Data Processing Addendum

This Data Processing Addendum (“DPA”) is hereby incorporated into and governed by the terms of the Terms of Service (the “Agreement”) between Voiceflow (the "Company") and its end users (the "Customer") and applies to the extent that Company  processes Personal Data (as defined herein) on behalf of Customer in the performance of Services thereunder.

Because the Company’s Agreement already incorporates this DPA, you do not need to sign a separate copy. This DPA (and the applicable Standard Contractual Clauses, as defined below) contain legal terms that apply to personal information that may be contained in Customer input.

This DPA supplements the Agreement for the provision of Company’s services as set out in Annex I of Appendix A (the “
Company Offering” or “Offering”). In the event of any conflict between the Agreement and this DPA, the terms and conditions of this DPA shall control.  Except to the extent expressly superseded or modified in this DPA, the terms and conditions of the Agreement will apply to this DPA and remain in full force and effect.          

Definitions    
Controller to Processor SCC” means the Module Two (transfer controller to processor) of the European Commission Implementing Decision (EU) 2021/914, as applied in accordance with Appendix A

Personal Data” means any information relating to an identified or identifiable individual transferred by Customer or its permitted agents to Company in performance of or pursuant to the Agreement or this DPA, and any information relating to an identified or identifiable derived or otherwise created by Company in connection therewith.

Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as, but not limited to, collection, use, modification, retrieval, disclosure, storage, anonymization, deletion, and/or management.  

Processor to Processor SCCs” means the Module Three (transfer processor to processor) of the European Commission Implementing Decision (EU) 2021/914, as applied in accordance with Appendix A.

Privacy Laws” means all applicable laws and regulations governing the Processing or protection of Personal Data as amended, modified or replaced from time to time, including for example and without limitation the Personal Information Protection and Electronic Documents Act, SC 2000 c. 5 (“PIPEDA”), Regulation (EU) 2016/679 (“GDPR”) and Directive 2002/58/EC, the EU GDPR as saved into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss FADP”), and any implementing legislation or further particularising rules, orders or regulations.“

Standard Contractual Clauses” means where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the Transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), (the "EU SCCs").

Swiss Amendments” mean the Controller to Processor SCCs or the Processor to Processor SCCs (as applicable) with the following amendments: (i) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner, (ii) “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023, (c) the term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 (iii), (iv) the Controller to Processor SCCs also protect the data of legal entities until the entry into force of the Revised FADP, and (v) the FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

UK Addendum” means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force from 21 March 2022, available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as updated and/or replaced from time to time. For the purposes of the UK Addendum, (i) the information required for Table 1 is contained in Schedule 1 of this DPA, and the start date shall be the commencement of the Service; (ii) in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor where Company is acting as your Processor and Module Three for Processor to Processor where Company is acting as your sub-processor; (iii) in relation to Table 3, the list of parties and description of the transfer are as set out in Schedule 1 of this DPA, Company’s technical and organizational measures are set out in Schedule 1 of this DPA, and the list of Company's sub-processors is as provided in Section 8 of this DPA; and (iv) in relation to Table 4, neither party will be entitled to terminate the UK Addendum in accordance with clause 19 of Part 2 of the UK Addendum.

Data Processing and Security Responsibilities
Customer and Company shall each comply with all Privacy Laws that apply to it in relation to any Personal Data Processed in connection with this DPA, as set out in Annex I of Appendix A to this DPA.Customer agrees that it has:made and shall maintain all necessary registrations and notifications as required in order to permit Company to perform its obligations and exercise its rights under this DPA;obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Company to perform its obligations and exercise its rights under this DPA, and shall inform Company immediately if any such consents are withdrawn;ensured and shall continue to ensure that all Personal Data Processed by Company is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Company to perform its obligations and exercise its rights under this DPA; ensured and shall continue to ensure that there are valid legal bases to enable Company to Process Customer's Personal Data; Processed and will continue to Process the Personal Data in accordance with all applicable Privacy Laws.In the course of Processing Personal Data on behalf of Customer in connection with the Company Offering as set out in Annex I of Appendix A to this DPA, Company shall:only Process Personal Data for the purposes of rendering the Company Offering and as otherwise instructed by Customer in writing from time to time, and not Process any Personal Data in any other manner without the express prior written authorization of Customer unless required to do so by applicable law;immediately inform the Customer if, in Company’s opinion, any instruction received from the Customer infringes any Privacy Laws; not disclose (and not allow any of its employees, or permitted agents or representatives to disclose) any Personal Data to any third party without the prior written authorization of Customer unless required to do so under applicable law;where any disclosure, transfer or other Processing of Personal Data is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law, such as on important grounds of public interest); notify Customer in writing of any (i) enquiry received from  individuals relating to the individual’s right to access, update, correct, rectify, erase or restrict the processing of Personal Data or to exercise their right of data portability or an objection in accordance with Privacy Laws, (ii) complaint or correspondence received by Company relating to the Processing of Personal Data, and (iii) order, demand, warrant or any other document purporting to compel the production of any Personal Data, and provide reasonable assistance at Customer’s cost to facilitate Customer’s compliance with Customer’s obligations under Privacy Laws; implement appropriate physical, technical, administrative and organizational measures appropriate to the processing of the Personal Data in connection with the Company Offering (as further described in Annex II of Appendix A) as would allow Company to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services and to provide reasonable assistance at Customer's cost to ensure compliance with Customer's obligations to implement such security measures; limit access to Personal Data only to those employees and authorized agents of Company who need to have access to the Personal Data and solely for the purposes of Company rendering the Company Offering; ensure or cause each of the employees and permitted contractors of Company to agree in writing to keep and to protect the confidentiality and security of the Personal Data in accordance with the terms of this DPA, and otherwise properly advise and train each of its employees and permitted subcontractor of the requirements of Company under this DPA and applicable Privacy Law; andprovide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Privacy Laws to carry out a data protection impact assessment or to consult with the relevant supervisory authority in respect of any such data protection impact assessment.

