DPA

Data Processing Agreement

Last Updated Dec 7th, 2023

To provide some of Our Services to you as a subscriber (“Subscriber” and “you”), Umso Software Inc. (“Umso”, “We”, “Us”, and Our”) processes the data of individuals visiting the website created by you (“End Users”) using Our Services if We host that website. Umso refers to the processing of such data as “Processing”. This Data Processing Agreement (“DPA”) sets forth the terms of such Processing by Us.

This DPA forms part of the Umso Terms of Service, and any other applicable Umso terms governing the use of the Services (collectively, the “Umso Policies”). The terms of the Umso Policies will apply to this DPA as applicable. In the event of any conflict between this DPA and any of the Umso Policies, the provisions of the following documents (in order of precedence) will prevail: (i) Standard Contractual Clauses; then (ii) this DPA; and then (iii) the Umso Terms of Service. Any capitalized term not defined in this DPA, will have the meaning ascribed to it in the Umso Policies.

To the extent End User Subscriber Data is Processed by Umso, the Subscriber acknowledges and agrees that Umso will process Personal Data as necessary to provide its Services under the Umso Policies and by using the Services, the Subscriber has instructed Umso to process such Personal Data on his/her/its behalf pursuant to this DPA.


1. Definitions

In this DPA, the terms below have the following meanings:

Applicable Data Protection Regulations” means the EU Data Protection Law and other applicable regulations as set forth in Annex 5 attached hereto.

The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Processor” have the meanings given in the GDPR and as specified in other applicable regulations as set forth in Annex 2 attached hereto.

End User Subscriber Data” means the Personal Data of End Users of Subscribers as Processed by Umso on behalf of its Subscribers as part of the Services.

EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iii) in respect of the United Kingdom (“UK”) the GDPR as transposed into UK national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the UK.

EU Restricted Transfer” means either: (i) a transfer of Personal Data by Subscriber (transferor) to Umso (transferee); or (ii) an onward transfer from a Umso to a Sub-processor, in each case, where such transfer would be prohibited by EU Data Protection Law in the absence of the protection for the transferred Personal Data provided by the EU Standard Contractual Clauses or any other mechanism permitted under EU Data Protection Laws. 

EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws.

Restricted Transfer” means an EU Restricted Transfer and/or a UK Restricted Transfer as the context dictates.

Standard Contractual Clauses” means (i) the EU Standard Contractual Clauses or the UK Standard Contractual Clauses (as applicable), as updated, amended, replaced or superseded from time to time by the European Commission or by the competent authority, as applicable; or (ii) where required from time to time by a competent authority for use with respect to any specific Restricted Transfer, any other set of contractual clauses or other similar mechanism approved by such authority or by Applicable Data Protection Regulations for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such regulatory authority or Applicable Data Protection Laws.

"Sub-processor" means any processor engaged by Umso to assist in fulfilling its obligations with respect to providing the Services pursuant to Umso Policies or this DPA. Sub-processors include third parties but exclude Umso employees and independent contractors.In this DPA, except as otherwise expressly provided or as the context otherwise requires, a capitalized cognate of a defined term has a meaning corresponding to that of the defined term. 

UK Restricted Transfer” means either: (i) a transfer of Personal Data by Subscriber (transferor) to Umso (transferee); or (ii) an onward transfer from Umso to a Sub-processor, in each case, where such transfer would be prohibited by EU Data Protection Law in the absence of the protection for the transferred Personal Data provided by the UK Standard Contractual Clauses or any other mechanism permitted under EU Data Protection Law.

UK Standard Contractual Clauses” means, as applicable, (i) the EU Standard Contractual Clauses as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (“UK Addendum”), as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR; or (ii) the International Data Transfer Agreement issued by the UK Information Commissioner, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR (“UK IDTA”).


