Attentive Data Processing Addendum
1. Introduction
This Data Processing Addendum (“DPA”) is entered into between Attentive Mobile Inc. (“Attentive” or “Company”) and the counterparty agreeing to these terms (“Customer”) which has entered into a Master Subscription Agreement or other written or electronic agreement for the Services provided by Attentive, along with any applicable Order Forms (the “Agreement”). Customer and Attentive are individually referred to as “Party” and collectively as the “Parties.”
This DPA governs the manner in which Attentive shall Process Personal Data on behalf of Customer (and, where applicable, Customer’s Affiliates) pursuant to the Agreement. All capitalized terms not defined in this DPA will have the meaning set forth in the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement and this DPA, this DPA shall control. The Parties agree that this DPA shall supersede and replace any existing data protection terms the Parties may have previously entered into in connection with the Agreement.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA.
2. Definitions
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
a. “Affiliate” means with respect to each Party any entity that controls, is controlled by, or is under common control with that Party.
b. “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
c. “Data Protection Laws” mean the relevant data protection and data privacy laws, rules, and regulations applicable to the processing, privacy and protection of Personal Data, which may include: (i) the GDPR; and (ii) the Swiss Federal Act on Data Protection 1992 and / or the Swiss Data Protection Act 2020 (once in force), as each may be amended or restated from time to time.
d. “Data Subject” shall have the meaning given to that term under the GDPR.
e. "GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), and any local implementations or applications of the same in any EEA Member State; and/or the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, as the context permits and to the extent applicable to a Party.
f. “Personal Data” means “personal data,” “personally identifiable information,” “personal information,” or other such similar terms under Data Protection Laws, that is Processed by Attentive pursuant to the Agreement pertaining to: (i) Data Subjects located in the United Kingdom and European Economic Area (EEA); and (ii) Customers that notify Attentive that their Processing of Personal Data of Data Subjects outside the areas listed in (i) is subject to GDPR. For purposes of this DPA, Personal Data shall also encompass Sensitive Personal Data, if applicable. The Personal Data and the specific uses of the Personal Data are detailed in Annex 1.
g. “Process” shall have the meaning given to that term under the GDPR.
h. “Processor” has the meaning given to that term under the GDPR, and in the context of this DPA, that term or “Service Provider” means an entity which Processes Personal Data on behalf of the Customer.
i. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems managed by or otherwise controlled by or on behalf of Attentive, and includes any “Personal Data Breach,” as defined under the GDPR.
j. “Sell” means directly or indirectly selling, renting, licensing, commercializing, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data (by Attentive or any Sub-processor) for monetary or other valuable consideration.
k. “Sensitive Personal Data” shall have the meaning assigned to the terms “sensitive personal data” or “special categories of personal data” under Data Protection Laws and shall include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a person, or data concerning health or data concerning a person’s sex life or sexual orientation.
l. “Services” means the “Services” as defined in the Agreement.
m. “SCCs” means: (i) where the EU GDPR or Swiss Federal Act on Data Protection applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR, including the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
n. “Sub-processor” means any of Attentive’s Affiliates, authorized contractors, agents, and third-party service providers that are appointed by Attentive to Process Personal Data.
o. “Term” means the period from the Effective Date until the end of Attentive’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Attentive may continue providing the Services for transitional purposes. Notwithstanding expiration of the Term, the relevant provisions of this DPA will remain in effect until, and automatically expire upon, deletion or disposal of all Personal Data as provided herein.
3. Data Processing
a. Roles of Parties. As between Customer and Attentive, Customer is the Controller of the Personal Data, and Attentive shall Process Personal Data as a Processor acting on behalf of Customer, as to the Processing identified in Annex 1. In relation to Processing by a Party of Personal Data of the other Party’s staff or representatives for contract administration purposes, each Party does so as an independent Controller and shall do so in compliance with their respective obligations under Data Protection Laws. Otherwise, Attentive shall not determine the purposes and means of processing of any Personal Data such that it would be deemed to be a Controller.
b. Instruction for Data Processing.
