Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service and Privacy Policy (“Agreement”) entered into by and between Smart Link PTY LTD, having its place of business at Suite 6/6-8 Hamilton Pl, Mount Waverley VIC 3149 and (___________________________) having its place of business (________________________________________________) (“Customer”) and shall be effective as of (_____________________) (“Effective Date”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Definitions
“Adequate Country” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data.
“Agreement” means Smart Link PTY LTD’s Terms of Use, which govern the provision of the Services to Customer, as such terms may be updated by Smart Link PTY LTD from time to time.
“Customer Data” means any Personal Data that Smart Link PTY LTD processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
“Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“Data Subject” means an identified or identifiable natural person.
“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.
“Personal Data” means any information relating to a Data Subject.
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Services” means any product or service provided by Smart Link PTY LTD to Customer pursuant to the Agreement.
“Sub-processor” means any Data Processor engaged by Smart Link PTY LTD to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
2. Relationship with the Agreement
2.1. The terms used in this Addendum shall have the meanings set forth in this Addendum.
2.2. The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Services.
2.3. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict so far as the subject matter concerns the processing of Customer Data.
2.4. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.
2.5. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Smart Link PTY LTD in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Smart Link PTY LTD’s liability under the Agreement as if it were liability to the Customer under the Agreement.
2.6. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.7. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Processing of Customer Data
3.1 Role of the Parties. As between Smart Link PTY LTD and Customer, Customer is the Data Controller of Customer Data, and Smart Link PTY LTD shall process Customer Data only as a Data Processor acting on behalf of Customer.
3.2 Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Smart Link PTY LTD; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Smart Link PTY LTD to process Customer Data and provide the Services pursuant to the Agreement and this DPA.
3.3 Smart Link PTY LTD Processing of Customer Data. Smart Link PTY LTD shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s instructions.
3.4 Details of Data Processing
(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
(b) Duration: As between Smart Link PTY LTD and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
(c) Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of Smart Link PTY LTD’s obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.
(d) Subject-Matter and nature of the processing: The subject-matter of Processing of Personal Data by Smart Link PTY LTD is the provision of the services to Customer that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement and an Order.
(e) Data Subjects: Customer’s contacts and other end users including Customer’s employees, contractors, collaborators, suppliers, subcontractors (collectively, “Users”), customers (“Subscribers”), and prospects.
(f) Types of Customer Data:
(i) Customer and Users: identification, publicly available social media profile information, e-mail, IT information (IP addresses, usage data, cookies data, browser data); financial information (credit card details, account details, payment information).
(ii) Subscribers: identification and publicly available social media profile information (name, date of birth, gender, geographic location), chat history, navigational data (including chatbot usage information), application integration data, and other electronic data submitted, stored, sent, or received by end users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion.
3.5 Acknowledgment.
Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Smart Link PTY LTD shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, Smart Link PTY LTD is the Data Controller of such data and accordingly shall process such data in accordance with the Smart Link PTY LTD Privacy Policy and Data Protection Laws.
3.6 Tracking Technologies.
Customer acknowledges that in connection with the performance of the Services, Smart Link PTY LTD employs the use of cookies, unique identifiers and similar tracking technologies.
4. Sub-processing
4.1 Authorized Sub-processors.
Customers agree that Smart Link PTY LTD may engage Sub-processors to process Customer Data. The Sub-processors currently engaged by Smart Link PTY LTD are listed in Annex A, and Customer hereby authorizes these specific Sub-processors.
4.2 Sub-processor Obligations.
Smart Link PTY LTD shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for the Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Smart Link PTY LTD to breach any of its obligations under this DPA.
4.3. Sub-processor List.
When requested by the Customer, Smart Link PTY LTD shall make available to Customer an up-to-date list of all Sub-processors used for the processing of Customer Data. Smart Link PTY LTD shall notify Customer (for which email shall suffice) if it adds or removes Sub-processors, at least 10 days prior to any such changes.
