Let’s Talk Interactive Data Processing Agreement


Let’s Talk Interactive Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Master Software Subscription Agreement between Let’s Talk Interactive and [Customer], (hereinafter “Customer”) and, or other agreement between Customer and Let’s Talk Interactive governing Customer’s use of the Service Offerings (collectively, the “Agreement”) when the GDPR applies to your use of our Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Let’s Talk Interactive under the Agreement (“Let’s Talk Interactive”, “We”, “Our”, “Data Processor”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in in the definitions section of this DPA.

GENERAL TERMS.

  1. The parties agree that this DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein the parties may previously have entered in connection with Services.
  2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail.
  3. Any claims brought under or in connection with this DPA are subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Agreement.

ROLES OF PARTIES; CUSTOMER OBLIGATIONS

  1. The Parties acknowledge and agree that for purposes of this DPA, Let’s Talk Interactive is a Processor of Customer Personal Data, and that Customer is a Controller.
  2. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its Processing of Customer Personal Data and any Processing instructions it issues to Let’s Talk Interactive; and (ii) it has provided all notices, and obtained all consents and rights, necessary under Data Protection Laws for Let’s Talk Interactive to Process Customer Personal Data and provide the Services as described in the Agreement. Customer shall promptly notify Let’s Talk Interactive and cease Processing Customer Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.
  1. Data Processing.
    1. Scope and Roles. This DPA applies when Customer Data is processed by Let’s Talk Interactive. In this context, we will act as processor to Customer, who can act either as controller or processor of Customer Data.
    2. Customer Controls. Customer can submit requests through the Data Subject Access Rights (DSAR) Portal noted in our Privacy Policy so submit requests related to the Customer’s obligations under the GDPR, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Customer agrees that it is unlikely that Let’s Talk Interactive would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Let’s Talk Interactive becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Let’s Talk Interactive will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by fulfilling requests submitted through our DSAR portal.
    3. Details of Data Processing.
      1. Subject matter. The subject matter of the data processing under this DPA is Customer Data.
      2. Duration. As between Let’s Talk Interactive and Customer, the duration of the data processing under this DPA is determined by Customer.
      3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
      4. Nature of the processing. Software as a Service (SaaS) and such other Services as described in the Documentation and initiated by Customer from time to time.
      5. Type of Customer Data. Customer Data provided by and or uploaded to the Customer’s SaaS tenant.
      6. Categories of data subjects. The data subjects could include Customer’s customers, employees, suppliers and End Users.
    4. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR.
  2. Customer Instructions. The parties agree that this DPA and the Agreement (including Customer providing instructions) constitute Customer’s documented instructions regarding Let’s Talk Interactive’s processing of Customer Data (“Documented Instructions”). Let’s Talk Interactive will process Customer Data only in accordance with Documented Instructions (which if Customer is acting as a processor, could be based on the instructions of its controllers). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Let’s Talk Interactive and Customer, including agreement on any additional fees payable by Customer to Let’s Talk Interactive for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Let’s Talk Interactive declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Taking into account the nature of the processing, Customer agrees that it is unlikely Let’s Talk Interactive can form an opinion on whether Documented Instructions infringe the GDPR. If Let’s Talk Interactive forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions.
  3. Confidentiality of Customer Data. Let’s Talk Interactive will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Let’s Talk Interactive a demand for Customer Data, Let’s Talk Interactive will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Let’s Talk Interactive may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Let’s Talk Interactive will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Let’s Talk Interactive is legally prohibited from doing so.
    1. Let’s Talk Interactive will maintain appropriate physical, technical and organizational informational security measures to protect the integrity, security, and confidentiality of all Customer Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of Customer Personal Data.
    2. Customer acknowledges that Let’s Talk Interactive may change the security measures through the adoption of new or enhanced security technologies and authorizes Let’s Talk Interactive to make such changes provided that they do not diminish the level of protection. Let’s Talk Interactive shall make information about the most up to date security measures applicable to the Services available to Customer upon request.
  4. Confidentiality Obligations of Let’s Talk Interactive‘s Personnel. Let’s Talk Interactive restricts its personnel from processing Customer Data without authorization by Let’s Talk Interactive. Let’s Talk Interactive imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
  5. Assistance with Data Subject Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Customer Personal Data, or block or restrict Processing of Customer Personal Data, then at Customer’s written direction and to the extent required by Data Protection Laws, Let’s Talk Interactive shall comply with any commercially reasonable request by Customer to facilitate such actions. Taking into account the nature of the processing, the Service Controls are the technical and organizational measures, Let’s Talk Interactive will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests under the GDPR. If a data subject makes a request to Let’s Talk Interactive, Let’s Talk Interactive will promptly forward such request to Customer once Let’s Talk Interactive has identified that the request is from a data subject for whom Customer is responsible. Customer authorizes on its behalf, and on behalf of its controllers when Customer is acting as a processor, Let’s Talk Interactive to respond to any data subject who makes a request to Let’s Talk Interactive, to confirm that Let’s Talk Interactive has forwarded the request to Customer.
  6. Security Incident Notification.
    1. Security Incident. Let’s Talk Interactive will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
    2. Let’s Talk Interactive Assistance. To enable Customer to notify of a Security Incident to supervisory authorities or data subjects (as applicable), Let’s Talk Interactive will cooperate with and assist Customer by including in the notification under this Section such information about the Security Incident as Let’s Talk Interactive is able to disclose to Customer, taking into account the nature of the processing, the information available to Let’s Talk Interactive, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
    3. Unsuccessful Security Incidents. Customer agrees that:
      1. an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Let’s Talk Interactive’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
      2. Let’s Talk Interactive’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Let’s Talk Interactive of any fault or liability Let’s Talk Interactive with respect to the Security Incident.
    4. Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Let’s Talk Interactive selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information at all times.
  7. Audits and Inspections.
    1. Internal Audits. Upon written request, Let’s Talk Interactive shall provide, at its own expense, if available, any data security compliance reports or audit reports that assess the effectiveness of Let’s Talk Interactive’s information security program, system(s), internal controls, and procedures relating to the Processing of Customer Personal Data.
    2. Customer Audits. Upon request, Let’s Talk Interactive agrees to respond, no more than once per year, to a reasonable information security questionnaire concerning security practices specific to the Services provided hereunder. Upon reasonable advance written notice in no case fewer than five (30) business days and Let’s Talk Interactive acceptance, Customer may, not more than once per year, during normal business hours and at its own expense, inspect Let’s Talk Interactive facilities, networks and procedures directly related to the processing of Customer Personal Data in order to determine compliance with this Agreement. Let’s Talk Interactive shall reasonably cooperate with such audit by providing access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Customer Personal Data. Customer shall be responsible for its costs and expenses of such audit. Customer acknowledges that certain information about Let’s Talk Interactive’ security standards and practices are sensitive confidential information which will not be disclosed by Let’s Talk Interactive to Customer.
    3. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Let’s Talk Interactive, Let’s Talk Interactive will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation.