2. Processing by Umso

Umso will:

(a) Process End User Subscriber Data for the provision of the Services to Subscribers and according to the Umso Policies;

(b) Process End User Subscriber Data only on the specific and documented instructions of the Subscriber, including with regard to overseas transfers of Personal Data to a third country, unless required to do so by any law to which Umso is subject; in such case, Umso shall inform Subscriber of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

(c) ensure that anyone acting on its behalf, will Process End User Subscriber Data according to the provisions of this DPA;

(d) immediately inform Subscriber if, in its opinion, an instruction infringes EU Data Protection Law;

(e) ensure that its personnel have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; and

(f) implement appropriate technical, organizational, and security measures to protect the privacy and security of the End User Subscriber Data.


3. Subscriber Obligations

3.1 The Subscriber:

(a) will Process (including, but not limited to, collection and use) Personal Data in accordance with the Applicable Data Protection Regulations;

(b) will have sole responsibility for the accuracy, quality, and legality of End User Subscriber Data and the means by which it was obtained;

(c) will ensure the appropriate level of security when using Our Services, taking into consideration any risks with respect to End User Subscriber Data; and

(d) acknowledges that any storage and/or transfer of End User Subscriber Data by the Subscriber to any third-party or platform other than Umso shall be at the sole risk and responsibility of the Subscriber.

3.2 The Subscriber represents and warrants that:

(a) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Regulations, in respect of its Processing of End User Subscriber Data and any Processing instructions it issues to Umso; and 

(b) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Regulations for Umso to Process End User Subscriber Data for the purposes described in Our Terms of Service. The Subscriber will have sole responsibility for the accuracy, quality, and legality of End User Subscriber Data and the means by which the Subscriber acquired End User Subscriber Data. Without limiting the generality of the foregoing, Subscriber agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Regulations) applicable to any content created, sent, or managed through the Services.


4. Sub-processing

1. The Subscriber hereby grants Umso the right to engage any Sub-processor without obtaining any further written, specific authorization from the Subscriber. The Sub-processors currently engaged by Umso and authorized by Subscriber are available here

2. The Subscriber may object in writing to Our appointment of a new Sub-processor within five calendar days of receiving notice from Us (prior to the intended appointment of the new Sub-processor), provided that such objection is based on reasonable grounds relating to data protection. In such event, the Umso and the Subscriber will discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Umso will, at its sole discretion, either not appoint such Sub-processor, or permit the Subscriber to suspend or terminate the affected Services in accordance with the termination provisions in the Umso Terms of Service without liability to either Umso or the Subscriber (but without prejudice to any fees incurred by the Subscriber prior to the effective date of the suspension or termination).

3. Umso will 

(a) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for End User Subscriber Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and

(b) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Umso to breach any of its obligations under this DPA.


5. Jurisdictional Protection

To the extent that Umso is the recipient and Processor of Personal Data protected by EU Data Protection Laws and is:

(a) established in a jurisdiction deemed to provide an adequate level of protection for Personal Data (i.e., where the transfer of Personal Data to Umso by Subscriber is not to be considered a Restricted Transfer), Umso will ensure that the appropriate Standard Contractual Clauses are concluded with Sub-processors in respect of any onward transfer which constitutes a Restricted Transfer as required by EU Data Protection Law; or

(b) established in a jurisdiction not deemed to provide an adequate level of protection for Personal Data (i.e., where the transfer of Personal data to Umso by Subscriber is to be considered a Restricted Transfer), the Standard Contractual Clauses shall hereby be concluded between Umso (as data importer) and Subscriber (as data exporter) as incorporated in Annex 1 to this DPA, and Umso will ensure that the appropriate Standard Contractual Clauses are concluded with Sub-processors in respect of any onward transfer which constitutes a Restricted Transfer as required by EU Data Protection Law.


6. Security

By using any of Our Services, the Subscriber agrees to the adequacy of the organizational, technical, and security measures implemented by Us to protect the Personal Data. Some of those measures are referred to herein and in Annex 3 below attached to this DPA.


