To provide some of Our Services to you as a subscriber ("Subscriber" and "you"), Umso Software Inc. ("Umso", "We", "Us", and "Our") processes the data of individuals visiting the website created by you ("End Users") using Our Services if We host that website. Umso refers to the processing of such data as "Processing". This Data Processing Agreement ("DPA") sets forth the terms of such Processing by Us.
This DPA forms part of the Umso Terms of Service, Privacy Policy and any other applicable Umso terms governing the use of the Services (collectively, the "Umso Policies"). The terms of the Umso Policies will apply to this DPA as applicable. In the event of any conflict between this DPA and any of the Umso Policies, the provisions of the following documents (in order of precedence) will prevail: (i) Standard Contractual Clauses; then (ii) this DPA; and then (iii) the Umso Terms of Service. Any capitalized term not defined in this DPA will have the meaning ascribed to it in the Umso Policies.
To the extent End User Subscriber Data is Processed by Umso, the Subscriber acknowledges and agrees that Umso will process Personal Data as necessary to provide its Services under the Umso Policies and by using the Services, the Subscriber has instructed Umso to process such Personal Data on his/her/its behalf pursuant to this DPA.
1. Definitions
In this DPA, the terms below have the following meanings:
“Applicable Data Protection Regulations” means the EU Data Protection Law and other applicable regulations as set forth in Annex 2 attached hereto.
The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Processor” have the meanings given in the GDPR and as specified in other applicable regulations as set forth in Annex 2 attached hereto.
“End User Subscriber Data” means the Personal Data of End Users of Subscribers as Processed by Umso on behalf of its Subscribers as part of the Services.
"EU Data Protection Law" means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the "GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom ("UK") any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
“Standard Contractual Clauses” means the standard contractual clauses attached hereto as Annex 1 and the related Appendix 1 attached thereto which form part of this DPA, as may be amended from time to time (the “Clauses”), or with respect to onward transfers by Umso as a Processor to any third party that processes Personal Data under the instructions and supervision of Umso pursuant to Sections 3 and 4 of this DPA, also the Standard Contractual Clauses for the transfer of Personal Data to Processors or Sub-processors established in third countries, as adopted by the European Commission from time to time under EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 or the GDPR, as applicable.
"Sub-processor" means any processor engaged by Umso to assist in fulfilling its obligations with respect to providing the Services pursuant to Umso Policies or this DPA. Sub-processors include third parties but exclude Umso employees and independent contractors.
In this DPA, except as otherwise expressly provided or as the context otherwise requires, a capitalized cognate of a defined term has a meaning corresponding to that of the defined term.
2. Processing by Umso
Umso will:
(a) Process End User Subscriber Data for the provision of the Services to Subscribers and according to the Umso Policies;
(b) Process End User Subscriber Data only on the specific instructions of the Subscriber, including with regard to overseas transfers of Personal Data to a third country;
(c) ensure that anyone acting on its behalf will Process End User Subscriber Data according to the provisions of this DPA, the Privacy Policy and any Applicable Data Protection Regulations;
(d) ensure that its personnel have committed themselves to appropriate contractual or statutory obligations of confidentiality; and
(e) implement appropriate technical, organizational, and security measures to protect the privacy and security of the End User Subscriber Data.
3. Subscriber Obligations
3.1 The Subscriber:
(a) will collect, use, and process Personal Data in accordance with the Applicable Data Protection Regulations;
(b) will have sole responsibility for the accuracy, quality, and legality of End User Subscriber Data and the means by which it was obtained;
(c) will ensure the appropriate level of security when using Our Services, taking into consideration any risks with respect to End User Subscriber Data; and
(d) acknowledges that any storage and/or transfer of End User Subscriber Data by the Subscriber to any third-party or platform other than Umso shall be at the sole risk and responsibility of the Subscriber.
3.2 The Subscriber represents and warrants that:
(a) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Regulations, in respect of its processing of End User Subscriber Data and any processing instructions it issues to Umso; and
(b) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Regulations for Umso to process End User Subscriber Data for the purposes described in Our Terms of Service. The Subscriber will have sole responsibility for the accuracy, quality, and legality of End User Subscriber Data and the means by which the Subscriber acquired End User Subscriber Data. Without limiting the generality of the foregoing, Subscriber agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Regulations) applicable to any content created, sent, or managed through the Services.
4. Subprocessing
The Subscriber hereby grants Umso the right to engage any Sub-processor without obtaining any further written, specific authorization from the Subscriber. The Sub-processors currently engaged by Umso and authorized by Subscriber are available here.
The Subscriber may object in writing to Our appointment of a new Sub-processor within five calendar days of receiving notice from Us, provided that such objection is based on reasonable grounds relating to data protection. In such event, Umso and the Subscriber will discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Umso will, at its sole discretion, either not appoint such Sub-processor, or permit the Subscriber to suspend or terminate the affected Services in accordance with the termination provisions in the Umso Terms of Service without liability to either Umso or the Subscriber (but without prejudice to any fees incurred by the Subscriber prior to the effective date of the suspension or termination).
Umso will (a) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for End User Subscriber Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (b) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Umso to breach any of its obligations under this DPA.
5. Jurisdictional Protection
To the extent that Umso is the recipient and Processor of Personal Data protected by EU Data Protection Laws and is:
(a) established in a jurisdiction deemed to provide an adequate level of protection for Personal Data, Umso will comply with and the Clauses will apply solely on an onward data transfer of the Personal Data imported by Umso to Sub-processors located in a jurisdiction not deemed as providing an adequate level of protection for Personal Data; or
(b) established in a jurisdiction not deemed to provide an adequate level of protection for Personal Data (as described in applicable EU Data Protection Law), Umso will be the data importer for the purposes of and will comply with the Clauses.
