Data Processing Agreement
Last updated June 10, 2024
This Data Processing Addendum (“DPA”) is governed by and part of the Terms of Service (the “Agreement,” which includes this DPA) between you as a subscriber (“you” or “Subscriber”) and Rosie by Rally Commerce, Inc. (“Rosie,” “us” or “we”) and sets forth the terms and conditions relating to Processing of Personal Information through your use of the Services. The parties agree to comply with the terms and conditions in this DPA in connection with such Processing of Personal Information. All capitalized terms not defined herein have the same meaning set forth in the Agreement.
By executing the Agreement, the Parties also execute this DPA.
1. DATA PROCESSING TERMS
1.1. “Authorized Affiliate” means any of Subscriber’s Affiliate(s) which (i) is subject to Data Protection Laws and (ii) is permitted to use the Services pursuant to the Agreement but has not executed its own contract with Rosie and is not “Subscriber” as defined under the Agreement. As used herein, “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity and “Control” means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.
1.2. “Controller” means the entity that determines the means and purposes of the Processing of Personal Information, also known as a “Business” under the CCPA and comparable U.S. state consumer privacy laws that limit or prohibit the sale of Personal Information.
1.3. “Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Data (as defined in the Agreement and including Personal Information, transmitted, stored, or otherwise) Processed by Rosie or its Sub-processors.
1.4. “Data Protection Laws” means all laws applicable to the Processing of Personal Information under the Agreement, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”) and consumer privacy and data protection law of Connecticut, Colorado, Iowa, Nevada, Oregon, Tennessee, Texas, Virginia, and other states, as well as Canada and other jurisdictions where the Services are marketed and offered, each as amended from time to time.
1.5. “Data Subject” means the identified or identifiable person to whom Personal Information relates.
1.6. “Personal Information” means any information contained in Your Data that is protected under applicable Data Protection Laws, such as information describing or relating to: (i) an identified or identifiable natural person or household or (ii) an identified or identifiable legal entity (where such information is protected as Personal Information or personally identifiable information under applicable Data Protection Laws).
1.7. “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8. “Processor” means the Party which Processes Personal Information on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the CCPA and comparable U.S. state consumer privacy laws that limit or prohibit the sale of Personal Information.
1.9. “Public Authority” means a government agency, court, or other governing body with authority to investigate or compel disclosure related to the Parties’ activities under the Agreement.
1.10. “Security Measures” means the technical and organizational measures employed by Rosie to secure Personal Information on the Services and as described in Section 9 of Schedule 2.
1.11. “Sell” has the meaning given in the CCPA or comparable U.S. state consumer privacy laws that limit or prohibit the sale of Personal Information.
1.12. “Share” has the meaning given in the CCPA or comparable U.S. state consumer privacy laws that limit or prohibit the sharing of Personal Information for cross-contextual behavioral advertising purposes.
1.13. “Sub-processor” means a Processor engaged by Rosie to Process Personal Information contained in Your Data.
2. PROCESSING PERSONAL INFORMATION
2.1. Roles of the Parties. This DPA applies where and to the extent that Subscriber, either directly or by making the AI Receptionist or other Services available to Subscriber’s end users, discloses Personal Information to Rosie pursuant to the Agreement. The Parties acknowledge and agree that (i) with regard to the Processing of Personal Information, Subscriber is the Controller and Rosie is the Processor and (ii) Rosie is generally authorized to engage Sub-Processors pursuant to the requirements of Section 5 “Sub-Processors” herein.
2.2. Duration. Rosie shall process Personal Information throughout the term of the Agreement or any renewal term thereof. Upon termination of the Agreement by either Party, Rosie shall cease processing Personal Information on Subscriber’s behalf upon completion of the termination provisions described herein.
2.3. Nature, Purpose, and Subject-Matter of the Processing. Rosie shall only Process Personal Information as Instructed (defined in Section 2.5) by Subscriber and only for the purpose of providing the Services to Subscriber pursuant to the Agreement. The nature, purpose, and subject matter of Rosie’s Processing of Personal Information as Subscriber’s Processor is described in the Agreement. All Processing of Personal Information via the Services is determined solely by Subscriber and according to Subscriber’s privacy practices.
2.4. Processing by Rosie. Subscriber hereby appoints Rosie to Process the Personal Information on Subscriber’s behalf as necessary for Rosie to provide the Services under the Agreement. Rosie shall treat Personal Information as Confidential Information. If Rosie is required by applicable law to disclose Personal Information for a purpose unrelated to the Agreement, Rosie will first inform Subscriber of the legal requirement and give Subscriber an opportunity to object or challenge the requirement, unless the law prohibits such notice. Notwithstanding the foregoing, Rosie shall have the right to (i) collect and use Personal Information to investigate a use of the Services that is unlawful or violates the Agreement, provide, and develop the Services, respond to legal actions, or for administrative purposes such as accounting and compliance and (ii) use any data in an anonymized format for Rosie’s internal purposes.
