirements under Data Protection Laws and/or confirming compliance with the requirements of this Clause 7; and
(e) notwithstanding anything else in this DPA and/or the Agreement, all audits are at Customer’s sole cost and expense.
8. Sub-Processors
8.1 Notwithstanding any other provision of the Agreement or the DPA, Helpshift shall be entitled to appoint Sub-processors. The following provisions shall apply in respect of the appointment of Sub-processors:
(a) Customer approves the appointment of Sub-processors that are disclosed prior to the commencement of the provision of the Services and, for the avoidance of doubt, also approves any affiliate that is also a Sub-processor and the authorized Sub-processors identified at https://www.helpshift.com/legal/subprocessors/ (the “Helpshift List”) with respect to Services provided by Helpshift;
(b) Helpshift shall notify Customer in writing of its intention to engage any additional Sub-processor, and such notice shall give details of the identity of such Sub-processor and the Services to be supplied by it. With respect to the Helpshift List, it may be updated from time to time. Helpshift may provide a mechanism to subscribe to notifications of new authorized Sub-processors and Customer agrees to subscribe to such notifications where available. At least five (5) days before enabling any third party other than existing authorized Sub-processors to access or participate in the processing of Personal Data, Helpshift will add such third party to the Helpshift List and notify Customer via email. Customer may object to such an engagement in accordance with Clause 8.1(e);
(c) Helpshift shall only use a Sub-processor that has provided sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws and ensures the protection of the rights of data subjects;
(d) Helpshift shall impose, through a legally binding contract between Helpshift and the Sub-processor, data protection obligations on the Sub-processor that are in all material respects equivalent to those in this DPA and in any event meet the requirements set out in the Data Protection Laws;
(e) Customer shall be entitled to object to the appointment of additional Sub-processors notified under Clause 8.1(b) in writing where it considers that such appointment will not comply with the requirements of this Clause 8.1(e) and is based on reasonable grounds relating to data protection. Customer shall be deemed to have approved the engagement of the Sub-processor if it has not served a notice in writing on Helpshift objecting (in accordance with this Clause 8.1(e)) to such appointment within 5 days of the date that the notice is deemed to be received by Customer in accordance with Clause 8.1(b);
(f) where Customer objects to the proposed appointment, Helpshift will use commercially reasonable efforts to provide the Services without the use of the relevant Sub-processor. Where Helpshift is unable to provide the Services notwithstanding its use of such commercially reasonable efforts, Helpshift shall have no liability for any failure to provide the relevant Services in accordance with the terms of the Agreement; and
(g) Helpshift shall remain fully liable for all acts or omissions of the Sub-processors as if they were acts or omissions of Helpshift.
Between the Parties
8.2 The Parties acknowledge and agree that the transfer from Customer to Helpshift of Personal Data does not constitute a Restricted Transfer. If and to the extent that such a transfer of Personal Data becomes a Restricted Transfer, the Parties shall enter into a separate addendum to implement a transfer mechanism to ensure that the Restricted Transfer complies with the International Transfer Requirements.
By Helpshift
8.3 Customer acknowledges and agrees that Personal Data may be transferred by Helpshift to Sub-processors located in a Restricted Country, which may be considered a Restricted Transfer. In the event of the transfer being considered a Restricted Transfer, Helpshift shall enter into a transfer mechanism to ensure that the Restricted Transfer meets the International Transfer Requirements.
Failure of transfer mechanisms
8.4 The Parties acknowledge and agree that to the extent either Party considers (acting reasonably) that the use of the relevant lawful transfer mechanism relied on in respect of a Restricted Transfer under Clause 8.3 is no longer an appropriate lawful transfer mechanism to legitimise the relevant Restricted Transfer pursuant to the International Transfer Requirements, the Restricted Transfer shall be suspended and the Parties shall work together in good faith to agree and put in place an alternative lawful transfer mechanism or such other supplementary measures to enable the Restricted Transfer to continue, and Helpshift shall provide details of the relevant transfer mechanism on request.
8.5 In addition to Clause 8.4, the Parties will each use commercially reasonable efforts to ensure that the Services can continue to be provided in all material respects in accordance with the Agreement despite the suspension of the Restricted Transfer.
8.6 Without prejudice to Helpshift’s obligations under Clauses 8.4 and 8.5, Helpshift shall have no liability under the Agreement for any inability to provide the relevant Services in accordance with the terms of the Agreement as a result of the suspension of a Restricted Transfer pursuant to Clause 8.4.