4.4. Objection.
Customer may object in writing to Smart Link PTY LTD’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. If Smart Link PTY LTD is reasonably able to provide the Services to Customer in accordance with the Agreement without using the Sub-processor and decides to do so, then Customer will have no further rights under this clause 4.4 in respect of the proposed use of the Sub-processor. If Smart Link PTY LTD requires use of the Sub-processor in its discretion and, after discussion by the parties of Customer’s concerns in good faith with a view to achieving resolution, is unable to satisfy Customer as to the suitability of the Sub-processor or the documentation and protections in place between Smart Link PTY LTD and the Sub-processor within ninety (90) days from Customer’s notification of objections, Customer may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the Agreement or the applicable Services (as Customer may decide) with at least thirty (30) days written notice. If Customer does not provide a timely objection to any new or replacement Sub-processor in accordance with this clause 4.4, Customer will be deemed to have consented to the Sub-processor and waived its right to object.
5. Security
5.1 Adequate Measures.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Smart Link PTY LTD shall, in relation to the Customer Data, implement and maintain throughout the term of this Addendum, the technical and organizational measures set forth in (the “Security Measures”).
5.2 Confidentiality of processing.
Smart Link PTY LTD shall ensure that any person who is authorized by Smart Link PTY LTD to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3 Customer Responsibilities.
Customer acknowledges and agrees that it has reviewed and assessed the Security Measures and deems them appropriate for the protection of Customer Data. Customer acknowledges that the Security Measures are subject to technical progress and development and that Smart Link PTY LTD may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Customer agrees that, except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials and protecting the security of Customer Data when in transit from the Service.
6. Data Subject Rights and Requests
Smart Link PTY LTD will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Customer to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Smart Link PTY LTD, Smart Link PTY LTD will inform Customer and will advise Data Subjects to submit their request to Customer. Customers shall be solely responsible for responding to any Data Subjects’ requests.
7. Data Breach
7.1 Notification of Data Breach.
Smart Link PTY LTD shall, to the extent permitted by law, notify Customer without undue delay upon Smart Link PTY LTD or any Sub-processor becoming aware of a Data Breach affecting Customer Data and will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Data Breach under the Data Protection Laws.
7.2 Assistance to Customers.
Smart Link PTY LTD shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Data Breach.
8. Data Transfers
8.1 Customer acknowledges and accepts that the provision of the Services under the Agreement may require the processing of Customer Data by sub-processors in countries outside the EEA.
8.2 If, in the performance of this DPA and/or the Agreement, Smart Link PTY LTD transfers any Customer Data to, or permits processing of Customer Data by, a Sub-processor located outside of the EEA and not in an Adequate Country, then, in advance of any such transfer, Smart Link PTY LTD shall ensure that the transfer is compliant with the EU Data Protection Laws.
9. Return or Deletion of Data
9.1 If you are a resident of the EEA, upon termination or expiration of the Agreement, Smart Link PTY LTD shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Smart Link PTY LTD is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Smart Link PTY LTD shall securely isolate and protect from any further processing, except to the extent required by applicable law.
10. General
10.1 This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
10.2 This DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Agreement, and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under this DPA.
10.3 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. Each party represents and warrants to the other that the performance of such party’s obligations hereunder have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.
Annex A
List of Sub-Processors
These Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; and provide incident tracking, response, diagnosis and resolution services.
- Amazon Web Services, Inc.
- Vultr, Inc.
- Facebook, Inc.
- Twilio
- 360Dialog
- Signalwire
- MessageMedia
- Telegram
- Slack
- Google Business Message
- Zapier
- Pabbly Connect
- Stripe, Inc
- Google Sheet
- Gmail
- Sendgrid
- Shopify
- Calendly
- Mailchimp
- Dialogflow
- MongoDB
Annex B
Security Measures
Personnel.
Smart Link PTY LTD’s personnel (employees and contractors) will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.
Technical and Organization Measures.
Smart Link PTY LTD has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
Organization of Information Security.
Confidentiality.
Smart Link PTY LTD’s personnel with access to customer data are subject to confidentiality obligations.
Risk Management.
