DATA PROCESSING ADDENDUM
This Addendum sets out terms that apply to Togetherly’s Processing of Customer Data (including without limitation Personal Data) under the Agreement.
1. Definitions
a. “Addendum Effective Date” means the date on which Customer signed this Addendum.
b. “Adequate Country” means a country which is deemed adequate by the European Commission under Article 25(6) of Directive 95/46/EC or Article 45 of GDPR.
c. “Alternative Transfer Mechanism” means an alternative data export solution for the lawful transfer of Customer Data (as recognised under EU or UK Data Protection Law) outside the EEA.
d. “Customer Data” means any data submitted to Togetherly by the Customer, or collected by Togetherly on behalf of the Customer, connected with the provision and delivery of the Service and related support.
e. “Data Controller” means the party that determines the purposes and means of the Processing of Personal Data.
f. “Data Processor” means the party that Processes Personal Data on behalf of, or under the instruction of, the Data Controller.
g. “Data Protection Authority” means the competent body in the jurisdiction charged with enforcement of applicable Data Protection Law.
h. “Data Protection Laws” means with respect to a party, all privacy, data protection, information security-related and other laws and regulations applicable to such party, including, where applicable, EU or UK Data Protection Law.
i. “Data Subject” means the identified or identifiable person who is the subject of Personal Data.
j. “EEA” means the European Economic Area, United Kingdom and Switzerland.
k. “EU or UK Data Protection Law” means (i) prior to 25th May 2018, European Union Directive 95/46/EC; (ii) on and after 25th May 2018, European Union Regulation 2016/679 (“GDPR”); and (iii) the UK Data Protection Act 2018.
l. References to “instructions” or “written instructions” and related terms mean Data Controller’s instructions for Processing of Customer Data, which consist of (1) the terms of the Agreement and this Addendum, (2) Processing enabled by Data Controller through the Service, and (3) other reasonable written instructions of Data Controller consistent with the terms of the Agreement.
m. “GDPR” refers to EU or UK Data Protection Law.
n. “Model Contracts” means the Standard Contractual Clauses or the UK Addendum for the international transfer of data, whichever is applicable.
o. “Processing” has the meaning given to it in the applicable EU or UK Data Protection Law and “process”, “processes” and “processed” will be interpreted accordingly.
p. “Personal Data” means any information included in the Customer Data relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
q. “Security Incident” means any confirmed unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in Data Processor’s control.
r. “Sensitive Data” means Personal Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
s. “Standard Contractual Clauses” means the Standard Contractual Clauses for Processors as approved by the European Commission under Decision 2021/914 of 4 June 2021.
t. “Subprocessor” means any Third Party engaged by Data Processor or its affiliates to process any Customer Data pursuant to the Agreement or this Addendum.
u. “Third Party” shall mean any natural or legal person, public authority, agency or any other body other than the Data Subject, Data Controller, Data Processor, or Subprocessors or other persons who, under the direct authority of the Data Controller or Data Processor, are authorised to Process the data.
v. “UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
w. Other capitalised terms not defined herein have the meanings given in the Agreement.
2. General Termination
a. This Addendum forms part of the Agreement and except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of that conflict in connection with the Processing of Customer Data.
b. All activities under this Addendum (including without limitation Processing of Customer Data) remain subject to the applicable limitations of liability set forth in the Agreement.
c. Data Controller agrees that any regulatory fines or penalties incurred by Data Processor in relation to the Customer Data that arise as a result of, or in connection with, Data Controller’s failure to comply with its obligations under this Addendum or any applicable Data Protection Laws shall count toward and reduce Data Processor’s liability under the Agreement as if it were liability to Data Controller under the Agreement.
d. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
e. This Addendum will automatically terminate upon expiration or termination of the Agreement.
3. Scope and Applicability of this Addendum
a. This Addendum applies where and to the extent that Togetherly processes Customer Data that is subject to EU or UK Data Protection Law on behalf of Customer in the course of providing the Service pursuant to the Agreement, as detailed at Appendix A.
b. Part A (being Sections 5-11 (inclusive) as well as Appendixes A and B of this Addendum) shall apply to the processing of Customer Data within the scope of this Addendum from the Addendum Effective Date.
c. Part B (being Sections 12-14 (inclusive) of this Addendum) shall apply to the processing of Customer Data within the scope of this Addendum from and including 25th May 2018. For the avoidance of doubt, Part B shall apply in addition to, and not in substitution for, the terms in Part A.
Part A: General Data Protection Obligations
5. Role and Scope of the Processing
a. Customer will act as the Data Controller and Togetherly will act as the Data Processor under this Addendum. Both Customer and Togetherly shall be subject to applicable Data Protection Laws in the carrying out of their responsibilities as set forth in this Addendum.
b. Customer retains all ownership rights in the Customer Data, as set forth in the Agreement. Except as expressly authorised by Customer in writing or as instructed by Customer, Togetherly shall have no right directly or indirectly to sell, rent, lease, combine, display, perform, modify, transfer or disclose the Customer Data or any derivative work thereof. Togetherly shall act only in accordance with Customer’s instructions regarding the Processing of the Customer Data except to the extent prohibited by applicable Data Protection Laws.
c. Additional instructions not consistent with the scope of the Agreement require prior written agreement of the parties, including agreement on any additional fees payable by Customer.
d. Notwithstanding the above, Customer acknowledges that Togetherly shall have a right to use Aggregated Anonymous Data as detailed in the Agreement.
e. Togetherly shall not disclose the Customer Data to any Third Party in any circumstances other than in compliance with Customer’s instructions or in compliance with a legal obligation to disclose. Togetherly shall inform Customer in writing prior to making any such legally required disclosure, to the extent permitted by Data Protection Laws.
f. Customer agrees that they are responsible for determining whether the data security provided for in the Service adequately meets their obligations under applicable Data Protection Laws.
g. Customer agrees that they are solely responsible for the accuracy, quality and legality of Customer Data and the means by which it was acquired, including obtaining the necessary consents (particularly for audio recording).
h. Customer agrees that any Sensitive Data submitted to the service is done so in accordance with Article 9 of GDPR.