7. Notice of Breach

1. If We become aware of any Personal Data Breach, We will, without undue delay, provide notification of the same, to the affected Subscribers, in accordance with Applicable Data Protection Regulations. We will use reasonable efforts to include the following information in such notifications: 

- details of the nature of such breach and number of records affected, 
- the category and estimated number of affected data subjects, 
- anticipated consequences, and 
- any actual or proposed measures to be taken by Us (or on Our behalf) in order to mitigate the potential negative effects of such breach.

Our notification of a Personal Data Breach will not be deemed as an acknowledgement by Us of any fault or liability with respect to such incident.

2. In the event of a Personal Data Breach, the Subscriber will be obligated to take the measures required under Applicable Data Protection Regulations in connection with its End User Subscriber Data.


8. Compliance

1. Upon reasonable written request, We will:

(a) make available to the Subscriber certifications demonstrating Our compliance with the obligations under this DPA and the Applicable Data Protection Regulations; and/or

(b) make available to the Subscriber information necessary to demonstrate compliance with Our obligations under this DPA and Applicable Data Protection Regulations and, where and to the extent necessary under Applicable Data Protection Regulations, allow for and contribute to audits, including inspections, conducted by Subscriber or another auditor, which may not be a direct competitor of Umso, mandated by the Subscriber. Timing and extent of such audit shall be coordinated with Umso at least 30 calendar days prior to the intended audit (unless such coordination exceptionally would contradict the purpose of the audit).

2. The Subscriber shall bear the costs of audits unless an audit is required due to a violation of Applicable Data Protection Regulation and/or this DPA by Umso; in such case, Umso shall bear reasonably costs related to the audit. 


9. Assistance to Subscriber

1. We will also reasonably assist the Subscriber, in ensuring compliance with the obligations to:

(a) implement appropriate technical and organisational security measures; 

(b) notify (if required) Personal Data breaches to regulators and/or individuals; and 

(c) conduct data protection impact assessments and, if required in the context of such data protection impact assessment, prior consultation with regulators.

2. Umso will assist the Subscriber, within reasonable timetables, by the appropriate measures and, as reasonably possible (considering the nature of the Processing), in complying with Data Subject rights and all other relevant obligations under the Applicable Data Protection Regulations as required under such Applicable Data Protection Regulations.

3. If We receive any request directly from an End User relating to Data Subject rights, We will not respond to such communication directly except as appropriate (for example, to direct the Data Subject to contact you) or legally required, without the Subscriber's prior authorization. If We are required to respond to such a request, We will promptly notify you and provide you with a copy of the request unless We are legally prohibited from doing so. For the avoidance of doubt, nothing in any of the Umso Policies or this DPA will restrict or prevent Us from responding to any Data Subject or data protection authority requests in relation to Personal Data for which We are a Controller.


10. Applicable Transfer Mechanism

The Processing of the End User Subscriber Data generally will take place within the territory of the EU, Canada, or a third country, territory, or one or more specified sectors within that third country or territory which the European Commission and/or the UK Information Commissioner's Office (ICO), as applicable, has determined ensures an adequate level of protection. Any Restricted Transfer will be undertaken in accordance with the Standard Contractual Clauses as required under Applicable Data Protection Regulation.


11. Term

This DPA will be in effect in relation to each Subscriber, for as long as such Subscriber, uses any of Our Services; provided, however, that in the event We are obligated, according to the terms of this DPA or any Umso Policies, to keep Personal Data of an End User following the termination of the Services, this DPA will continue to be in effect for as long as Umso holds such Personal Data.


12. Effect of Termination

Upon termination of the use by the Subscriber of the Services, We will, at the election of the Subscriber, delete or return to the Subscriber all End User Subscriber Data in Our possession or control, except that this requirement will not apply to the extent Umso is required by applicable law to retain some or all of the End User Subscriber Data, or to End User Subscriber Data We have archived on back-up systems, which End User Subscriber Data Umso will securely isolate, protect from any further processing, and eventually delete in accordance with Our deletion policies, except to the extent required by applicable law.


