1. CLIENTBOOK DATA PROCESSING ADDENDUM.
This Clientbook Data Processing Addendum (“DPA”) applies to the extent Clientbook Processes any Covered Data as Processor in connection with Clientbook's services and digital products as directed by the Client or Controller.
In case of any conflict or inconsistency with Clientbook's Software-as-a-Service Agreement or any other agreement, this DPA will take precedence to the extent of such conflict or inconsistency.
2. DEFINITIONS.
2.1 “Agreement” means this Software-as-a-Service (SaaS) Agreement, consisting of the terms and conditions stated herein as well as all Order Forms, policies, addenda, exhibits, attachments and amendments (if any).
2.2 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.3 “Client” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, engages Clientbook for its services or digital products.
2.4 “Client Account Data” means Personal Data or Personal Information that relates to Client's relationship with Clientbook, such as the names and contact information of Client's users, billing information associated with Client's account, and any Personal Data or Personal Information Clientbook may need to collect for the purpose of identity verification (including providing multi-factor authentication).
2.5 “Clientbook” means Clientbook, Inc., a Delaware Corporation.
2.6 “Covered Data” means any Personal Data, Personal Information, or Customer Information pertaining to a Consumer or Data Subject that is provided to Clientbook by Client or otherwise Processed by Clientbook as a Processor or Service Provider in connection with Clientbook's services and digital products. Covered Data excludes Client Account Data.
2.7 “Customer Information” means any record containing nonpublic personal information about a customer.
2.8 “Data Subject” means the individual to whom Personal Data relates.
2.9 “Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to the California Consumer Privacy Act (“CCPA”), Australia Privacy Act 1988, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Mexico’s Federal Law on the Protection of Personal Data Held by Private Companies (“FLPPDHPP”), and the British Virgin Islands’ Data Protection Act (“BVIDP”).
2.10 “Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws and Regulations.
2.11 “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
2.12 “Pseudonymise” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
2.13 “Services” means the software-as-a-service application and technical support services owned or operated by Clientbook, including mobile applications, Software, websites or other properties.
In addition, “Business,” “Business Purpose,” “Consumer,” “Personal Information,” “Process,” “Processing,” “Processing of,” “Sale,” “Share,” and “Service Provider” and their respective derivative terms as used in this DPA shall be interpreted in accordance with Data Protection Laws and Regulations. All other capitalized terms used in this DPA have the meanings ascribed to them in the Underlying Agreement.
3. SCOPE.
3.1 Roles of the Parties. The parties acknowledge and agree that with respect to the Covered Data, Client is the Controller and Clientbook is the Processor for, and on behalf of, Client and conducts its Processing operations in accordance with Client’s instructions. Client hereby instructs Clientbook to Process Covered Data on Client’s behalf pursuant to this DPA and the Service Agreement.
3.2 Data Pseudonymisation Details. Notwithstanding anything to the contrary in this DPA, Clientbook may Pseudonymise all or portions of Covered Data so that it no longer constitutes Personal Data or Personal Information under Data Protection Laws and Regulations, at which point such data will no longer constitute Covered Data under this DPA.
4. CLIENT AS A CONTROLLER OF COVERED DATA.
4.1 Client’s Obligations. Client as the Controller determines the purposes for and means by which Covered Data is being or will be Processed, and the manner in which Covered Data is or will be Processed. Client represents and warrants that:
(a) Client as Controller shall, in its use of Clientbook's Services, Process Customer Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirements to provide notice to Consumers of the use of Clientbook as Processor.
(b) For the avoidance of doubt, Client's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations.
(c) Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges and agrees that its use of Clientbook's Services will not violate the rights of any Consumers, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under any applicable Data Protection Laws and Regulations; and
(d) Client will promptly notify Clientbook of any Consumer or Data Subject request made pursuant to any Data Protection Laws and Regulations with which Client must comply that requires Clientbook to take any action with respect to Covered Data being Processed, and will provide the information necessary for Clientbook to comply with such request.
5. CLIENTBOOK AS A PROCESSOR OF COVERED DATA.
5.1 Clientbook’s Obligations. Unless otherwise permitted or required by applicable Law, Clientbook will Process Covered Data in accordance with Client's instructions as a Processor to provide Clientbook's Services, and Client hereby instructs Clientbook to do so. Clientbook will ensure that any person authorized to Process Covered Data under this DPA is bound by appropriate obligations of confidentiality.
5.2 Data Protection Policy. Clientbook has developed and implemented, and will maintain, a comprehensive written Data Protection Policy that outlines Clientbook's activities and the Covered Data at issue. In addition, the Data Protection Policy contains policies and procedures covering the practices, processes, controls, and training that Clientbook will implement to protect the security and confidentiality of Covered Data, protect against any anticipated threats or hazards to the security or integrity of Covered Data, and protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to any Consumer, Data Subject, or Customer.