- i. Attentive. Personal Data shall be Processed by Attentive only on documented instructions from the Customer (including with regard to international data transfers), and in compliance with the terms of this DPA, Data Protection Laws, and the terms of the Agreement. Processing outside the scope of this DPA or the Agreement, including any changes to the locations of Processing of Personal Data, will require prior written agreement between the Parties. Attentive will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instruction and Data Protection Laws and the Parties will act promptly and in good faith to agree non-conflicting processing instructions.
- ii. Attentive is prohibited from: (i) Selling Personal Data; (ii) Processing Personal Data for any purpose other than for the specific purpose identified in the Agreement; and (iii) Processing Personal Data outside of the direct business relationship between Customer and Attentive. However, this provision shall not restrict Attentive from its ability to: (iv) comply with federal, state or local laws; (v) comply with a civil, criminal or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities; (vi) cooperate with law enforcement agencies concerning conduct that Attentive believes in good faith may violate federal, state or local law; or (vii) exercise or defend legal claims.
- iii. Customer. Customer agrees that: (i) it shall comply with its obligations as Controller under Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Attentive; and (ii) it has provided notice and obtained (or shall obtain) all necessary authorization (including without limitation, verifiable consent) and rights necessary under Data Protection Laws for Attentive to Process Personal Data and provide the Services.
c. Sub-processors.
- i. To the extent necessary to fulfill Attentive’s contractual obligations under the Agreement, Customer hereby authorizes the engagement of Sub-processors to Process Personal Data provided Attentive enters into written agreements with the Sub-processors regarding such Sub-processors’ Processing of Personal Data. The written agreements must: (i) impose data protection and security requirements that comply with Data Protection Laws and are no less onerous than those set forth in this DPA; (ii) specifically require such Sub-processors to assist Attentive and Customer in responding to any request received by Attentive or any Sub-processors from a Data Subject exercising their rights in Personal Data granted to them under Data Protection Laws (“Privacy Requests”); and (iii) limit use and access to Personal Data only to the extent required to perform the obligations subcontracted to Sub-processors in accordance with this DPA. Attentive will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors.
- ii. The current list of Sub-processors is set forth at security.attentivemobile.com. Customer may subscribe to notifications of any changes to Sub-processor arrangements at security.attentivemobile.com, or through such other similar mechanism made available by Attentive. Attentive shall publish and make available to Customer any proposed changes to the Sub-processors with at least fifteen (15) days’ notice. Customer may object to Attentive’s use of a new Sub-processor by written notice within ten (10) days after Attentive has published its proposed changes. In the event Customer objects to Attentive’s use of a new Sub-processor, the Parties will work together in good faith to find a mutually acceptable resolution. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Customer may terminate the Agreement by providing no less than 30 days’ written notice, as set forth in the Agreement. During any such objection period, Attentive may suspend the affected portion of the Services.
d. Confidentiality. Any person authorized to Process Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality. Attentive shall limit access to Personal Data to only those employees and other personnel with a need to have access to such Personal Data to carry out the terms of the Agreement.
4. Transfer of Personal Data
a. Except as set forth in Annex 3, Attentive shall not engage in a Restricted Transfer, as defined below, without the Customer’s prior written consent.