2.5. Instructions. Rosie shall Process, retain, use, store, or disclose Personal Information only according to written, documented, and lawful instructions issued by Subscriber to Rosie for the purpose of providing the Services to Subscriber pursuant to the Agreement (“Instructions”). The parties agree that the Agreement, together with Subscriber’s selections, configurations, customizations, and use of the Services under the Agreement and other written Instructions from Subscriber to Rosie, shall constitute Subscriber’s complete and final Instructions to Rosie concerning the Processing of Personal Information. Rosie shall inform Subscriber without delay if, in Rosie’s opinion, an Instruction violates applicable Data Protection Laws or Rosie is unable to follow an Instruction. Where necessary as determined by Rosie, Rosie may cease all Processing without liability until Subscriber issues new Instructions with which Rosie can comply. Notwithstanding any provision to the contrary, Subscriber is solely responsible for the legality, outcome, and results of any and all Instructions and Rosie shall have no liability whatsoever related to its performance of the Agreement according to any Subscriber Instructions.
2.6. Processing by Subscriber. Subscriber shall Process Personal Information in accordance with the requirements of all applicable Data Protection Laws, including without limitation requirements to provide notice to Data Subjects of the use of Rosie as Processor. Subscriber represents and warrants that Subscriber has established a lawful basis to Process Personal Information, Subscriber’s use of the Services will not violate the rights of any Data Subject, and Subscriber has the right to transfer, or provide access to, the Personal Information to Rosie for Processing under the terms of the Agreement. Subscriber shall have sole responsibility for (i) the accuracy, quality, and legality of Personal Information, (ii) the means by which Subscriber acquired the Personal Information, and (iii) the lawful basis and mechanisms of transferring Personal Information to Rosie. Subscriber shall inform Rosie without undue delay if Subscriber is unable to comply with Subscriber’s obligations under this DPA or any applicable Data Protection Laws. For the avoidance of doubt, Rosie is not responsible for compliance with any Data Protection Laws applicable to Subscriber or its industry that are not generally applicable to Rosie.
2.7. Limitations on Processing. The Parties agree that Rosie will Process Personal Information as Subscriber’s Service Provider in accordance with applicable Data Protection Laws and strictly for the business purpose of performing the Service under the Agreement. Rosie shall not (i) Sell Personal Information; (ii) Share Personal Information with third Parties for cross-contextual behavioral advertising purposes; (iii) retain, use, or disclose Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by Data Protection Laws; or (iv) retain, use, or disclose Personal Information outside of the direct business relationship between Subscriber and Rosie. Rosie certifies that it understands and will comply with the restrictions of this Section 2.7.
2.8. No Sale Between Parties. The Parties agree that Subscriber does not sell Personal Information to Rosie because, as a Service Provider, Rosie may only use Personal Information for the purposes of providing the Services to Subscriber.
3. RIGHTS OF DATA SUBJECTS
Rosie shall, to the extent legally permitted, promptly notify Subscriber if Rosie receives a request from a Data Subject to exercise the Data Subject's right under applicable Data Protection Laws relating to Personal Information (each a “Data Subject Request”). Taking into account the nature of the Processing, if Subscriber is unable to independently address a Data Subject Request, Rosie will assist Subscriber by appropriate technical and organizational measures insofar as this is possible and to the extent Rosie is legally permitted to do so, for the fulfilment of Subscriber’s obligation to respond to a Data Subject Request under Data Protection Laws. Subscriber shall be legally responsible for responding to any such Data Subject Requests or communications involving Personal Information and for all costs associated with the same.
4. Rosie PERSONNEL
Rosie shall ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Rosie shall take commercially reasonable steps to ensure the reliability of any Rosie personnel engaged in the processing of Personal Information. Rosie shall ensure that Rosie's access to Personal Information is limited to those personnel who are necessary to provide the Services.
5. SUB-PROCESSORS
5.1. Appointment of Sub-processors. Subscriber generally authorizes Rosie to engage Sub-Processors for the provision of the Services and Subscriber acknowledges and agrees that (i) Rosie’s Affiliates may be retained as Sub-processors and (ii) Rosie and Rosie’s Affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services to Subscriber. Rosie or a Rosie Affiliate has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Information to the extent applicable to the nature of the Services provided by such Sub-Processor. Rosie shall be liable for the acts and omissions of its Sub-Processors to the same extent Rosie would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement. Rosie shall make available to Subscriber the current list of Sub-processors for the applicable Service(s) upon Subscriber’s written request.
