EU DATA PROCESSING ADDENDUM

Last Updated: April 21, 2019

INTRODUCTION

This Data Processing Addendum (this “DPA”) together with the Terms of Service (the “Terms”) and Privacy Policy, form a single, binding agreement (this “Agreement”) between you (“you” or “User”) and ExpoIQ Inc. (along with its affiliated companies, “we,” “us” or “ExpoIQ”). By using or accessing the Services (as defined below), you agree to be bound by this Agreement.
IF YOU DO NOT ACCEPT THIS AGREEMENT, WE DO NOT GRANT YOU ANY LICENSE OR USE RIGHTS HEREUNDER, AND YOU MUST NOT USE OR ACCESS THE SERVICES.

DEFINITIONS

Below are definitions of some of the important terms we use in this DPA. In addition, some terms are defined within the text of the DPA. If you see terms in this document that are capitalized but not defined, they have the definitions given to them in either the Terms of Service or Privacy Policy, unless otherwise specified.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
“Agent” means any of your employees, contractors or other individuals or entities authorized to interact with the Services on your behalf.
“Content” means any information, text, images, photos, audio, video, data, and any other materials that are sent, uploaded or otherwise transmitted to the Services by you, your Agents, or your Customers.
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Privacy Directive” means Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under this Agreement, including, where applicable, EU Data Protection Law.
“data subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“EEA” means the European Economic Area.
“e-Privacy Directive” means Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“EU Data Protection Law” means, to the extent applicable to User Controlled Data, any data protection or data privacy law or regulation of Switzerland or any country in the European Economic Area, including (i) prior to 25 May 2018, the Data Privacy Directive and, on and after 25 May 2018, the GDPR; and (ii) the e-Privacy Directive.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which is commonly called the General Data Protection Regulation.
“personal data” means any information relating to a “data subject” (as defined above).
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016) 4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016) 4176 of 12 July 2016 (as may be amended, superseded or replaced).
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to User Controlled Data.
“Services” means any product or service provided by ExpoIQ pursuant to this Agreement.
“Subprocessors” means the other processors that are used by ExpoIQ to process personal data.
“User Controlled Data” means the personal data in the Content that ExpoIQ processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. User Controlled Data does not include personal data when controlled by us, including without limitation certain data we collect (e.g. IP address and device/browser details) with respect to third parties’ interaction with you on the Services.

RELATIONSHIP TO OTHER PARTS OF THIS AGREEMENT

Conflicting Provisions

Except for the changes made by this DPA, the other parts of this Agreement remain unchanged and in full force and effect. If there is any conflict between this DPA and other parts of this Agreement, this DPA shall prevail to the extent of that conflict.

Claims

Any claims brought under or in connection with this DPA shall be subject to the Terms of Service, including but not limited to the exclusions and limitations set forth therein.

Total Liability

User further agrees that any regulatory penalties incurred by ExpoIQ in relation to User Controlled Data that arise as a result of, or in connection with, User’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count towards and reduce ExpoIQ’s liability under this Agreement pursuant to the limitations on liability set forth in the other parts of this Agreement.

Enforcing Parties

No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

Governing Law

This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions of the Terms, unless required otherwise by applicable Data Protection Laws.

APPLICATION OF THIS DPA

This DPA applies where, and only to the extent that, ExpoIQ processes User Controlled Data that (1) originates from the EEA or Switzerland or (2) is otherwise subject to EU Data Protection Law, and where ExpoIQ conducts such processing on behalf of User as a processor in the course of providing Services pursuant to this Agreement.

PROCESSING ROLES AND ACTIVITIES

User as Controller

As between ExpoIQ and User, User is controller of User Controlled Data, and ExpoIQ shall process User Controlled Data only as a processor acting on behalf of User.

User Processing

User agrees that (1) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of User Controlled Data and any processing instructions it issues to ExpoIQ; and (2) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for ExpoIQ to process User Controlled Data and provide the Services pursuant to this Agreement.

ExpoIQ Processing of User Controlled Data

ExpoIQ shall process User Controlled Data only for the purposes described in this Agreement and only in accordance with User’s documented, lawful instructions. The parties agree that this DPA together with the rest of this Agreement set out User’s complete and final instructions to ExpoIQ in relation to the processing of User Controlled Data, and that processing outside the scope of these instructions (if any) shall require prior written agreement between User and ExpoIQ.

ExpoIQ as Controller

ExpoIQ may also be an independent controller for some personal data relating to you or your Customers. Please see our Privacy Policy and Terms of Service for details about the personal data that we control. For clarity, any such data does not fall under the definition of User Controlled Data. We decide how to use and process such personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, you will receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.

Details of Data Processing

  • (1) Subject matter. The subject matter of the data processing under this DPA is User Controlled Data.
  • (2) Duration. As between ExpoIQ and User, the duration of the data processing under this DPA is until the termination of this Agreement in accordance with its terms.
  • (3) Purpose. The purpose of the data processing under this DPA is the provision of the Services to User and the performance of ExpoIQ's obligations under this Agreement (including this DPA) or as otherwise agreed by the parties.
  • (4) Nature of the Processing. ExpoIQ provides email messaging, analytics technology and other related services, as described in this Agreement.
  • (5) Categories of Data Subjects. Users and End Users are the data subjects contemplated by this DPA.
  • (6) Types of User Controlled Data. Users may control multiple types of personal data, including, without limitation: identification and contact data (name, date of birth, gender, occupation or other general demographic information, address, title, contact details, including email address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).