b. Cross-Border Data Transfer Mechanism. In connection with the Services, the Parties acknowledge and agree that Personal Data shall be processed outside of the EEA and the United Kingdom in the jurisdictions set out in this DPA or the Agreement, including jurisdictions that have not been designated as providing an adequate level of protection under Data Protection Laws (“Third Country”), and to support such transfers to Third Countries (hereinafter, “Restricted Transfers”), Data Protection Laws may require the execution of additional contractual terms and additional compliance measures to be taken. The Parties agree that to the extent Restricted Transfers occur pursuant to this Agreement, the Restricted Transfer shall be subject to:
- i. the data exporter ensuring that all Restricted Transfers comply with Data Protection Laws and, where required, a transfer impact assessment (“TIA”) is carried out;
- ii. the data importer ensuring that all subsequent Processing in the Third Country and any onward transfers comply with Data Protection Laws, and that, where required, the data importer supports and assists the data exporter with carrying out a TIA and implements any supplementary measures required to safeguard the Personal Data from unauthorized access from government authorities in the Third Country;
- iii. where the Restricted Transfer is to a Sub-processor, ensuring that a written contract is in place and the provisions of clause 3(c) have otherwise been complied with;
- iv. the appropriate SCCs as follows:
- 1. Transfers Restricted by EEA Data Protection Laws. The Parties agree Restricted Transfers Protected by EEA Data Protection Laws shall be subject to the SCCs as follows:
- A. Module Two will apply where the Customer is a Controller data exporter and Attentive is a Processor data importer, and Module Three will apply where Customer is a Processor data exporter and Attentive is a Sub-processor data importer;
- B. In Clause 7, the optional docking clause will apply to the extent not inconsistent with the other provisions of the Agreement;
- C. In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processors will be set forth in Section 3 of this DPA;
- D. In Clause 11, the optional language will not apply;
- E. In Clause 17, option 2 will apply, subject to the following:
Where the Customer is established in the EEA, the law of the Member State in which the Customer is established, provided such Member State law allows for third-party beneficiary rights; if the Member State law does not allow for third-party beneficiary rights, the SCCs shall be governed by the law of the Republic of Ireland;
- F. In Clause 18(b), the Parties submit themselves to the jurisdiction of the courts of the country whose law applies according to Section 4(b)(iv)(1)(E) of this DPA;
- G. For the purpose of Annex I of the SCCs, Annex 1 to this DPA contains the specifications regarding the Parties, the description of the transfer, and the competent supervisory authority;
- H. For the purpose of Annex II of the SCCs, Annex 2 to this DPA contains the technical and organizational measures;
- I. The specifications for Annex III of the SCCs are determined by Section 3 of this DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Attentive upon request.
- 2. Transfers Restricted by United Kingdom Data Protection Laws. Where the Parties are lawfully permitted to rely on the SCCs for transfers of Personal Data from the United Kingdom subject to completion of the UK Addendum, then:
- A. The EU SCCs, completed as set forth in Section 4(b)(iv)(1) shall also apply to transfers of such Personal Data, subject to sub-clause (B) below;
- B. The UK Addendum shall be deemed executed between the transferring Customer and Attentive, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data.
5. Data Security
a. Attentive Security. Attentive shall implement and maintain a security program that includes appropriate technical and organizational measures that are designed to ensure a level of security appropriate to risk and the nature of the information and that are further designed to protect Personal Data from unauthorized access, destruction, use, modification or disclosure in accordance with Data Protection Laws. Such technical and organizational measures are set forth in Annex 2. Further, Attentive shall require all Sub-processors to maintain an equivalent standard of security measures when Processing any Personal Data, taking into account the specific Processing that is being carried out by those Sub-processors.
b. Attentive shall assist the Customer in ensuring compliance with the obligations pursuant to Article 32 of the GDPR relating to security of processing, taking into account the nature of the processing and the information available to Attentive.
6. Assessments and Audits
a. Attentive Obligations. Attentive shall, in accordance with Data Protection Laws, make available to Customer such information in Attentive’s possession or control as Customer may reasonably request with a view to demonstrating Attentive’s compliance with its obligations pursuant to this DPA.
b. Attentive may fulfill Customer’s right of audit under Data Protection Laws by providing:
- i. an audit report not older than twelve (12) months, prepared by an independent external auditor, describing and documenting Attentive’s technical and organizational measures, made available at security.attentivemobile.com;
- ii. additional information in Attentive’s possession or control, to the extent such information is required by Customer to comply with Data Protection Laws; and
- iii. to the extent the information made available under the preceding clauses is insufficient such that Customer would violate Data Protection Laws, Attentive shall enable Customer to request an audit, no more than once annually, to verify Attentive’s compliance with its obligations under this DPA. If the Parties agree that an audit is appropriate, the Parties will agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under this Section. Whenever possible, evidence for such an audit will be limited to the evidence collected for Attentive’s most recent third-party audit. All reasonable fees incurred by Attentive shall be reimbursed by Customer.