Restricted Transfers
8.7 Personal Data may, in some cases, be transferred directly from Customer to Helpshift or to one of Helpshift’s Sub-processors located in a Restricted Country, which may be considered a Restricted Transfer. In this case, the Restricted Transfer will be governed by the terms of the Appendix (Restricted Transfer Addendum) to this DPA.
9. Costs
9.1 Customer will pay Helpshift in respect of any costs that are reasonably incurred by Helpshift to the extent that this falls outside the ordinary course of Helpshift’s business in respect of the performance by Helpshift of its obligations in this DPA, except where such performance is required as a result of a breach by Helpshift of its obligations under this DPA. Where practicable to do so, Helpshift will seek Customer’s written approval prior to incurring such costs.
10. Liability for Losses
10.1 Where, in accordance with the provisions under Article 82(3) of the GDPR, both Parties are responsible for the act, or omission to act, resulting in the payment of losses by a party or both parties then a party shall only be liable for that part of such losses which is in proportion to its respective responsibility.
10.2 Each party’s liability under or in connection with this DPA shall be limited in accordance with the Agreement.
11. Helpshift Personnel
11.1 Helpshift shall ensure that Helpshift personnel, to the extent that they are involved in the processing of personal data in connection with the Agreement, shall be subject to appropriate binding obligations to protect the confidentiality of such personal data.
11.2 Helpshift’s obligations under this DPA exclude any personal data relating to its personnel engaged in the performance of its obligations under the Agreement generated by Helpshift solely for the purposes of its internal human resources procedures and records.
12. Data Subject Rights and Breaches
12.1 Helpshift shall, to the extent permitted by law, notify Customer upon receipt of a request by a data subject to exercise the data subject’s right of access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Helpshift receives a Data Subject Request in relation to Personal Data processed under this DPA, Helpshift will advise the data subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any personal data are communicated to Helpshift, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each data subject.
12.2 Helpshift shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Helpshift’s assistance and (ii) Helpshift is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Helpshift.
12.3 Within 48 hours of discovering a personal data breach, or without undue delay, Helpshift shall provide Customer with the following information (insofar as it is possible, at the time of notifying Customer of the relevant personal data breach, or where such information is not available at the point of notification, as soon as such information is available):
(a) the nature of the breach, information about the Personal Data involved, including where possible the categories and approximate number of data subjects concerned and the categories and number of personal data records concerned;
(b) the likely consequences of the personal data breach;
(c) the measures taken or proposed to be taken by Helpshift to address the personal data breach, including where appropriate measures to mitigate the possible adverse effects; and
(d) the details of a contact point where more information concerning the personal data breach can be obtained.
12.4 The obligations described in Clauses 5.2 and 12.3 in respect of personal data breaches shall not apply in the event that a personal data breach results from the actions or omissions of Customer. Helpshift’s obligation to report or respond to a personal data breach under Clause 12.3 will not be construed as an acknowledgement by Helpshift of any fault or liability with respect to the personal data breach.
13. Data losses where no processing agreed
13.1 Customer shall indemnify Helpshift from and against any and all losses (including regulatory fines) that arise out of or in connection with a claim or action that is made, alleged or brought by a third-party (including any supervisory authority) against Helpshift arising out of or in connection with Customer providing or otherwise making available to Helpshift any Personal Data in circumstances where the Parties have not agreed and documented the scope of such processing in the Agreement.
14. General
14.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales and the Parties irrevocably agree to the non-exclusive jurisdiction of the courts of England and Wales. No failure to enforce any provision of this DPA will constitute a waiver of that provision. Customer may not assign this DPA without Helpshift’s written consent and, subject to that limitation, this DPA will inure to the benefit of and be binding upon the Parties and their respective successors and assigns. This DPA contains the entire agreement between the Parties with respect to the subject matter of this DPA and supersedes any other prior agreements or understandings hereof, and no amendment of it shall be valid unless it is in writing and signed by both Parties. If any provision(s) of this DPA is or becomes invalid, illegal or unenforceable under any law, the validity, legality and enforceability of the remaining provisions of this DPA shall not be affected or impaired. Customer is an independent contractor, and nothing in this DPA shall create a partnership or relationship of employer and employee or a joint venture between the Parties. By signing this DPA, Customer confirms that it understands English and its terms.