Data Used for ExpoIQ’s Legitimate Business Purposes

Notwithstanding anything to the contrary in this Agreement (including this DPA), User acknowledges that ExpoIQ shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, ExpoIQ is the controller of such data and accordingly shall process such data in accordance with the ExpoIQ Privacy Policy and Data Protection Laws.

Tracking Technologies

User acknowledges that in connection with the performance of the Services, ExpoIQ employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). User shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable ExpoIQ to deploy Tracking Technologies lawfully on, and collect data from, the devices of End Users (defined below) in accordance with and as described in the Privacy Policy.

SUBPROCESSING

Authorized Subprocessors

User generally authorizes ExpoIQ to engage Subprocessors to process User Controlled Data on User's behalf. The Subprocessors currently engaged by ExpoIQ and authorized by User are listed in Exhibit A.

Subprocessor Obligations

ExpoIQ shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect User Controlled Data to the standard required by the Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause ExpoIQ to breach any of its obligations under this DPA.

Changes to Subprocessors

ExpoIQ shall (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from User; and (ii) notify User (for which email shall suffice) if it adds Subprocessors at least ten (10) days prior to any such changes.
User may object in writing to ExpoIQ’s appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, User may suspend or terminate this Agreement (without prejudice to any fees incurred by User prior to suspension or termination).

DATA SECURITY

Security Measures

ExpoIQ shall implement and maintain appropriate technical and organizational security measures to protect User Controlled Data from Security Incidents and to preserve the security and confidentiality of User Controlled Data, in accordance with ExpoIQ's security standards described in this DPA and in the Privacy Policy.

Updates to Security Measures

User is responsible for reviewing the information made available by ExpoIQ relating to data security and making an independent determination as to whether the Services meet User’s requirements and legal obligations under Data Protection Laws. User acknowledges that the Security Measures are subject to technical progress and development and that ExpoIQ may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by User.

Confidentiality of Processing

ExpoIQ shall ensure that any person who is authorized by ExpoIQ to process User Controlled Data (including its employees, agents and contractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

Security Incident Response

Upon becoming aware of, and confirming the occurrence of, a Security Incident for which notification is required under applicable Data Protection Laws, ExpoIQ shall notify User without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by User.
In order to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, we will provide you with such information about the Security Incident as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information, such as any conflicting confidentiality obligations.
Our obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by ExpoIQ of any fault or liability of ExpoIQ with respect to the Security Incident. Notwithstanding the foregoing, ExpoIQ’s obligations under this paragraph do not apply to incidents that are caused by you or any activity on your Account, or which are caused by third-party services.

Assistance with User Responsibilities

  • (1) Basic User Responsibilities. Notwithstanding the above, User agrees that except as provided by this DPA, User is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of User Controlled Data when in transit to and from the Services and taking any appropriate steps to securely encrypt and backup any User Controlled Data uploaded to the Services.
  • (2) Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from any individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of your User Controlled Data that we process on your behalf and instructions.
  • (3) Cooperation with User Response Efforts. The Services provide User with a number of controls that User may use to retrieve, correct, delete or restrict User Controlled Data, which User may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that User is unable to independently access the relevant User Controlled Data within the Services, ExpoIQ shall (at User's expense) provide reasonable cooperation to assist User to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under this Agreement. In the event that any such request is made directly to ExpoIQ, ExpoIQ shall not respond to such communication directly without User's prior authorization, unless legally compelled to do so. If ExpoIQ is required to respond to such a request, ExpoIQ shall promptly notify User and provide it with a copy of the request unless legally prohibited from doing so.
  • (4) Government Requests for User Controlled Data. If a law enforcement agency sends ExpoIQ a demand for User Controlled Data (for example, through a subpoena or court order), ExpoIQ shall attempt to redirect the law enforcement agency to request that data directly from User. As part of this effort, ExpoIQ may provide User’s basic contact information to the law enforcement agency. If compelled to disclose User Controlled Data to a law enforcement agency, then ExpoIQ shall give User reasonable notice of the demand to allow User to seek a protective order or other appropriate remedy unless ExpoIQ is legally prohibited from doing so.
  • (5) Impact Assessments. To the extent ExpoIQ is required under EU Data Protection Law, ExpoIQ shall (at User's expense) provide reasonably requested information regarding the Services to enable User to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

COMPLIANCE VERIFICATION

Upon reasonable request, ExpoIQ will verify its compliance with this DPA, provided that User shall not exercise this right more than once per year.

INTERNATIONAL TRANSFERS

You authorize us to transfer your User Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer your User Controlled Data to the United States. We will transfer User Controlled Data outside of Switzerland and the EEA using the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks or another lawful data transfer mechanism that is recognized under EU Data Protection Law as providing an adequate level of protection for such data transfers.

RETURN OR DELETION OF DATA

Upon termination or expiration of this Agreement, ExpoIQ shall (at User's election) delete or return to User all User Controlled Data (including copies) in its possession or control, save that this requirement shall not apply to the extent ExpoIQ is required by applicable law to retain some or all of User Controlled Data, which User Controlled Data ExpoIQ shall securely isolate and protect from any further processing, except to the extent required by applicable law.