Data processing addendum
This Data Processing Addendum (the “Addendum”) amends the Terms of Service of the Voximplant Master Subscription Agreement available via https://voximplant.com/legal/tos (the “Agreement”) by and between ZINGAYA, INC., D/B/A VOXIMPLANT (“Voximplant” or the “PIP”), a corporation duly organized and existing under and by virtue of the laws of Delaware, United States, with principal office address at 594 Broadway, Suite 701, 10012, New York City, New York, United States of America and the undersigned Customer/Client of Voximplant.
This Addendum will be effective as of the date we receive a complete and executed Addendum from the Customer/Client indicated in the signature block below (the “Effective Date”). This Addendum shall apply to personal data processed by Voximplant on Customer/Client behalf in the course of providing the Service to Customer/Client (“Customer Personal Data”). The term of this Addendum corresponds to the duration of the Agreement.
Customer and Voximplant may hereinafter be referred to collectively as “Parties” or individually as “Party”,
WHEREAS Customer and VOXIMPLANT enter into the Agreement pertaining to a defined and workable framework upon which the Parties wish to engage and enter into a partnership;
WHEREAS, the Parties acknowledge that the Data Subjects have express rights under the DPA that provide for protection and confidentiality of their Personal Data;
NOW, THEREFORE, for and in consideration of the foregoing premises and mutual covenants herein contained, the Parties hereby agree to bind themselves, as follows:
This DPA has been pre-signed on behalf of Voximplant as the data processor/importer.
To complete this DPA, Customer must:
1. Where applicable, complete the information as data exporter on Pages 4, 7, 12, 13 and sign Pages 6, 11 (if applicable), 12, 13.
2. Send the completed and signed DPA to Voximplant by email at firstname.lastname@example.org.
Upon Voximplant’s receipt of the validly completed DPA, this DPA will become legally binding.
The following terms shall have the respective meaning whenever they are used in this Addendum:
A. Consent – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the Data Subject to do so;
B. Data Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
C. Data Protection Officer – refers to an individual designated by a Party to be accountable for compliance with the DPA and Applicable Law;
D. Data Subject – refers to an individual whose personal, sensitive personal, or privileged information is processed;
E. Personal Data – refers to either of the following:
1. Personal Information – refers to any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual; or
2. Sensitive Personal Information – refers to personal information:
i. About an individual's race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;
ii. About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
iii. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
iv. Specifically established by an executive order or an act of Congress to be kept classified.
F. Personal Information Controller (“PIC”) – refers to the party who controls the processing of personal data, or instructs another to process Personal Data on its behalf. There is control if the party decides on what information is collected, or the purpose or extent of its processing;
G. Personal Information Processor (“PIP”) – refers to any natural or juridical person or any other body to whom a Personal Information Controller may outsource or instruct the processing of Personal Data pertaining to a Data Subject;
H. Personnel – shall refer to the employees, officers, agents, or otherwise acting under the authority of the Personal Information Processor and the Personal Information Controller;
I. Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system;
J. Security Breach – refers to any unauthorized, unlawful or accidental access, processing, disclosure, alteration, loss, damage, or destruction of Personal Data whether by human or natural causes.
Client will share, provide, or disclose to Voximplant, Personal Data which is in the possession and control of Client pertaining to its clients for the purpose of communication related services.
The PIC with regard to the Personal Data in their original possession, is responsible for ensuring that it collects Personal Data lawfully and in accordance with the requirements of the DPA, and the “Schedule A” and “Appendix 1”, if applicable, each of which is incorporated into, and made a part of, this Addendum.
Prior to collection or sharing of Personal Data, a PIC shall be responsible for obtaining the necessary Consent of the Data Subject over the collection of Personal Data and of apprising the Data Subject with the nature, purpose, and extent of the processing of his or her Personal Data, including the risks and safeguards involved, the identity of the PIC, his or her rights as a data subject, and how these can be exercised.