Standard Contractual Clauses
Company and Customer agree that any transfer of Personal Data from Customer (as “data exporter”) to Company (as “data importer”) requires that appropriate safeguards are put in place in accordance with Privacy laws, the parties will be subject to the Standard Contractual Clauses (as attached hereto as Appendix A), which will be deemed incorporated into and form a part of this DPA.

Audit Rights
Company shall provide and Customer agrees to accept Company’s most current third-party certifications as may be relevant and available in respect of the Company Offering. Company shall provide Customer (or its representatives) with access to information necessary to demonstrate Company’s compliance with this DPA and to the records, facilities and premises of Company during business hours and upon at least 30 days’ advance notice in writing, at most once per year, for the purposes of verifying Company’s compliance with this DPA.

Subcontracting
Customer acknowledges and agrees that Company shall use sub-processors (including Company affiliates) to provide the Offering as set out in Annex III of Appendix A. Company shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Company under this DPA.  Company shall only retain sub-processors that Company can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Data. Where such sub-processors fail to fulfil their data protection obligations, Company shall remain fully liable to the Customer for the performance of those sub-processor’s obligations. Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex III of Appendix A, Company shall notify Customer of such sub-processors, whereupon Customer shall have 10 days to object to such appointment by providing detailed reasons for such objection to Company.

Security Breach Notification
Company shall notify Customer without undue delay upon Company becoming aware of any accidental or unlawful destruction, loss, alteration, theft, unauthorized access to, use, or disclosure of Personal Data Processed (“Privacy Breach”). Company shall reasonably cooperate with Customer in notifying individuals affected by a Privacy Breach and other parties in accordance with applicable law.

Termination
Upon the termination of the Agreement or at such other times as instructed by Customer in writing, Company shall either return or, upon the written instruction of Customer, securely dispose of the Personal Data and all existing copies. In the event applicable law does not permit Company to comply with the delivery or destruction of the Personal Data, Company warrants that it shall ensure the confidentiality of the Personal Data in accordance with applicable law.

Governing Law and Jurisdiction
This DPA and any action related thereto will be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflicts of law principles.

APPENDIX ASTANDARD CONTRACTUAL CLAUSES    
If there is a Restricted Transfer of personal data from Customer (as data exporter) to Company (as data importer), the parties will comply with the following requirements:

If the Restricted Transfer is an EU Restricted Transfer, then the EU SCCs shall apply on the following basis:

where Customer is a controller and Company is also a controller of the personal data transferred, Module One will apply; where Customer is a controller and Company is a processor of the personal data transferred, Module Two will apply; and where Customer is a processor and Company is also a processor of the personal data transferred (i.e. Customer processes the personal data on behalf of a third party controller), Module Three will apply;
in Clause 7, the optional docking clause will not apply;
for Modules Two and Three only, in Clause 9 (use of sub-processors), option 2 (general written authorisation) will apply, and the Company will:
provide a current list of agreed sub-processors; and
provide prior notice of any sub-processor changes in accordance with any notice period specified for sub-processor changes in the Agreement or, if no such period is specified, Company will provide seven (7) days' prior notice of any sub-processor changes;
in Clause 11, the optional redress language will not apply;
in Clause 17, Option 1 will apply (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland;
in Clause 18(b), the parties select the courts of Ireland;
in Annex I:
Part A shall be completed with the parties names, contact details and activities set out or otherwise described in the Agreement and this Addendum (with Customer acting as the data exporter, and the Company acting as the data importer), and execution of this Addendum shall be deemed execution of the EU SCCs;
Part B shall be completed with the relevant information set out in Annex I of this Addendum; and
Part C shall be the supervisory authority determined in accordance with the criteria set out in Clause 13(a) of the EU SCCs; and
Annex II: shall be deemed completed with the technical and organizational measures described in the Agreement.

If the Restricted Transfer is a UK Restricted Transfer, then the EU SCCs and UK Addendum shall apply on the following basis:
the EU SCCs, completed as set out above in section 1 above of this Appendix A apply between Customer and Company, and shall be modified by the UK Addendum completed as set out in sub-paragraphs (b) to (d) below;
Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in section 1 above of this Appendix A;
Table 4 of the UK Addendum shall be deemed checked "Importer"; and
the start date of the UK Addendum (as set out in Table 1) shall be the first date the Customer provides Personal Data to the Company.

If the Restricted Transfer is a Swiss Restricted Transfer, then the EU SCCs and the Swiss Amendments shall apply on the following basis:
the EU SCCs, completed as set out section 1 above of this Appendix A apply between Customer and Company, and shall be modified as set out in sub-paragraphs b. to i. below;
references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA;
references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;
references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" or "Swiss law" (as applicable);
the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the Swiss Federal Data Protection and Information Commissioner;
references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland";
in Clause 17, the EU SCCs shall be governed by the laws of Switzerland; and
the EU SCCs also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.

If the Restricted Transfer is a non-Adequate Country Restricted Transfer, then the EU SCCs shall apply on the following basis:
the EU SCCs, completed as set out above in section 1.1 above apply between Customer and Company, and shall apply on a mutatis mutandis basis.
In the event that any provision of this Addendum conflicts, directly or indirectly, with the New Standard Contractual Clauses, the New Standard Contractual Clauses shall prevail. For the purposes of this DPA, the “
New Standard Contractual Clauses” means, where the GDPR applies, the new or revised standard contractual clauses officially published by the European Commission.