13. Amendments

Umso will have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time, in order to comply with any applicable laws or regulations.


14. Notice to Umso

Any questions regarding this DPA or requests from a Subscriber to exercise Data Subject rights as described herein, in the GDPR, or other applicable regulation, should be addressed to the Umso Data Protection Officer at privacy@umso.com. Umso will attempt to resolve any complaints regarding the use of End User Subscriber Data in accordance with this DPA and Umso Policies.


15. Limitation of Liability

UMSO’S LIABILITY TAKEN TOGETHER IN THE AGGREGATE ARISING OUT OF OR RELATED TO THIS DPA (INCLUDING THE STANDARD CONTRACTUAL CLAUSES) WILL BE SUBJECT TO THE EXCLUSIONS AND LIMITATIONS OF LIABILITY SET FORTH IN OUR TERMS OF SERVICE.

ANY CLAIMS MADE AGAINST US UNDER OR IN CONNECTION WITH THIS DPA (INCLUDING, WHERE APPLICABLE, THE STANDARD CONTRACTUAL CLAUSES) WILL BE BROUGHT SOLELY BY THE SUBSCRIBER ENTITY THAT IS A PARTY TO THE RELATED TERMS OF SERVICE.

IN NO EVENT WILL UMSO LIMIT ITS LIABILITY WITH RESPECT TO ANY INDIVIDUAL'S DATA PROTECTION RIGHTS UNDER THIS DPA OR OTHERWISE.


16. General Matters

No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in Our Terms of Service, unless required otherwise by Applicable Data Protection Regulations.

Annex 1 - Standard Contractual Clauses

1. EU Standard Contractual Clauses

1.1 In respect of any EU Restricted Transfer between Umso and Subscriber, with effect from the commencement of the relevant transfer Umso and Subscriber hereby enter into Module 2 of the EU Standard Contractual Clauses.  Module 2 of the Eu Standard Contractual Clauses shall apply as follows:

(a) Clause 7 – Docking clause of the EU Standard Contractual Clauses shall apply;

(b) Clause 9 – Use of subprocessors of the EU Standard Contractual Clauses “Option 2” shall apply and the “time period” shall be at least five calendar days; 

(c) Clause 11(a) – Redress of the EU Standard Contractual Clauses, the optional language shall not apply;

(d) Clause 13(a) – Supervision of EU Standard Contractual Clauses, the following shall be inserted: 

(i) Where the data exporter is established in an EU Member State: "The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority."

(ii) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: "The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority."

(iii) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: "The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority."

(e) Clause 17 – Governing law of the EU Standard Contractual Clauses “Option 2” shall apply and the “Member State” shall be Germany;

(f) Clause 18 – Choice of forum and jurisdiction of the Standard Contractual Clauses the Member State shall be the Member State by whose law the EU Standard Contractual Clauses are governed pursuant Section 1.1(e) of this Annex 1;

(g) Annex 1 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Appendix 1 to this Annex 1; 

(h) Annex 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Appendix 2 to this Annex 1; and

(i) Annex 3 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Appendix 3 to this Annex 1.


2. UK Standard Contractual Clauses

2.1 In respect of any UK Restricted Transfer between Umso and the Subscriber, Umso (as “data importer”) and the Subscriber (as “data exporter”), hereby enter into Module 2 of the Eu Standard Contractual Clauses as amended by the UK IDTA.  The provisions of Sections 1.1(a) to 1.1(c) and 1.1(g) to 1.1(i) of this Annex 1 shall apply to the UK IDTA.


3. Specific additional safeguards

If, at any time, a competent supervisory authority or a court with competent jurisdiction over a party mandates that transfers from controllers in the European Economic Area or the UK to processors established outside the European Economic Area or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organizational measures), the parties shall work together in good faith to implement such safeguards and ensure that any transfer of Personal Data is conducted with the benefit of such additional safeguards.