The PIC shall be responsible for the accuracy, quality, and legality of Personal Data and the means by which they acquired them. The PIC hereby represents and warrants that it is compliant with the DPA and Applicable Law in relation to its collection of Personal Data, and in obtaining the Data Subjects’ Consent for the sharing of Personal Data with the PIP; and that it has in place appropriate administrative, physical, technical and organizational security measures that protect Personal Data from Security Breach.
The PIC shall be responsible for addressing any information request, or any complaint filed by a Data Subject and/or any investigation conducted by a governmental regulatory body. Provided, that the governmental regulatory body shall make a final determination as to which (PIC or PIP) is liable for any breach or violation of the DPA or Applicable Law. The PIC shall be responsible in providing a copy of this Addendum if requested by the Data Subject in writing.
The PIP shall process the Personal Data only in accordance with this DPA, the attached “Schedule A”, which is incorporated into, and made a part of this DPA, and the other lawful, documented instructions of the PIC, except where otherwise required by Applicable Law. The Addendum, Schedule A and this DPA set out Client’s complete instructions to Voximplant in relation to the processing of the Personal Data and any processing required outside of the scope of these instructions will require prior written agreement between the parties.
The PIP shall not share Personal Data obtained from the PIC with any other party without the prior written permission/instruction of the PIC or process Personal Data in any way or for any purpose other than those set out in this Addendum. The PIP shall segregate the Personal Data from its own and its other clients’ data.
The PIC agrees that the PIP may engage PIP’s affiliates and certain third party sub-processors (collectively, “Sub-processors”) to process the Personal Data on the PIP’s behalf. Sub-processors may provide hosting services and may provide plug-in tools and services that enhance the PIP product offering. A list of Sub-processors currently engaged by the PIP may be found at https://voximplant.com/legal/subprocessors-list. The PIC approves the use of the Sub-processors listed at the URL as of the date of this Addendum.
The PIP shall provide the PIC with two (2) weeks prior notice if there are any additions to the list of Sub-processors. The PIP shall obtain from all Sub-processors the necessary assurances and guarantees that it has adequate administrative, physical, technical, organizational and procedural security measures to protect the Personal Data in view of the relevant risks. The PIP may terminate the Agreement if it objects to the addition of a new Sub-processor.
4. Categories of Personal Data and Purposes of Processing
The categories of Personal Data to be shared by PIC include the following:
● Organization name,
● Email address,
● Phone number,
● Billing address
● Mailing address,
● Credit card and payment details
● SIP and a proprietary telecommunications applications information
● Number of calls to and from a provided number
● Call length to and from a provided number
● Numbers calling or called by a provided number
● Call content and usage information
● Contact information associated with a corporate Client account.
● Certain identification necessary to obtain telephone numbers, such as photo ID
The PIP shall only process Personal Data for the purpose of providing the services under the Agreement and/or as identified in Schedule A.
The PIP shall implement appropriate security measures that ensure the availability, integrity, and confidentiality of Personal Data. The PIP shall implement reasonable and appropriate organizational, physical, technical, administrative, procedural and security measures to protect Personal Data against any Security Breach as prescribed in the DPA, its IRR, and circulars issued by a governmental regulatory body.
The PIP shall ensure that Personal Data is backed up on a regular basis and that any back up is subject to security measures as necessary to protect the availability, integrity and confidentiality of Personal Data.
The PIP undertakes that it will not, at any time, whether during the course of, or after the term of this Addendum, transfer, share, divulge, exploit, and modify any Personal Data to any person.
Voximplant is diligently seeking to complete the process to obtain the applicable ISO 27001 certifications. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Voximplant shall make available to Customer a copy of Voximplant’s then most recent third-party audits or certifications, as applicable.
Each party shall take steps to ensure that any person acting under its authority and who has access to Personal Data, does not process them except for purposes of this Data Processing Addendum or as required by law.