7. Security Incident
a. Security Incident Procedure. Attentive will deploy and follow policies and procedures designed to detect, respond to, and otherwise address Security Incidents, including procedures designed to: (i) identify and respond to suspected or known Security Incidents; (ii) investigate Security Incidents and reasonably cooperate with Customer’s (and any law enforcement or regulatory official’s) investigation of a Security Incident; (iii) mitigate the harmful effects of Security Incidents; and (iv) restore the availability of or access to Personal Data in a timely manner.
b. Notice. Attentive shall provide notice to Customer promptly and without undue delay after Attentive becomes aware that a Security Incident has taken place. Such notice will include the information available to Attentive and required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or to individuals affected by the Security Incident.
8. Data Subject Requests, Regulator and Government Requests, and Prior Consultation
a. Personal Data Request. Attentive shall provide notice promptly and in any event within any timeframe required by Data Protection Laws to Customer of any Privacy Requests or privacy-related complaints from Data Subjects received by Attentive or any Sub-processor. At Customer’s request and without undue delay, Attentive agrees to assist Customer in answering or complying with any Privacy Requests, including by taking reasonable steps to ensure the compliance of any Sub-processor and by appropriate technical and organizational measures in accordance with Article 28(3)(e) of the GDPR.
b. Government Disclosure and Regulator Requests. Attentive shall provide prompt written notice and full details to Customer of any request for disclosure of or access to Personal Data (“Access Request”) or any other notices, complaints or enforcement actions related to Personal Data that have been submitted or brought by a governmental or regulatory body or law enforcement authority, including any data protection supervisory authority, unless otherwise prohibited by law or a legally binding order of such body or agency. Attentive shall, where possible, seek to refer all such Access Requests to the Customer for the Customer to assume conduct of and respond to, or Attentive shall otherwise challenge all such Access Requests by all reasonable means.
c. Prior Consultation. Attentive shall provide reasonable assistance to Customer in relation to a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
9. Data Disposal
a. Disposal upon Termination. After notification from Customer that Customer seeks to terminate use of all Services, Attentive shall at the Customer’s option delete or provide to Customer all Personal Data, including existing copies, from its possession or control in accordance with Data Protection Laws. Attentive shall comply with this instruction as soon as reasonably practicable. This requirement shall not apply to the extent Attentive is required by applicable law to retain some or all records that include Personal Data. Upon request, Attentive shall provide written certification to Customer that it has destroyed or otherwise disposed of Personal Data. If Attentive is prevented from destroying Personal Data due to applicable law, it shall retain such Personal Data for this limited purpose and shall comply with its relevant obligations, subject to the terms and restrictions of this DPA.
Annex 2 to the DPA: Technical and Organizational Measures
The following sections define Attentive’s current technical and organizational measures. Attentive may change these at any time on reasonable written notice so long as it maintains a comparable or better level of security.
Administrative Safeguards
1. Security Program. Attentive shall designate an information security team that shall identify reasonably foreseeable internal and external risks, assess the sufficiency of safeguards, and adjust the security program based on business changes. Such team shall review risks and prioritize security-related projects and initiatives.
2. Security Policies. Information security policies shall be made available to relevant personnel and reviewed periodically.
3. Hiring. When legally permissible, candidates shall undergo a background check prior to hiring. Attentive shall require all new personnel to review and agree to Attentive’s information security and confidentiality policies during Attentive’s onboarding process.
4. Training. Attentive shall train individuals that have access to Personal Data concerning appropriate privacy and security practices and compliance with the terms hereof, Data Protection Laws and Attentive’s obligations under the DPA. Attentive shall also provide mandatory information security training on an annual basis to designated personnel.
Physical Safeguards
5. Access Control. Attentive’s facilities are secured with a building access control system and all ingress and egress doors are secured with badge readers, which log access. Unauthorized persons shall be prevented from gaining access to premises, buildings or rooms where data processing systems that Process Personal Data are located. Exceptions may be granted to third-party auditors for the purpose of auditing the facilities.
- Networking and other required equipment is secured in areas restricted only to personnel that require access to provide the Service to Customer.
- Video surveillance is implemented at all ingress and egress locations.
- Reception staff are present during business hours at Attentive’s facilities.
- Visitor access processes are implemented and visitor access is controlled and logged.
6. Termination of Access Controls. Attentive shall terminate access to Personal Data when it is no longer needed to perform Services for Customer. Documented processes are in place for offboarding of such users.