Appendix 1 to Annex 1 - Description of the Transfer

A. List of parties:

Data exporter(s):

Name: name as indicated in Subscriber's umso.com-account 

Address: address as indicated in Subscriber's umso.com-account 

Contact person’s name, position and contact details: the name of the person who has created the umso.com-account; the email address for which the umso.com-account has been created shall be deemed the contact details

Activities relevant to the data transferred under these Clauses: receive Services.

Signature and date: by agreeing to the Umso Terms of Service the Subscriber agrees to the conclusion of the Standard Contractual Clauses as required under Section 5 (b) of the DPA.

Role (controller/processor): controller

Data importer(s):

Name: Umso

Address: #900-2025 Willingdon Avenue, Burnaby, B.C., Canada V5C 0J3.

Contact person’s name, position and contact details: Data Protection Officer, privacy@umso.com

Activities relevant to the data transferred under these Clauses: performance of the Services

Signature and date: where the Subscriber agrees to the Umso Terms of Service Umso agrees to the conclusion of the Standard Contractual Clauses as required under Section 5 (b) of the DPA.

Role (controller/processor): processor

B. Description of transfer

Categories of data subjects whose personal data is transferred:
See Annex 2 to the DPA.

Categories of personal data transferred:
See Annex 2 to the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
See Annex 2 to the DPA and Appendix 2 to Annex 1.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous.

Nature of the processing:
See Annex 2 to the DPA.

Purpose(s) of the data transfer and further processing:
See Annex 2 to the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
For the duration of Processing as indicated in Annex 2 to the DPA.


C. Competent Supervisory Authority

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with GDPR as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of GDPR in accordance with its Article 3 (2) and has appointed a representative pursuant to Article 27 (1) GDPR: 
The supervisory authority of the Member State in which the representative within the meaning of Article 27 (1) GDPR is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of GDPR in accordance with its Article 3 (2) without however having to appoint a representative pursuant to Article 27 (2) GDPR: 
The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under the EU Standard Contractual Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located shall act as competent supervisory authority.


Appendix 2 to Annex 1 - Technical and Organisational Measures
See Annex 3 to the DPA.


Appendix 3 to Annex 1 – Sub-processors
See Annex 4 to the DPA.


Appendix 4 to Annex 1 – Additional Business Terms
The parties acknowledge that Clause 2 of the EU Standard Contractual Clauses permits them to include additional business-related terms provided they do not contradict provided that they do not contradict, directly or indirectly, the Clauses of the EU Standard Contractual Clauses or prejudice the fundamental rights or freedoms of data subjects. Accordingly, this Appendix 4 to Annex 1 to the DPA sets out the parties' interpretation of their respective obligations under specific Clauses identified below. Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under such Clauses. The Standard Contractual Clauses shall prevail, in case of any contractions between these interpretations and the EU Standard Contractual Clauses


Clause 8.1(a) and Clause 16: Suspension of data transfers and termination

1. The parties acknowledge that for the purposes of Clause 8.1(a) of the EU Standard Contractual Clauses, data importer may process the personal data only on behalf of the data exporter and in compliance with its documented instructions as set out in the DPA and that pursuant to the DPA, these instructions shall be the data exporter’s complete and final instructions.

2. The parties acknowledge that Subscriber may be is entitled to suspend the transfer of data and/or terminate the affected parts of the Services pursuant Clause 16 of the EU Standard Contractual Clauses in accordance with the terms of the Umso Terms of Service.

3. If the data exporter intends to suspend the transfer of personal data and/or terminate the affected parts of the Services based on Clause 16 of the EU Standard Contractual Clauses, it shall first provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).

4. In addition, the data exporter and data importer shall reasonably cooperate with each other during the Cure Period to agree what additional safeguards or other measures, if any, may be reasonably required to ensure the data importer's compliance with the Clauses and applicable data protection law.