Each Party shall ensure that access to Personal Data is limited only to its officers, employees, agents or representatives who need access only for purposes of this Data Processing Addendum.
Each Party shall ensure that its officers, employees, agents or representatives engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to obligations of confidentiality and such obligations survive the termination of that officer’s, employees’, agents’ or representatives’ engagement or relationship with each Party.
Each Party shall take reasonable steps to ensure the reliability of any of its officers, employees, agents or representatives who have access to Personal Data, which shall include ensuring that they all understand the confidential nature of the Personal Data; and have received appropriate training in data protection prior to their access or Processing of Personal Data, and have agreed that they understand and will act in accordance with their responsibilities for confidentiality under this Data Processing Addendum.
8. Data Subject Access Rights
Data Subjects have a right to see what Personal Data is held about them, and to know why and how it is processed.
The PIC has an obligation to respond to these requests or complaints. If a data subject contacts the PIP to exercise a right under Applicable Law then the PIP will forward the request to the PIC. The PIC agrees to respond. Inquiry or request for Personal Data can be requested by submitting a written request with the following Data Protection Officers (or its equivalent):
Name of DPO: ................................................
Zingaya, Inc. d/b/a Voximplant:
Address: 594 Broadway, Suite 701, 10012, New York City, New York, USA.
The individuals listed in this section shall be the first port of call for questions about this Addendum, any complaint filed by the Data Subject and/or investigation by a governmental regulatory body. If there is a problem such as a potential Security Breach, the individuals listed in this section must be contacted.
Each Party shall rectify the complaint by any Data Subject within thirty (30) days from receipt of any such complaint. The Data Subject shall be given a response in writing describing how the complaint was rectified and how the situation complained of will be avoided moving forward.
9. Breach Management and Notification
Each Party shall implement policies and procedures for guidance of its personnel in the event of a Security Breach, including but not limited to:
A. A procedure for the timely discovery of Security Breach, including the identification of person or persons responsible for regular monitoring and evaluation of Security Breach;
B. A policy for documentation, regular review, evaluation and updating of the privacy and security policy and practices;
C. Clear reporting lines in the event of a possible Security Breach, including the identification of the person responsible for setting in motion the Security Breach response procedure, and who shall be immediately contacted in the event of a possible or confirmed Security Breach;
D. Conduct of a preliminary assessment for purpose of:
1. Assessing the nature and scope of the Security Breach and the immediate damage;
2. Determining the need for notification of law enforcement or external expertise; and
3. Implementing immediate measures necessary to secure any evidence, contain the Security Breach and restore integrity to the Personal Data;
E. Evaluation of the Security Breach as to its nature, extent and cause, the adequacy of safeguards in place, immediate and long-term damage, impact of the breach, and its potential harm and negative consequences to Personal Data and affected Data Subjects;
F. Procedures for contacting law enforcement in case Security Breach involves possible commission of criminal acts;
G. Conduct of investigations that will evaluate fully the Security Breach;
H. Procedures for immediately notifying the PIC when the Security Breach is subject to notification requirement; and
I. Measures and procedures for mitigating the possible harm and negative consequences to the PIC and the affected Data Subjects in the event of a Security Breach. Each Party must be ready to provide assistance to the Data Subjects whose Personal Data may have been affected.
The Parties shall have the manpower, system, facilities and equipment in place to properly monitor access to Personal Data, and to monitor and identify a Security Breach.
If a party becomes aware of any Security Breach on its personnel, premises, facilities, system, or equipment, it shall: (a) notify the other Party of the Security Breach; (b) investigate the Security Breach and provide the other Party with information about the Security Breach; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
The Parties shall cooperate with each other on incident investigation requirements for any Security Breach of Personal Data. Each Party shall send the written notification or notification to their DPO counterpart via e-mail of any Security Breach to the other within twenty-four (24) hours from knowledge or discovery thereof.