6. Security
By using any of Our Services, the Subscriber agrees to the adequacy of the organizational, technical, and security measures implemented by Us to protect the Personal Data. Some of those measures are referred to herein and in Appendix 2 below attached to the Clauses.
7. Notice of Breach
If We become aware of any Personal Data Breach, We will, without undue delay, provide notification of the same to the affected Subscribers, in accordance with Applicable Data Protection Regulations. We will use reasonable efforts to include the following information in such notifications:
- details of the nature of such breach and number of records affected,
- the category and estimated number of affected data subjects,
- anticipated consequences, and
- any actual or proposed measures to be taken by Us (or on Our behalf) in order to mitigate the potential negative effects of such breach.
Our notification of a Personal Data Breach will not be deemed as an acknowledgement by Us of any fault or liability with respect to such incident.
In the event of a Personal Data Breach, the Subscriber will be obligated to take the measures required under Applicable Data Protection Regulations in connection with its End User Subscriber Data.
8. Compliance
Upon reasonable written request, We will:
(a) make available to the Subscriber certifications demonstrating Our compliance with the obligations under this DPA and the Applicable Data Protection Regulations; and/or
(b) make available to the Subscriber information necessary to demonstrate compliance with Our obligations under this DPA and Applicable Data Protection Regulations.
Umso will assist the Subscriber, within reasonable timetables, by the appropriate measures and, as reasonably possible (considering the nature of the Processing), in complying with Data Subject rights and all other relevant obligations under the Applicable Data Protection Regulations.
9. Assistance to Subscriber
We will also reasonably assist the Subscriber in ensuring compliance with the obligations to:
(a) implement appropriate technical and organisational security measures;
(b) notify (if required) Personal Data breaches to regulators and/or individuals; and
(c) conduct data protection impact assessments (including assessment of the adequacy of the Clauses) and, if required, prior consultation with regulators.
If We receive any request directly from an End User relating to Data Subject rights, We will not respond to such communication directly except as appropriate (for example, to direct the Data Subject to contact you) or legally required, without the Subscriber's prior authorization. If We are required to respond to such a request, We will promptly notify you and provide you with a copy of the request unless We are legally prohibited from doing so. For the avoidance of doubt, nothing in any of the Umso Policies or this DPA will restrict or prevent Us from responding to any Data Subject or data protection authority requests in relation to Personal Data for which We are a Controller.
10. Applicable Transfer Mechanism
The Processing of the End User Subscriber Data will take place within the territory of the EU, Canada, or a third country, territory, or one or more specified sectors within that third country or territory which the European Commission has determined ensures an adequate level of protection. Any transfer to and Processing in a third country or territory outside the EU that does not ensure an adequate level of protection for Personal Data (as described in applicable Data Protection Regulations), will be undertaken in accordance with the Clauses (depending on the nature of the data exporter and data importer as Controller or Processor).
11. Term
This DPA will be in effect in relation to each Subscriber for as long as such Subscriber uses any of Our Services; provided, however, that in the event We are obligated, according to the terms of this DPA or any Umso Policies, to keep Personal Data of an End User following the termination of the Services, this DPA will continue to be in effect for as long as Umso holds such Personal Data.
12. Effect of Termination
Upon termination of the use by the Subscriber of the Services, We will, at the election of the Subscriber, delete or return to the Subscriber all End User Subscriber Data in Our possession or control, except that this requirement will not apply to the extent Umso is required by applicable law to retain some or all of the End User Subscriber Data, or to End User Subscriber Data We have archived on back-up systems, which End User Subscriber Data Umso will securely isolate, protect from any further processing, and eventually delete in accordance with Our deletion policies, except to the extent required by applicable law.
13. Amendments
Umso will have the right to amend and/or adjust any of the terms of this DPA as may be required from time to time in order to comply with any applicable laws or regulations.
14. Notice to Umso
Any questions regarding this DPA or requests from a Subscriber to exercise Data Subject rights as described herein, in the GDPR, or other applicable regulation, should be addressed to the Umso Data Protection Officer at privacy@umso.com. Umso will attempt to resolve any complaints regarding the use of End User Subscriber Data in accordance with this DPA and Umso Policies.
15. Limitation of Liability
UMSO’S LIABILITY TAKEN TOGETHER IN THE AGGREGATE ARISING OUT OF OR RELATED TO THIS DPA (INCLUDING THE CLAUSES) WILL BE SUBJECT TO THE EXCLUSIONS AND LIMITATIONS OF LIABILITY SET FORTH IN OUR TERMS OF SERVICE.
ANY CLAIMS MADE AGAINST US UNDER OR IN CONNECTION WITH THIS DPA (INCLUDING, WHERE APPLICABLE, THE CLAUSES) WILL BE BROUGHT SOLELY BY THE SUBSCRIBER ENTITY THAT IS A PARTY TO THE RELATED TERMS OF SERVICE.
IN NO EVENT WILL UMSO LIMIT ITS LIABILITY WITH RESPECT TO ANY INDIVIDUAL'S DATA PROTECTION RIGHTS UNDER THIS DPA OR OTHERWISE.
16. General Matters
No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in Our Terms of Service, unless required otherwise by Applicable Data Protection Regulations.
For the avoidance of doubt, when EU law ceases to apply to the United Kingdom (“UK”) following the UK's withdrawal from the EU and until such time as the UK is deemed to provide adequate protection for personal data (within the meaning of applicable EU Data Protection Law) then to the extent Umso processes (or causes to be processed) any End User Subscriber Data protected by EU Data Protection Law applicable to the United Kingdom, Umso will process such End User Subscriber Data in compliance with the Clauses.