5.2. Objection Right for New Sub-processors. If Subscriber is entitled to notice and an opportunity to object to new Sub-Processors under applicable Data Protection Laws, (i) upon request by Subscriber to be so notified, Rosie shall notify Subscriber of new Sub-Processors and (ii) Subscriber may object to Rosie’s use of a new Sub-Processor by notifying Rosie promptly in writing within ten (10) business days after receipt of Rosie’s notice thereof. In the event Subscriber objects to a new Sub-Processor under this Section 5.2(ii), Rosie will use reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid Processing of Personal Information by the objected-to new Sub-Processor without unreasonably burdening Subscriber. If Rosie is unable to make available such change within thirty (30) days, Subscriber may terminate the Agreement.
6. SECURITY
Rosie shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Information as detailed in Schedule 2 hereto. In doing so, Rosie shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Subscriber is solely responsible for (i) reviewing and determining whether the Services meet Subscriber’s security standards and support Subscriber’s obligations under Data Protection Laws and (ii) the secure use of the Services by Subscriber or any end user whom Subscriber provides with access to an AI Receptionist or other Rosie Services, including but not limited to securing account authentication information and ensuring no such end user seeks to misuse Personal Information or engages in activities likely to give rise to a Data Incident.
7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
Rosie shall notify Subscriber without undue delay after becoming aware of a Data Incident occurring on Rosie’s or its Sub-Processor’s information systems. Rosie shall make reasonable efforts to identify the cause of such Data Incident and take such steps as Rosie deems necessary and reasonable to remediate the cause of such a Data Incident to the extent the remediation is within Rosie's reasonable control. At Subscriber’s reasonable request, and to the extent Rosie is required to do so under applicable Data Protection Laws, Rosie will promptly provide Subscriber with commercially reasonable assistance as necessary to enable Subscriber to meet Subscriber’s obligations under applicable Data Protection Laws to notify authorities and/or affected Data Subjects. The obligations herein shall not apply to incidents that are caused by Subscriber or Subscriber’s end users.
8. GOVERNMENT ACCESS REQUESTS
If Rosie receives a legally binding request from a Public Authority to access Personal Information that Rosie Processes on Subscriber’s behalf, Rosie shall, unless otherwise legally prohibited, promptly notify Subscriber including a summary of the nature of the request. To the extent Rosie is prohibited by law from providing such notification, Rosie shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Rosie to communicate as much information as possible, as soon as possible. Further, Rosie shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Rosie shall pursue possibilities of appeal. When challenging a request, Rosie shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Information requested until required to do so under the applicable procedural rules. Rosie agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. Rosie shall promptly notify Subscriber if Rosie becomes aware of any direct access by a Public Authority to Personal Information contained in Your Data and provide information available to Rosie in this respect, to the extent permitted by law. For the avoidance of doubt, this DPA shall not require Rosie to pursue action or inaction that could result in civil or criminal penalty for Rosie such as contempt of court. Rosie shall ensure that Sub-processors involved in the Processing of Personal Information are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.
9. RETURN OR DELETION OF PERSONAL INFORMATION
Rosie will return, destroy, or render anonymous all Personal Information in accordance with Subscriber’s reasonable written Instructions submitted to Rosie within 30 days of termination or expiration of the Agreement or as otherwise instructed by Subscriber. The requirements of this Section 9 do not apply to the extent that Rosie is required by applicable law to retain any Personal Information, or to Personal Information that is archived on backup systems, which data Rosie shall securely isolate and protect from any further Processing and delete following Rosie’s deletion practices.
10. AUTHORIZED AFFILIATES
10.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Subscriber enters into the DPA on behalf of Subscriber and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Rosie and each such Authorized Affiliate subject to the provisions of the Agreement. Subscriber, as the contracting party to the Agreement, shall remain responsible for coordinating all communication with Rosie under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Subscriber.
10.2. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Rosie, it shall to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to this section. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Rosie directly by itself, the parties agree that (i) solely Subscriber as the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) Subscriber as the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together.
11. LIMITATION OF LIABILITY
All activities under this DPA are subject to the applicable limitations of liability set forth in the Agreement. For the avoidance of doubt, Rosie’s and its Affiliates’ total liability for all claims from Subscriber and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Subscriber and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Subscriber and/or to any Authorized Affiliate that is a contractual party to any such DPA. Additionally, Subscriber agrees that any regulatory fines or penalties incurred by Subscriber in relation to Your Data that arise as a result of, or in connection with, Subscriber's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Rosie's liability under the Agreement as a liability under the Agreement.