APPENDIX - RESTRICTED TRANSFER ADDENDUM
1. International Transfer Requirements
1.1 The Parties acknowledge and agree that to the extent the transfer of personal data from the data exporter to the data importer is considered a Restricted Transfer, as at the date of this Agreement, the parties shall rely on the applicable Relevant Transfer Mechanism to transfer the personal data from the data exporter to the data importer.
1.2 Accordingly each party agrees that by entering into this Agreement, the Relevant Transfer Mechanism shall be deemed agreed, incorporated by reference into the Agreement and executed by each of the parties acting on their own behalf and on behalf of their affiliates (where applicable) without the need for any further signature from either party, with Customer being the data exporter (and any relevant affiliates) and Helpshift (and any affiliates) being the data importer.
1.3 For the purpose of the EU SCCs, the following provisions shall apply:
a) Module One (Controller to Controller) of the EU SCCs applies when Company is processing personal data as a controller pursuant to Clause 13.5 of the Agreement.
b) The Controller to Processor module (Module Two) of the EU SCCs shall apply in respect of Restricted Transfers if Helpshift is processing personal data as a processor pursuant to Clause 2 of the DPA.
c) For each module, the elections in respect of those modules are as follows:
i. Clause 7 (Docking Clause) shall not apply;
ii. Clause 9 shall reflect the General Written Authorisation option and the minimum time period for prior notice of sub-processor changes shall be as set forth in Clause 8 of the DPA;
iii. Clause 11 (Optional Clause) shall not apply;
iv. Clause 17, Option 1 applies and the EU SCCs are governed by Irish law;
v. Clause 18(b), disputes will be resolved before the courts of Ireland;
vi. Annex I.A and Annex I.B, the details of the parties and the transfer are deemed populated with the relevant information set out in the Agreement, this DPA and the associated SOW;
vii. Clause 13(a) and Annex I.C, the Irish Data Protection Commissioner will act as competent supervisory authority;
viii. Annex II, the description of the technical and organizational security measures shall be in accordance with Annex II;
ix. Annex III, the list of sub-processors shall be in accordance with Annex III.
1.4 For the purpose of the UK Addendum, the following provisions shall apply:
(a) Clause 7 (Docking Clause) shall not apply;
(b) Clause 9 shall reflect the General Written Authorisation option and the minimum time period for prior notice of sub-processor changes shall be as set forth in Clause 8 of the DPA;
(c) Clause 11 (Optional Clause) shall not apply;
(d) The information required for Table 1 of the UK Addendum shall be provided in the recitals to the Agreement and this DPA;
(e) The information required for Table 3 of the UK Addendum is set out in Annexes I, II & III; and
(f) For the purpose of Table 4 of the UK Addendum, the parties agree that both the data exporter and the data importer may end the UK Addendum as set out in Section 19 of the UK Addendum.
1.5 The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
a) The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
b) The Terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
c) Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Section 13 shall be observed.
d) The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
1.6 The parties agree that the Relevant Transfer Mechanism shall cease to apply to the processing of personal data under the Agreement if and to the extent that the relevant transfer of the personal data ceases to be a Restricted Transfer.
2. Applicability and Effect of this RTA
2.1 In the event of any conflict or inconsistency between the Agreement, the main body of this Appendix and/or the Relevant Transfer Mechanism, the provisions which provide the most protection to Data Subjects shall prevail. In the absence of any such provision providing more protection to Data Subjects than any other provision, in the event of any conflict or inconsistency:
a) between this Appendix and the Agreement, this Appendix shall prevail;
b) between the Relevant Transfer Mechanism and the main body of this Appendix, the Relevant Transfer Mechanism shall prevail.
2.2 For the avoidance of doubt, nothing in this Appendix, Agreement and DPA is intended to vary, modify or contradict the provisions of the EU SCCs and/or the UK Addendum.
3. Supplementary Measures
3.1 The parties acknowledge and agree that the Relevant Transfer Mechanism may not, in isolation, ensure that the data importer’s Processing complies with the International Transfer Requirements. Accordingly, the data importer shall, promptly on the data exporter’s request, whether prior to the Restricted Transfer or otherwise, implement and maintain such supplementary measures in respect of the Restricted Transfer to ensure the Restricted Transfer complies with the International Transfer Requirements, or such other measures or safeguards as may be otherwise required by the data exporter (“Supplementary Measures”).
