U.S. Privacy Law Addendum

This United States Privacy Law Addendum (the “Addendum”) supplements the Terms entered into by and between Customer and Outbound (and, together, the “Parties”). This Addendum includes the terms of the Terms. Any capitalized terms that are used but not defined herein shall have the definitions set forth in the Terms. Where there is a conflict between the Terms and this Addendum, this Addendum will control.

1. Definitions

1.1 “Authorized Subprocessor” means a third-party entity engaged by Outbound to process Personal Data in order to provide the Services and that has been approved by Customer in accordance with Section 6.

1.2 “Outbound Account Data” means personal data that relates to Outbound’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account.

1.3 “Outbound Usage Data” means Service usage data collected and processed by Outbound in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and similar data.

1.4 “Consumer” means a natural person whose Personal Data is protected by Privacy Laws.

1.5 “Consumer Request” means a request from a Consumer to exercise their rights over Personal Data afforded pursuant to Privacy Laws.

1.6 “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing Personal Data. “Controller” includes the term “Business” or equivalent term under Privacy Laws.

1.7 “Personal Data” means any information provided to Outbound by or on behalf of Customer in connection with the Services that relates to an identified or identifiable Consumer and constitutes “personal data,” “personal information,” or equivalent term under Privacy Laws.

1.8 “Privacy Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the processing of Personal Data. Privacy Laws include, but are not limited to, (i) U.S. state comprehensive privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”) and (ii) U.S. consumer health data privacy laws, such as the Washington My Health My Data Act (“MHMDA”), in each case as updated, amended or replaced from time to time. The terms “affiliates,” “business purpose,” “Controller,” “Personal Data Breach,” “Processor,” “process” or “processing,” “sell,” or “share,” shall have the meaning set forth for that or any equivalent term under Privacy Laws. For the avoidance of doubt, the terms “Controller” and “Processor” include “Business” and “Service Provider,” respectively, as defined in the CCPA.

2. Description of Processing.

2.1. Nature and Purpose of Processing: Except with respect to Outbound Account Data and Outbound Usage Data, Outbound shall process Personal Data provided by Customer under the Terms as necessary to provide the Services under the Terms, for the purposes specified in the Terms and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum. Such purposes shall include providing or facilitating the Services, such as creating or operating the Landing Pages.

2.2. Duration of Processing: Outbound shall process Personal Data provided by Customer as long as required (i) to provide the Services to Customer under the Terms, or (ii) by applicable law or regulation.

2.3. Categories of Consumers: Outbound may process Personal Data relating to the following categories of Consumers: Customer end-users or Customer’s prospective customers.

2.4. Categories of Personal Data: Outbound may process the following categories of Personal Data: any categories of data solicited in connection with the Customer’s use of the Services, including any fields that may be solicited from Customer end-users or Customer’s prospective customers on Landing Pages.

3. Customer’s Obligations.

Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Outbound to be in breach of the Privacy Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Outbound by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Outbound regarding the processing of such Personal Data. Customer shall not provide or make available to Outbound any Personal Data in violation of the Terms or otherwise inappropriate for the nature of the Services, and shall indemnify Outbound from all claims and losses in connection therewith.

4. Use of Personal Data.

Outbound shall not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data outside of Outbound’s direct business relationship with Customer or for any purpose other than to perform the Services and other obligations under the Terms, which constitutes a business purpose under the Privacy Laws, except as otherwise permitted in the Terms or by Privacy Laws; and (iii) combine Personal Data received from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another party or person, except as necessary to provide the Services or as otherwise instructed by Customer.

5. Audit.

To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Outbound shall either (i) make available for Customer’s review copies of certifications or reports demonstrating Outbound’s compliance with prevailing data security standards applicable to the processing of Personal Data provided by Customer under the Terms, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third-party representative to conduct an audit or assessment of Outbound’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Outbound’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Outbound for any time expended for on-site audits. To the extent permitted under Privacy Laws, if Customer determines that Outbound is processing Personal Data in an unauthorized manner, Customer may, taking into account the nature of Outbound’s processing and the nature of the Personal Data processed by Outbound on behalf of Customer, and upon providing prior written notice, take commercially reasonable and appropriate steps to stop and remediate such unauthorized processing.