12. GENERAL
If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control with respect to the subject matter herein. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless otherwise required by applicable Data Protection Laws. This DPA and the schedules hereto will automatically terminate upon expiration or termination of the Agreement.
SCHEDULE 1 — DATA SECURITY MEASURES
Rosie has implemented the following technical and organizational Security Measures for the Services:
Physical access controls
Measures for preventing unauthorized persons from gaining access to data processing systems:
Data center is ISO 27001, 27017, and 27018 certified.
Data center compliant with CISPE Code of Conduct for data protection.
Admission control
Measures to prevent data processing systems from being used without authorization:
Multi-factor-authentication
Fine-grained access to objects (only administrative staff can access personal data)
Only authorized API-request authentication is used
AWS Security Token Service (STS) enabled
Virtual access control
Measures to ensure only authorized persons can access or modify Personal Information:
User authentication based on username and strong password
All transactional records contain client-specific identifiers
Data access is role- and user-based
Access, insertion, and modification are logged
Cloud security and privacy standards: ISO 27001, 27017, and 27018
Transmission control
Measures to protect Personal Information during electronic transmission:
All data encrypted in transit using TLS 1.2+
Access to reports is logged
Backup media are encrypted
Removable storage is not used
Input control
Measures to ensure all changes to Personal Information are tracked and auditable:
Governance and monitoring via AWS CloudWatch and Datadog
Entry restricted to defined roles
All entries are timestamped and attributed
Firewalls and intrusion prevention systems are in place
Assignment control
Measures to ensure commissioned Processing follows principal’s instructions:
Confidentiality agreements with all data-accessing individuals
Regular training conducted for personnel
No unauthorized third-party processors used
Availability control
Measures to protect Personal Information from accidental destruction or loss:
Nightly snapshots stored on AWS
Backups retained for 30 days
Separation control
Measures to ensure Personal Information collected for different purposes is kept separate:
Physical and logical data separation
Discrete development, staging, and production environments
Personal Information for services/support is kept separate from marketing data
5. SUB-PROCESSORS
5.1. Appointment of Sub-processors. Subscriber generally authorizes Rosie to engage Sub-Processors for the provision of the Services and Subscriber acknowledges and agrees that (i) Rosie’s Affiliates may be retained as Sub-processors and (ii) Rosie and Rosie’s Affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services to Subscriber. Rosie or a Rosie Affiliate has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Information to the extent applicable to the nature of the Services provided by such Sub-Processor. Rosie shall be liable for the acts and omissions of its Sub-Processors to the same extent Rosie would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement. Rosie shall make available to Subscriber the current list of Sub-processors for the applicable Service(s) upon Subscriber’s written request.
5.2. Objection Right for New Sub-processors. If Subscriber is entitled to notice and an opportunity to object to new Sub-Processors under applicable Data Protection Laws, (i) upon request by Subscriber to be so notified, Rosie shall notify Subscriber of new Sub-Processors and (ii) Subscriber may object to Rosie’s use of a new Sub-Processor by notifying Rosie promptly in writing within ten (10) business days after receipt of Rosie’s notice thereof. In the event Subscriber objects to a new Sub-Processor under this Section 5.2(ii), Rosie will use reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid Processing of Personal Information by the objected-to new Sub-Processor without unreasonably burdening Subscriber. If Rosie is unable to make available such change within thirty (30) days, Subscriber may terminate the Agreement.
6. SECURITY
Rosie shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Information as detailed in Schedule 2 hereto. In doing so, Rosie shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Subscriber is solely responsible for (i) reviewing and determining whether the Services meet Subscriber’s security standards and support Subscriber’s obligations under Data Protection Laws and (ii) the secure use of the Services by Subscriber or any end user whom Subscriber provides with access to an AI Receptionist or other Rosie Services, including but not limited to securing account authentication information and ensuring no such end user seeks to misuse Personal Information or engages in activities likely to give rise to a Data Incident.
7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
Rosie shall notify Subscriber without undue delay after becoming aware of a Data Incident occurring on Rosie’s or its Sub-Processor’s information systems. Rosie shall make reasonable efforts to identify the cause of such Data Incident and take such steps as Rosie deems necessary and reasonable to remediate the cause of such a Data Incident to the extent the remediation is within Rosie's reasonable control. At Subscriber’s reasonable request, and to the extent Rosie is required to do so under applicable Data Protection Laws, Rosie will promptly provide Subscriber with commercially reasonable assistance as necessary to enable Subscriber to meet Subscriber’s obligations under applicable Data Protection Laws to notify authorities and/or affected Data Subjects. The obligations herein shall not apply to incidents that are caused by Subscriber or Subscriber’s end users.