4. Invalidity of the Relevant Transfer Mechanism
4.1 If the Relevant Transfer Mechanism ceases to exist or is no longer considered by either party to be a lawful method of complying with the International Transfer Requirements for any reason, the data importer shall cease (and procure that any relevant third party ceases) all substantive processing of such personal data until such time as the data importer has, in accordance with the data exporter’s instructions, entered into an alternative transfer mechanism and/or put in place such Supplementary Measures and/or safeguards as are required to comply with the International Transfer Requirements.
4.2 Subject to Clause 8, if the data exporter determines (acting reasonably) that it is not feasible to put in place such an alternative transfer mechanism and/or Supplementary Measures and/or safeguards to enable compliance with the International Transfer Requirements, the data exporter may at its discretion:
(a) require the data importer (and/or procure that any relevant third party processors) to only Process the data exporter’s Personal Data within certain jurisdictions and/or subject to certain other restrictions, supplementary measures and/or safeguards;
(b) delete (or procure the deletion of) and/or destroy the data exporter’s Personal Data such that it is no longer processed in the relevant Restricted Country; and/or
(c) terminate the Services provided under the Agreement in whole or in part on fourteen (14) days’ prior written notice, and where fees for the Services provided under the Agreement are paid in advance, it shall be entitled to a prorated refund in respect of fees paid for Services not provided in accordance with the Agreement as at the effective date of termination.
5. Further Assurance
5.1 Each party shall, at the request of the other party, execute such additional documents and perform or procure the performance of such other acts or things that may reasonably be required by the other party in order to give full effect to this Appendix.
Annex I
A. List of Parties
Data Exporter
- Name of the Data Exporter: The party identified as the “Customer” in the Agreement, this DPA and in the relevant SOW.
- Address: As set forth in the Agreement.
- Contact person’s name, position and contact details: As set forth in the Agreement.
- Activities relevant to the data transferred under these Clauses: See Annex 1(B) below.
- Signature and date: This Annex 1 shall automatically be deemed executed when the Agreement is executed by Customer.
- Role (controller/processor): The Data Exporter’s role is set forth in Section 13 of the Agreement or Section 3 of this DPA.
Data Importer
- Name: As set forth in the Agreement.
- Address: As set forth in the Agreement.
- Contact person’s name, position and contact details: Helpshift Privacy Team – [email protected]
- Activities relevant to the data transferred under these Clauses: See Annex 1(B) below.
- Signature and date: This Annex 1 shall automatically be deemed executed when the Agreement is executed by Helpshift.
- Role (controller/processor): The Data Exporter’s role is set forth in Section 13 of the Agreement or Section 3 of this DPA.
B. Description of Transfer
Categories of data subjects whose personal data is transferred:
For Module 1: Customer’s employees and individuals authorized by Customer to access Customer’s Helpshift account. For Module 2: Customer’s end-users/customers.
Categories of personal data transferred:
For Module 1: Customer Account Data and Customer Usage Data. For Module 2: Any Personal Data processed by Helpshift in connection with the Services as described in the Data Processing Schedule in more detail.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Helpshift does not knowingly collect (and Customer shall not submit) any sensitive data or any special category of data (as defined under Applicable Laws).
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
The processing of Personal Data shall endure for the duration of the Agreement and this DPA on a continuous basis. It is described in more detail in the Data Processing Schedule.
Nature of the processing:
Helpshift will process Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement, this DPA and the Data Processing Schedule, and in accordance with Customer’s instructions as set forth in this DPA.
Purpose(s) of the data transfer and further processing:
Helpshift will process Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement, this DPA and the Data Processing Schedule, and in accordance with Customer’s instructions as set forth in this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
For Module 1: Helpshift will process Customer Account Data and Customer Usage Data in accordance with Helpshift Privacy Policy.
For Module 2: Helpshift will process and retain Personal Data in accordance with the Agreement and this DPA. It is described in more detail in the Data Processing Schedule.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing:
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13
Where the GDPR applies, the competent supervisory authority shall be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office.
343 Sansome Street, 5th Floor, San Francisco, CA 94104 Tel.: 1-800-245-9164; email: [email protected]
Annex II - Technical and Organisational Security Measures
Helpshift has implemented and will maintain reasonable and appropriate technical and organizational measures to protect Personal Data against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, procedures and internal controls set forth in this Annex II.