5.3 Compliance. Upon written request, Clientbook will take reasonable and appropriate steps to make available to Client information to demonstrate Clientbook’s compliance with provisions of Data Protection Laws and Regulations applicable to Processors/Service Providers, and will allow Client to verify Clientbook’s compliance with Clientbook’s obligations under this DPA.
5.4 Audit Report. Upon Client’s written request no more than once per year, Clientbook will provide a copy of Clientbook’s then-current audit report to Client. Such audit report refers to an industry standard audit that may be deemed appropriate by Clientbook which relates to Clientbook’s Processing of Covered Data and is conducted by an independent third-party auditor. The audit report shall be deemed to be Clientbook’s Confidential Information.
5.5 Clientbook’s Cooperation and Assistance. Taking into account the nature of the Processing and the information available to Clientbook, Clientbook will provide Client with reasonable cooperation and assistance to enable Client as a Business or Controller to fulfill Client’s binding obligations with respect to the Covered Data, if any, under Data Protection Laws and Regulations to:
(a) respond to requests from Data Subjects or Consumers for the exercise of their rights; and
(b) provide notification of a Covered Data breach (or analogous concept) as required under Data Protection Laws and Regulations.
6. TERM.
6.1 Duration. The DPA is considered in effect until disposal of the Personal Data in accordance with Clientbook's Services.
6.2 Clientbook’s Data Storage of Data. Upon termination of Clientbook's Services or digital products, and receipt of Client’s written request, Clientbook will delete Covered Data in Clientbook’s possession, unless applicable Law requires further storage.
6.3 Archiving Service. Clientbook does not provide an archiving service. Clientbook may delete Client’s data 30 days after the termination of Client’s Agreement. Additionally, Client understands and agrees that following termination, Clientbook may delete all of Client’s Data in Clientbook’s possession.
7. CCPA-SPECIFIC TERMS.
In addition to the general terms, this Section applies to the extent that Client is a Business under the CCPA and Clientbook Processes Personal Information subject to the CCPA as a Service Provider in connection with its provision of Clientbook's services and digital products to Client. Clientbook will:
(a) not Sell or Share such Personal Information, nor retain, use, or disclose such Personal Information for any purpose other than the Business Purposes specified in the Underlying Agreement, unless otherwise permitted by the CCPA;
(b) except to perform the specific Business Purposes or as otherwise permitted by the CCPA, not combine such Personal Information with Personal Information received from or on behalf of another person or source;
(c) otherwise comply with provisions of the CCPA applicable to Service Providers, providing the same level of privacy protection required of Businesses by the CCPA, and notify Client if Clientbook can no longer meet these obligations; and
(d) upon receipt of written notice that Client reasonably believes Clientbook is using Personal Information in an unauthorized manner, take reasonable and appropriate steps to work with Client to remediate the allegedly unauthorized use, if necessary. Clientbook will notify Client in the event Clientbook determines it can no longer meet its obligations under the CCPA.
8. CLIENTBOOK SERVICE PARTNERS.
8.1 Authorization to Engage Sub-Processors. Client authorizes Clientbook to engage sub-processors and service providers as necessary to deliver the services outlined in the Agreement. Clientbook shall ensure that any such sub-processors are bound by obligations that are consistent with the terms of this Data Processing Addendum. If you would like a list of specific Sub-Processors that Clientbook uses, you can request one by emailing legal@clientbook.com.
8.2 Use of Sub-Processors. Clientbook may engage sub-processors and service providers to process Personal Data as necessary to provide the services under the Agreement. Client acknowledges and agrees that Clientbook's use of sub-processors is essential to the performance of the services, and Clientbook may appoint or replace sub-processors at its discretion without prior notice to the Client. Clientbook will ensure that any sub-processors are bound by obligations that are consistent with the terms of this Data Processing Addendum.
9. CLIENTBOOK AS A CONTROLLER OF CLIENT ACCOUNT DATA.
9.1 Independent Contractor. Client acknowledges that, with regard to the Processing of Client Account Data, Client is a Controller and Clientbook is an independent Controller/Business, not a joint Controller with Client. Clientbook will Process Client Account Data as a Controller in order to:
(a) manage the relationship with Client;
(b) carry out Clientbook's core business operations, such as billing and accounting;
(c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of Clientbook's services and digital products;
(d) perform identity verification; and
(e) as otherwise permitted under Data Protection Laws and Regulations and in accordance with this DPA, Clientbook's SAAS Agreement and Clientbook's Privacy Policy (https://www.clientbook.com/privacy-policy).
10. CONFLICTS.
To the extent there is a conflict or inconsistency between this DPA and the Terms and Conditions, this DPA will control.
11. AMENDMENTS.
Clientbook reserves the right to update or modify the DPA from time to time as its business evolves by posting an updated version of this DPA on its website. If, in Clientbook’s sole discretion, it believes that the modifications being made are material, Clientbook will notify Client prior to the change taking effect. By continuing to utilize the Services after the effective date of any update to this DPA, Client will be deemed to have accepted such update.