Smart Link PTY LTD conducts regular testing and monitoring of the effectiveness of its safeguards, controls, systems, including conducting penetration testing. Smart Link PTY LTD implements measures, as needed, to address vulnerabilities discovered in a timely manner.
Storage.
Smart Link PTY LTD’s database and data processing servers are hosted in a data center located in Australia and operated by a third party vendor. Smart Link PTY LTD maintains complete administrative control over the virtual servers, and no third-party vendors have logical access to customer data.
Software Development and Acquisition:
For the software developed by Smart Link PTY LTD, Smart Link PTY LTD follows secure coding standards and procedures set out in its standard operating procedures.
Change Management:
Smart Link PTY LTD implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for Smart Link PTY LTD’s software, information systems or network architecture. These change management procedures include appropriate segregation of duties.
Third Party Provider Management:
In selecting third party providers who may gain access to, store, transmit or use customer data, Smart Link PTY LTD conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
Human Resources Security.
Smart Link PTY LTD informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.
Physical and Environmental Security.
(a) Physical Access to Facilities.
Smart Link PTY LTD limits access to facilities where information systems that process customer data are located to identified authorized individuals who require such access for the performance of their job function. Smart Link PTY LTD terminates the physical access of individuals promptly following the date of the termination of their employment or services or their transfer to a role no longer requiring access to customer data.
(b) Protection from Disruptions.
Smart Link PTY LTD uses commercially-reasonable systems and measures to protect against loss of data due to power supply failure or line interference.
Communications and Operations Management.
(a) Security Documents.
Smart Link PTY LTD maintains security documents describing its security measures and the relevant procedures.
(b) Data Recovery Procedures.
(i) On an ongoing basis, Smart Link PTY LTD maintains multiple copies of customer data from which it can be recovered.
(ii) Smart Link PTY LTD stores copies of customer data and data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.
(iii) Smart Link PTY LTD has procedures in place governing access to copies of customer data.
(iv) Smart Link PTY LTD has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data.
(c) Encryption: Mobile Media.
Smart Link PTY LTD uses HTTPS encryption on all data connections. Smart Link PTY LTD restricts access to customer data in media leaving its facilities. Smart Link PTY LTD further has a destruction policy for hardware in the data center that stores customer data.
(d) Event Logging.
Smart Link PTY LTD logs the use of data-processing systems. Logs are maintained for at least 10 days.
Access Control.
(a) Records of Access Rights.
Smart Link PTY LTD maintains a record of security privileges of individuals having access to customer data.
(b) Access Authorization.
(i) Smart Link PTY LTD maintains and updates a record of personnel authorized to access systems that contain customer data.
(ii) Smart Link PTY LTD deactivates authentication credentials of employees or contract workers immediately upon the termination of their employment or services.
(c) Least Privilege.
(i) Technical support personnel are only permitted to have access to customer data when needed for the performance of their job function.
(ii) Smart Link PTY LTD restricts access to customer data to only those individuals who require such access to perform their job function.
(d) Integrity and Confidentiality.
(i) Smart Link PTY LTD instructs its personnel to disable administrative sessions when leaving the Smart Link PTY LTD’s premises or when computers are unattended.
(ii) Smart Link PTY LTD stores passwords in a way that makes them unintelligible while they are in force.
(e) Authentication.
(i) Smart Link PTY LTD uses commercially reasonable practices to identify and authenticate users who attempt to access information systems.
(ii) Smart Link PTY LTD ensures that de-activated or expired identifiers are not granted to other individuals.
(iii) Smart Link PTY LTD maintains commercially reasonable procedures to deactivate login credentials that have been corrupted or inadvertently disclosed or pursuant to a number of failed login attempts.
(f) Network Design.
Smart Link PTY LTD has controls to avoid individuals assuming access rights they have not been assigned to gain access to customer data they are not authorized to access.
Network Security.
Smart Link PTY LTD’s information systems have security controls designed to detect and mitigate attacks by using logs and alerting.
Information Security Incident Management.
(a) Record of Breaches.
Smart Link PTY LTD maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and the procedure for recovering data.
(b) Record of Disclosure.
Smart Link PTY LTD tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time, unless prohibited by law.