More specifically, Helpshift’s security program shall include, at a minimum:
1. Access control of Processing Areas
1.1 Helpshift has implemented and will maintain reasonable and appropriate measures to prevent unauthorized access to the data processing equipment (namely telephones, database and application servers, and related hardware) where Personal Data is processed or used, including:
(a) establishing security areas and physical controls;
(b) protecting and restricting access paths;
(c) establishing access authorizations for Helpshift personnel, including the respective documentation;
(d) ensuring all access to the data center where Personal Data is hosted is logged, monitored, and tracked; and
(e) ensuring the data centers where Personal Data is hosted are secured by a security alarm system and other appropriate security measures.
2. Access control to Data Processing Systems
2.1 Helpshift has implemented and will maintain reasonable and appropriate measures to prevent data processing systems where Personal Data is processed and used from being used by unauthorized persons, including:
(a) using industry-best encryption technologies, including for data at rest and in transit;
(b) identifying the terminal and/or the terminal user to Helpshift and its processing systems;
(c) using automatic temporary lock-out of a user terminal if left idle, and requiring identification and password to reopen;
(d) using automatic temporary lock-out of the user ID when several erroneous passwords are entered, logging files of events, and monitoring of break-in attempts (alerts); and
(e) ensuring all access to data content is logged, monitored, and tracked.
3. Access control to use specific areas of Data Processing Systems
3.1 Helpshift commits that the Helpshift personnel entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:
(a) implementing employee policies and training in respect of each individual’s access rights to the Personal Data;
(b) allocating individual terminals and/or terminal users, and identifying characteristics exclusive to specific functions;
(c) implementing monitoring capability in respect of individuals who delete, add, or modify the Personal Data;
(d) releasing data only to authorized persons, including allocating differentiated access rights and roles; and
(e) ensuring control of files, as well as controlled and documented destruction of data.
4. Availability Control
4.1 Helpshift has implemented and will maintain reasonable and appropriate measures to ensure that Personal Data is protected from accidental destruction or loss, including:
(a) infrastructure redundancy; and
(b) that backups are stored at an alternative site and are available for restore in case of failure of the primary system.
5. Transmission Control
5.1 Helpshift has implemented and will maintain reasonable and appropriate measures to prevent Personal Data from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including:
(a) using industry-standard firewall, VPN, and encryption technologies to protect the gateways and pipelines through which the data travels;
(b) ensuring confidential employee data is encrypted within the system (where relevant);
(c) providing user alert upon incomplete transfer of data (end to end check); and
(d) as far as possible, ensuring all data transmissions are logged, monitored, and tracked.
6. Separation of Processing for different purposes
6.1 Helpshift has implemented and will maintain reasonable and appropriate measures to ensure that data collected for different purposes can be processed separately, including:
(a) ensuring access to data is separated through application security for the appropriate users;
(b) ensuring modules within Helpshift’s database separate which data is used for which purpose, i.e., by functionality and function;
(c) at the database level, ensuring data is stored in different normalized tables, separated per module, or function they support; and
(d) ensuring interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.
7. Documentation
7.1 Helpshift will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Helpshift will ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this annex.
8. Breach Management and Notification
8.1 In the event of a personal data breach, Helpshift will comply with its obligations under Clause 12 of the DPA.
9. Monitoring
9.1 Helpshift has implemented and will maintain reasonable and appropriate measures to monitor access restrictions to Helpshift’s system administrators and to ensure that they act in accordance with instructions received. This is accomplished by various measures including:
(a) ensuring individual appointments of system administrators;
(b) adopting commercially reasonable and appropriate measures to register system administrators’ access logs to the infrastructure and keep them secure, accurate, and unmodified for at least six months;
(c) completing yearly audits of system administrators’ activity; and
(d) keeping an updated list with system administrators’ identification details (e.g., name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request.
10. Limits on Retention / Destruction
10.1 Helpshift will destroy or dispose of records containing Personal Data when there no longer exists any lawful basis for processing. Helpshift has implemented and will maintain reasonable and appropriate measures to securely destroy all Personal Data consistent with Data Protection Law. Methods of performing these actions may include the use of a third-party disk scrubbing utility or destruction of the drive, such as by degaussing, shredding, or other means of physically destroying data through specialized equipment and services.