  1. International Transfers
    1. Let’s Talk Interactive may Process Customer Personal Data in the United States and anywhere else in the world where Let’s Talk Interactive or its Sub-processors maintain data Processing operations. Let’s Talk Interactive shall at all times provide an adequate level of protection for Customer Personal Data, in accordance with the requirements of Data Protection Laws.
    2. To the extent performance of the Services requires the transfer of Customer Personal Data from within the European Union, the European Economic Area and their member states, Switzerland, or the United Kingdom to a country not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the GDPR), the Standard Contractual Clauses will apply to the transfer and are incorporated by reference herein.
  2. Termination of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”).
  3. Return or Deletion of Customer Data. At any time up to the Termination Date, and for 90 days following the Termination Date, subject to the terms and conditions of the Agreement, Let’s Talk Interactive will return or delete Customer Data when Customer uses the Service Controls to request such return or deletion.
  4. Sub-processing.
    1. Authorized Sub-processors. Customer provides general authorization to Let’s Talk Interactive’s use of sub-processors to provide processing activities on Customer Data on behalf of Customer (“Sub-processors”) in accordance with this Section. The Let’s Talk Interactive lists of Sub-processors that are currently engaged by Let’s Talk Interactive listed within Annex 1 of this agreement. At least 30 days before Let’s Talk Interactive engages a Sub-processor, Let’s Talk Interactive will update Annex 1 and provide Customer with a mechanism to obtain notice of that update. To object to a Sub-processor, Customer can: (i) terminate the Agreement pursuant to its terms; or (ii) cease using the Service for which Let’s Talk Interactive has engaged the Sub-processor.
    2. Sub-processor Obligations. Where Let’s Talk Interactive authorizes a Sub-processor:
      1. 11.2.1.Let’s Talk Interactive will restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Let’s Talk Interactive will prohibit the Sub-processor from accessing Customer Data for any other purpose;
      2. 11.2.2.Let’s Talk Interactive will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Let’s Talk Interactive under this DPA, Let’s Talk Interactive will impose on the Sub-processor the same contractual obligations that Let’s Talk Interactive has under this DPA; and
      3. 11.2.3.Let’s Talk Interactive will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Let’s Talk Interactive to breach any of Let’s Talk Interactive’s obligations under this DPA.
  5. Requests, Demands, And Inquiries from Governmental Or Regulatory Bodies.
    1. Unless prohibited to do so by applicable law, Let’s Talk Interactive shall inform Customer as soon as possible if it receives a request or demand from a governmental or regulatory body with authority over Let’s Talk Interactive or Customer relating to Let’s Talk Interactive’s Processing of Customer Personal Data. Let’s Talk Interactive may attempt to redirect the government or regulatory body to request that data directly from Customer. As part of this effort, Let’s Talk Interactive may provide Customer’s basic contact information to the government or regulatory body. If compelled to disclose Customer Personal Data to a government or regulatory authority, then Let’s Talk Interactive shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Let’s Talk Interactive is legally prohibited from doing so.
    2. Let’s Talk Interactive shall provide commercially reasonable cooperation to assist Customer in its response to any requests from a Supervisory Authority relating to the Processing of Customer Personal Data under the Agreement and this DPA.
    3. Authority in the performance of its tasks relating to this Section, to the extent required under any Data Protection Laws.
  6. MISCELLANEOUS.
    1. Termination and Survival. This Agreement and all provisions herein shall survive so long as, and to the extent that, Let’s Talk Interactive Processes or retains Customer Personal Data.
    2. Counterparts. This Agreement may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this Agreement by executing a counterpart.
    3. Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.