7. Data Destruction. Attentive shall securely destroy or return Personal Data in accordance with the DPA when it is no longer needed to perform Services for Customer.
- Locked shred bins shall be placed in Attentive’s facilities for disposal of hard copy materials that contain Personal Data.
- Equipment that contains Personal Data shall be erased prior to recycling so that the data cannot be read or reconstructed.
Technical Safeguards
8. Data Access Controls. Attentive has policies and procedures in place designed to ensure that access to data is within a particular employee’s scope of duty and access to data and systems is appropriately based on job function (such as by requiring unique IDs and passwords for all users, periodic review of access, and revoking/changing access promptly when employment terminates or changes in job functions occur).
9. User IDs and Passwords. Attentive shall require each individual that has access to Personal Data to use a unique user ID which must not be shared, and select a strong password (in accordance with applicable industry standards).
10. Antivirus. Attentive shall require that each employee’s Attentive-managed workstation on which Personal Data is stored, or from which Personal Data may be accessed, has a functioning and updated antivirus program.
11. Firewalls. Attentive shall comply with written procedures requiring that any computer on which Personal Data is stored, or from which it may be accessed, is behind a firewall and encrypted.
12. Security Patches. Attentive shall have procedures designed to ensure that the operating system and software of each computer on which Personal Data is stored, or from which it may be accessed, has been updated to include patches that relate to security vulnerabilities. System updates and security patches are deployed on a regular basis. Updates rated as critical shall be evaluated for impact and deployed on an accelerated timeline.
13. System Security. Attentive’s computers and systems shall be configured to automatically lock after a period of inactivity and a unique password shall be required to unlock such computer or system.
- Core business systems are backed up and encrypted, where applicable.
- Wireless networks are encrypted and require two-factor authentication.
14. Incident Response. Attentive shall comply with a written procedure for responding to Security Incidents and shall regularly test and monitor the effectiveness of key controls, systems and procedures designed to prevent and detect Security Incidents. Security and operations teams shall maintain continuous support of Attentive’s systems and services.
- Attentive’s Security Incident procedure shall be reviewed at least annually.
15. Vulnerability Management. Vulnerability scans are conducted on a regular basis against Attentive’s critical infrastructure. Vulnerabilities are regularly reviewed and prioritized for remediation based on severity.
16. Testing. Attentive’s security testing includes manual and automated penetration testing of primary application components, both unauthenticated and authenticated, to identify vulnerabilities. Additionally, Attentive monitors several vulnerability/threat intelligence feeds for up-to-date information about current general security issues, technology-specific vulnerabilities, and patch release information.
17. Encryption. Attentive utilizes commercially available and industry standard encryption technologies for Personal Data that is:
- being transmitted by Attentive over public networks (i.e., the Internet) or when transmitted wirelessly; or
- at rest, using AES-256 transparent database encryption for its production relational databases hosting customer data.
18. Resilience and Business Continuity. Attentive uses multiple AWS regions and availability zones for business continuity and disaster recovery purposes, as well as a tested regular back-up and restoration process.
Additional Supplementary Measures
Attentive further commits to implementing supplementary measures based on guidance provided by applicable supervisory authorities in order to enhance the protection of Personal Data in relation to the processing in a Third Country, as described below:
Additional Organizational Measures
1. Internal Governance. Development of specific training procedures for personnel in charge of managing requests for access to Personal Data from public authorities, which shall be updated to reflect new legislative and jurisprudential developments.
2. Transparency. Regular publication of transparency reports or summaries regarding governmental requests for access to Personal Data, insofar as publication is not prohibited by applicable law.
Additional Contractual Measures
3. Access Requests. In case of any Access Request, Attentive shall inform the requesting public authority of the incompatibility of the order with the safeguards contained in Data Protection Laws and the resulting conflict of obligations for Attentive. Attentive further agrees to review, under the laws of the country of destination, the legality of the Access Request, notably whether it remains within the powers granted to the requesting public authority, and to exhaust all available remedies to challenge the request. When challenging a request, Attentive shall seek interim measures with a view to suspending the effects of the request until the court has decided on the merits.
Annex 3 to the DPA: List of Sub-processors
For Attentive’s list of Sub-processors, please see security.attentivemobile.com.