8. GOVERNMENT ACCESS REQUESTS
If Rosie receives a legally binding request from a Public Authority to access Personal Information that Rosie Processes on Subscriber’s behalf, Rosie shall, unless otherwise legally prohibited, promptly notify Subscriber including a summary of the nature of the request. To the extent Rosie is prohibited by law from providing such notification, Rosie shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Rosie to communicate as much information as possible, as soon as possible. Further, Rosie shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Rosie shall pursue possibilities of appeal. When challenging a request, Rosie shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Information requested until required to do so under the applicable procedural rules. Rosie agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. Rosie shall promptly notify Subscriber if Rosie becomes aware of any direct access by a Public Authority to Personal Information contained in Your Data and provide information available to Rosie in this respect, to the extent permitted by law. For the avoidance of doubt, this DPA shall not require Rosie to pursue action or inaction that could result in civil or criminal penalty for Rosie such as contempt of court. Rosie shall ensure that Sub-processors involved in the Processing of Personal Information are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.
9. RETURN OR DELETION OF PERSONAL INFORMATION
Rosie will return, destroy, or render anonymous all Personal Information in accordance with Subscriber’s reasonable written Instructions submitted to Rosie within 30 days of termination or expiration of the Agreement or as otherwise instructed by Subscriber. The requirements of this Section 9 do not apply to the extent that Rosie is required by applicable law to retain any Personal Information, or to Personal Information that is archived on backup systems, which data Rosie shall securely isolate and protect from any further Processing and delete following Rosie’s deletion practices.
10. AUTHORIZED AFFILIATES
10.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Subscriber enters into the DPA on behalf of Subscriber and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Rosie and each such Authorized Affiliate subject to the provisions of the Agreement. Subscriber, as the contracting party to the Agreement, shall remain responsible for coordinating all communication with Rosie under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Subscriber.
10.2. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Rosie, it shall to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to this section. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Rosie directly by itself, the parties agree that (i) solely Subscriber as the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) Subscriber as the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together.
11. LIMITATION OF LIABILITY
All activities under this DPA are subject to the applicable limitations of liability set forth in the Agreement. For the avoidance of doubt, Rosie’s and its Affiliates’ total liability for all claims from Subscriber and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Subscriber and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Subscriber and/or to any Authorized Affiliate that is a contractual party to any such DPA. Additionally, Subscriber agrees that any regulatory fines or penalties incurred by Subscriber in relation to Your Data that arise as a result of, or in connection with, Subscriber's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Rosie's liability under the Agreement as a liability under the Agreement.
12. GENERAL
If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control with respect to the subject matter herein. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless otherwise required by applicable Data Protection Laws. This DPA and the schedules hereto will automatically terminate upon expiration or termination of the Agreement.
SCHEDULE 1 — DATA SECURITY MEASURES
Rosie has implemented the following technical and organizational Security Measures for the Services:
Physical access controls
Measures for preventing unauthorized persons from gaining access to data processing systems:
Data center is ISO 27001, 27017, and 27018 certified.
Data center compliant with CISPE Code of Conduct for data protection.
Admission control
Measures to prevent data processing systems from being used without authorization:
Multi-factor authentication
Fine-grained access to objects (only administrative staff can access personal data)
Only authorized API-request authentication is used
AWS Security Token Service (STS) enabled
Virtual access control
Measures to ensure only authorized persons can access or modify Personal Information:
User authentication based on username and strong password
All transactional records contain client-specific identifiers
Data access is role- and user-based
Access, insertion, and modification are logged
Cloud security and privacy standards: ISO 27001, 27017, and 27018
Transmission control
Measures to protect Personal Information during electronic transmission:
All data encrypted in transit using TLS 1.2+
Access to reports is logged
Backup media are encrypted
Removable storage is not used
Input control
Measures to ensure all changes to Personal Information are tracked and auditable:
Governance and monitoring via AWS CloudWatch and Datadog
Entry restricted to defined roles
All entries are timestamped and attributed
Firewalls and intrusion prevention systems are in place
Assignment control
Measures to ensure commissioned Processing follows principal’s instructions:
Confidentiality agreements with all data-accessing individuals
Regular training conducted for personnel
No unauthorized third-party processors used
Availability control
Measures to protect Personal Information from accidental destruction or loss:
Nightly snapshots stored on AWS
Backups retained for 30 days
Separation control
Measures to ensure Personal Information collected for different purposes is kept separate:
Physical and logical data separation
Discrete development, staging, and production environments
Personal Information for services/support is kept separate from marketing data