Upon receipt, confirmation and knowledge of the security breach, the DPO shall notify the required governmental regulatory body and the affected Data Subject within seventy-two (72) hours.
The Party who was notified of a Security Breach may require the other Party to provide further details and actions taken on the Security Breach.
10. Duration of this Addendum
Upon termination or expiry of Voximplant Master Subscription Agreement or upon the termination of the provision of data processing services and upon the written request of PIC, PIP shall immediately cease any Processing of Personal Data.
11. Retention of Personal Data
Personal Data should only be processed for as long as is necessary. Processing of Personal Data should be limited accordingly and for a period no longer than the term of this Addendum. Specific justification for processing of Personal Data beyond said period is required.
The PIC recognizes that the PIP may be required Personal Data to be retained for further use in the near future.
If a complaint is received about the accuracy of Personal Data which affects personal and/or sensitive personal information shared with the other Party, an updated replacement Personal Data will be communicated to the other Party. The other Party must replace the out of date data with the revised data.
12. Return or Destruction of Personal Data
Upon expiration or termination of the Agreement or this Addendum, whichever comes first, the PIP, unless otherwise required by applicable laws, shall perform the following within thirty (30) days from date of said expiration or termination:
a. Return all Personal Data of Data Subjects in any recorded form including any other property, information, and documents provided by the PIC;
b. Destroy all copies it made of Personal Data and any other property, information and documents if requested by the PIC. For print out or other tangible formats, the document will be shredded. For data in electronic form, the document must be deleted, wiped, overwritten or otherwise made irretrievable; and
c. Deliver to the PIC a certificate confirming PIP’s compliance with the return or destruction obligation under this section, if requested by the PIC.
13. Entire Agreement
This Addendum constitutes the entire agreement between the parties with respect to the subject matter hereof. It excludes and supersedes everything else which has occurred between the Parties whether written or oral, including all other communications with respect to the subject matter hereof.
This Addendum may not be amended or modified except in writing and consented to by both Parties.
15. Separability Clause
If any provision of this Addendum is illegal or unenforceable, its invalidity shall not affect the other provisions of this Addendum that can be given effect without the invalid provision. If any provision of this Addendum does not comply with any law, ordinance or regulation, such provision to the extent possible shall be interpreted in such a manner to comply with such law, ordinance or regulation, or if such interpretation is not possible, it shall be deemed to satisfy the minimum requirements thereof.
This Addendum may be executed in two or more counterpart copies, each of which shall be deemed to be an original, but all of which shall constitute the same agreement.
Either Party shall not assign or delegate its rights or obligations under this Addendum, in whole or in part, to any third party by operation of law or otherwise, without the prior written consent of the other. Any attempted assignment or delegation that does not comply with this section shall be null and void and of no effect.
18. Non-Waiver of Rights
The failure of a Party to insist upon a strict performance of any of the terms, conditions and covenants hereof, shall not be deemed a relinquishment or waiver of any right/remedy that said Party may have, nor shall it be construed as a waiver of any subsequent breach of the same or other terms, conditions and covenants. Any waiver, extension or forbearance of any of the terms, conditions and covenants of this Addendum by any Party hereto shall be in writing and limited to the particular instance only and shall not in any manner be construed as a waiver, extension or forbearance of any of the terms, conditions and/or covenants of this Addendum.
19. Legal Capacity of Representatives
Each Party represents and warrants to the other Party that its representative executing this Addendum on its behalf is its duly appointed and acting representative and has the legal capacity required under the applicable law to enter into this Addendum and bind it.
20. Governing Law and Venue
This Addendum shall be governed by and construed in accordance with the laws of the State of New York in the United States, without regard to any conflicts of law rules. Exclusive jurisdiction over and venue of any suit arising out of or relating to this Addendum shall be in the courts of the State of New York, USA. The Parties hereby consent and submit to the exclusive jurisdiction and venue of those courts.