6. Authorized Subprocessors.

6.1 A list of Outbound’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto (see Exhibit A), at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by Outbound from time to time. Outbound may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the processing of Personal Data, Outbound will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Outbound within ten (10) days of receipt of the aforementioned notice to Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. If Customer does not object during this period, that third party will be deemed an Authorized Subprocessor. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent Outbound from offering the Services to Customer.

6.2 If Customer reasonably objects to an engagement in accordance with Section 6.1, and Outbound cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Outbound. Discontinuation shall not relieve Customer of any fees owed to Outbound under the Terms.

6.3 Outbound will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Outbound under this Addendum with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with Outbound, Outbound will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.

7. Confidentiality and Security of Personal Data.

7.1 Outbound shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Outbound’s confidentiality obligations in the Terms. Customer agrees that Outbound may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this Addendum, the Terms, or the provision of Services to Customer.

7.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Outbound shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data.

8. Personal Data Breach.

8.1 In the event of a Personal Data Breach, Outbound shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Outbound in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach, to the extent that remediation is within Outbound’s reasonable control.

8.2 In the event of a Personal Data Breach, Outbound shall, taking into account the nature of the processing and the information available to Outbound, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Privacy Laws with respect to notifying (i) the relevant regulatory agency and (ii) Consumers affected by such Personal Data Breach without undue delay.

8.3 The obligations described in Sections 8.1 and 8.2 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Outbound’s obligation to report or respond to a Personal Data Breach under Sections 8.1 and 8.2 will not be construed as an acknowledgement by Outbound of any fault or liability with respect to the Personal Data Breach.

9. Data Protection Assessments.

Taking into account the nature of Outbound’s processing and the information available to Outbound, Outbound shall reasonably cooperate with Customer to conduct any data protection or privacy impact assessments as required by Privacy Laws, including by providing Customer with information and documents necessary for such assessments that Customer cannot otherwise obtain without Outbound’s assistance. Notwithstanding the foregoing, Customer and Outbound each remain responsible only for the measures respectively allocated to them under Privacy Laws pertaining to any such assessment.

10. Consumer Request.

Outbound shall, to the extent permitted by Privacy Laws, notify Customer upon receipt of a Consumer Request. If Outbound receives a Consumer Request in relation to Personal Data, Outbound will advise the Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Consumer Requests are communicated to Outbound, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.

11. Return or Destruction of Personal Data.

Upon the termination or expiration of the Terms, at Customer’s choice, Outbound shall return or delete Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Outbound shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.

12. Outbound’s Role as a Controller.

The parties acknowledge and agree that with respect to Outbound Account Data and Outbound Usage Data, Outbound is an independent controller, not a joint controller with Customer. Outbound will process Outbound Account Data and Outbound Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Outbound’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Outbound is subject; and (vi) as otherwise permitted under Privacy Laws and in accordance with this DPA and the Terms. Outbound may also process Outbound Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Privacy Laws. Any processing by Outbound as a controller shall be in accordance with Outbound’s privacy policy.

Exhibit A

| Name of Authorized Subprocessor | Address | Contact Person Name, position, contact information | Description of processing | Country in which subprocessing will take place |
| --- | --- | --- | --- | --- |
| Amazon Web Services | Amazon Web Services, Inc, 410 Terry Avenue North, Seattle, WA 98109-5210, United States | ATTN: AWS Legal (via Data Privacy Center/compliance forms) | Cloud infrastructure and storage services | United States |
| CallRail, Inc. | 100 Peachtree St NW, Suite 2700, Atlanta, GA 30303 | privacy@callrail.com | Call Tracking & Recording | United States |
| Liquid Web, LLC | Liquid Web, LLC, 2660 Horizon Dr SE, Grand Rapids, MI 49546 | privacy@liquidweb.com | Web Hosting & Cloud Services | United States |
| My SEO Tool Inc (Agency Analytics) | My SEO Tool Inc, 134 Peter St, Unit #1302, Toronto ON, Canada M5V 2H2 | support@agencyanalytics.com | Analytics and Reporting | United States and Canada |