5. If, after the Cure Period, the data importer has not or cannot cure the non-compliance in accordance with the paragraphs 2 and 3 above, then the data exporter may suspend and/or terminate the affected part of the Services in accordance with the provisions of the Terms of Service without liability to either party (but without prejudice to any fees incurred by the data exporter prior to suspension or termination).


Clause 9(c): Disclosure of Sub-processor agreements

1. The parties acknowledge the obligation of the data importer to send a copy of a Sub-processor agreement it concludes under the EU Standard Contractual Clauses to the data exporter upon request.

2. The parties further acknowledge that, pursuant to Sub-processor confidentiality restrictions, data importer may be restricted from disclosing onward Sub-processor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any Sub-processor it appoints to permit it to disclose the Sub-processor agreement to data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

3. Even where data importer cannot disclose a Sub-processor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably can in connection with such sub-processing agreement to data exporter.


Clause 12: Liability

1. Any claims brought under the EU Standard Contractual Clauses shall be subject to the Umso Policies, including but not limited to, the exclusions and limitations set forth in the Umso Terms of Service. In no event, shall any party limit its liability with respect to any data subject rights under these the EU Standard Contractual Clauses.


Annex 2 - Description of the Processing

Categories of data subjects whose Personal Data is Processed:
End Users

Categories of Personal data Processed:
- Location (country, city)
- Referring source
- Information related to the use of Subscriber’s platform (such as pages visited on Subscriber’s platform, the computing device used to access Subscriber’s platform, software operating system, and log data)
- Information provided by End Users via web forms on Subscriber's platform as implemented by Subscriber (potentially including but not limited to End Users' names, addresses, contact details, messages / questions to Subscriber, requests)

Subject matter, nature and purpose of Processing:
Performance of the Services under the Umso Terms of Services.

Duration of the Processing:
As set out in Section 11 of the DPA.


Annex 3 – Technical and Organizational Measures
The technical and organisational security measures implemented by the data importer are as described in: Security Policy.


Annex 4 – Sub-processors
As referenced in Section 4.1 of the DPA.


Annex 5 – Applicable Regulations

1. California:​

1.1 The definition of “Applicable Data Protection Regulations” described in section 1 of this DPA includes the California Consumer Privacy Act (“CCPA”).

1.2 The definition of (i) “Personal Data” includes “Personal Information”, (ii) “Data Subject” includes “Consumer”, (iii) “Controller” includes “Business”, (iv) “Processor” includes “Service Provider”, as defined under the CCPA.

1.3 Umso will process, retain, use, and disclose personal data only as necessary to provide its Services, which constitutes a business purpose.

1.4 Umso agrees not to: (i) sell (as defined by the CCPA) End User Subscriber Data; (ii) retain, use, or disclose End User Subscriber Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose End User Subscriber Data outside of the scope of the Umso Policies.

1.5 Umso certifies that its Sub-processors, as described in Section 4 of the DPA, are Service Providers under the CCPA, with whom Umso has entered into a written contract that includes terms ensuring at least the same level of protection and security as those set out in this DPA.

1.6 Umso’s obligations regarding Data Subject requests, as described in Section 9 (Assistance to Subscriber) of this DPA, apply to Consumer’s rights under the CCPA.
Made with
Cookie Settings
This website uses cookies

Cookie Settings

We use cookies to improve user experience. Choose what cookie categories you allow us to use. You can read more about our Cookie Policy by clicking on Cookie Policy below.

These cookies enable strictly necessary cookies for security, language support and verification of identity. These cookies can’t be disabled.

These cookies collect data to remember choices users make to improve and give a better user experience. Disabling can cause some parts of the site to not work properly.

These cookies help us to understand how visitors interact with our website, help us measure and analyze traffic to improve our service.

These cookies help us to better deliver marketing content and customized ads.