Signed for and on behalf of:

Let’s Talk Interactive

[Customer]

Signature:

Signature:

Name:

Name:

Title:

Title:

Date:

Date:

Annex 1 - List of Subprocessors

As of the date of this agreement, Let’s Talk Interactive engages the following Subprocessors that may process Personal Data:

Subprocessor (entity name)

Provided Service

Amazon Web services (AWS)

Infrastructure as a Service and Platform as a Service

Twilio / SendGrid

Email and SMS notifications sent through products

Vonage

Video Provider

Zoom

Video Provider

PubNub

In app alerts and chat

Nylas

Calendar integration

Annex 2 - Information Security Measures

Security Program. Let’s Talk Interactive has developed, implemented, and will consistently update and maintain as needed: (i) a written and comprehensive information security program in compliance with applicable Data Protection Law; and (ii) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identify theft. Let’s Talk Interactive will maintain appropriate measures to protect the integrity, security and confidentiality of all Customer Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include the following:

In assessing the appropriate level of security account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Customer Personal Data;

the encryption of Personal Data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data;

measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Customer;

Access. Let’s Talk Interactive shall reasonably update all access rights based on personnel or computer system changes, and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Customer Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to fulfill the purposes of the Agreement. Access controls include:

Changes. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Let’s Talk Interactive will therefore evaluate the measures as on a periodic basis and will take reasonable measures to maintain compliance with the requirements. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction.

Where an amendment to the Service Agreement is necessary in order to execute a Customer instruction to the Let’s Talk Interactive to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the underlying agreement in good faith.

Physical Security Measures. Let’s Talk Interactive shall maintain appropriate physical security measures for any facility used to Process Customer Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats.

Let’s Talk Interactive maintains physical security standards designed to prohibit unauthorized physical access to Let’s Talk Interactive facilities and equipment by using the following practices:

  1. physical access to locations is limited to Let’s Talk Interactive employees, subcontractors, and authorized visitors;
  2. Let’s Talk Interactive employees, subcontractors, and authorized visitors are issued identification cards that must be worn while on premises;
  3. monitoring access to Let’s Talk Interactive facilities, including restricted areas and equipment within facilities;
  4. access to the data center where Customer Personal Data is hosted is logged, monitored, and tracked; and
  5. data centers are secured with alarm systems and video cameras.
  6. Technical Security Measures. Let’s Talk Interactive shall:
  7. Perform vulnerability scanning on key applications and infrastructure
  8. Identify computer systems and applications that warrant security event monitoring
  9. Encrypt Personal Data in transit, and where needed, at rest.
  10. Deploy necessary system security patches to all software and systems that process or store Personal Data.
  11. Use up-to-date commercial virus/malware scanning software that identifies malicious code on all of its systems that collect, use, disclose, store, retain or otherwise Process Personal Data.
  12. Use an up-to-date multi-factor authentication solution to ensure that only authorized personnel have access to Customer Personal Data.
  13. Computers and servers have reasonable up-to-date versions of system security software which may include host firewall, anti-virus protection, and up-to-date patches and virus definitions.
  14. Let’s Talk Interactive maintains logs of various components of the infrastructure and an intrusion detection system.