6. Subprocessors
a. Customer agrees that Togetherly is authorised to use Subprocessors (including without limitation cloud infrastructure providers) to Process the Personal Data, provided that Togetherly:
(i) enters into an agreement with any Subprocessor, imposing data protection obligations substantially similar to this Addendum; and
(ii) remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Togetherly to breach any of its obligations under this Addendum.
b. Information about Subprocessors, including their functions and locations, is detailed in Appendix C or at: https://together.lydpa (as may be updated by Togetherly from time to time in accordance with this Addendum).
7. Security
a. Togetherly shall implement and maintain appropriate technical and organisational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with Togetherly’s security standards described in Appendix B (“Security Measures”).
b. Customer is responsible for reviewing the information made available by Togetherly relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and that Togetherly may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by Customer.
8. Onward Transfer
a. Togetherly may, subject to complying with this Section 8, store and process Customer Data anywhere in the world where Togetherly, its affiliates or Subprocessors maintain data processing operations.
b. To the extent that Togetherly processes any Personal Data protected by GDPR and/or originating from the EEA in the United States or another country outside the EEA that is not designated as an Adequate Country, then the parties shall sign the Model Contracts.
c. The parties agree that Togetherly is the “data importer” and Customer is the “data exporter” under the Model Contracts (notwithstanding that Customer may be an entity located outside of the EEA).
9. Regulatory Compliance
a. At Customer’s request and expense, Togetherly shall reasonably assist Customer as necessary to meet its obligations to Data Protection Authorities.
b. Togetherly shall (at Customer’s expense) reasonably assist Customer to respond to requests from individuals in relation to their rights of data access, rectification, erasure, restriction, portability and objection. In the event that any such request is made directly to Togetherly, Togetherly shall not respond to such communication directly without Customer’s prior authorisation unless required by Data Protection Laws.
10. Audits of Data Processing
a. At Customer’s request, Togetherly shall provide Customer with written responses to all reasonable requests for information made by Customer relevant to the Processing of Personal Data under this Addendum, including responses to security and audit questionnaires, in each case solely to the extent necessary to confirm Togetherly’s compliance with this Addendum.
b. Upon request, Togetherly will allow Customer to perform an on-site audit, review processes and procedures, and interview staff.
c. Except as expressly required by Data Protection Laws, any audit under this Section will:
(i) be conducted no more often than once per year during Togetherly’s normal business hours, in a manner so as not to interfere with standard business operations;
(ii) be subject to Togetherly’s reasonable confidentiality and security constraints;
(iii) be conducted at Customer’s expense; and
(iv) not extend to any information, systems or facilities of Togetherly’s other customers or its Third Party infrastructure providers.
d. Any information provided by Togetherly under this Section 10 constitutes Togetherly’s Confidential Information under the Agreement.
11. Return or deletion of data
a. Upon request by Customer at the termination or expiration of the Agreement, Togetherly shall delete or return, at Customer’s choice, all of the Personal Data from Togetherly’s systems in accordance with our data retention policy. Within a reasonable period following deletion, at Customer’s request, Togetherly will provide written confirmation that Togetherly’s obligations of data deletion or destruction have been fulfilled.
b. Notwithstanding the foregoing, Customer understands that Togetherly may retain Customer Data as required by Data Protection Laws, which data will remain subject to the requirements of this Addendum.
c. Information on how long it takes us to delete or return data is published on our data retention policy at: https://www.Togetherly.com/legal/data-retention-policy (as may be updated by Togetherly from time to time in accordance with this Addendum).
Part B: GDPR Obligations from 25 May 2018
12. Additional Security
a. Upon becoming aware of a confirmed Security Incident, Togetherly shall notify Customer as set out in the Security Measures.
13. Changes to Subprocessors
a. When any new Subprocessor is engaged, Togetherly will, at least ten (10) calendar days before the new Subprocessor processes any Customer Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by sending an email to the Billing Email Address.
b. Customer may object in writing to Togetherly’s appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If Togetherly cannot provide an alternative Subprocessor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience, on condition that Customer provides written notice to Togetherly within five (5) calendar days of being informed of the engagement of the Subprocessor.
14. Further cooperation
a. Where and when required by Data Protection Laws, Togetherly will provide the relevant Data Protection Authorities with information related to Togetherly’s Processing of Personal Data. Togetherly further agrees that it will maintain such required registrations and where necessary renew them during the term of this Addendum. Any changes to Togetherly’s status in this respect shall be notified to Customer immediately.
b. To the extent Togetherly is required under Data Protection Laws, Togetherly shall (at Customer’s expense) provide reasonably requested information regarding the Service or prior consultations with Data Protection Authorities to enable Customer to carry out data protection impact assessments.
15. Liability
a. If one party is held liable for a violation of this Addendum committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred in accordance with the provisions of the “Limitation of Liability” Section of the Agreement.
b. Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” Section of the Agreement. For the avoidance of doubt, Togetherly’s total liability for all claims from the Customer or any third party arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.
Appendix A – Description of Processing
Details of Processing Subject Matter:
The subject matter of the data processing under this Addendum is the Customer Data provided to Togetherly via the Service by (or at the direction of) Customer.
Duration of the Processing:
The duration of the data processing under this Addendum is continuous until the termination of the Agreement plus the period from the expiry of the Agreement until deletion of all Customer Data by Togetherly in accordance with the terms of the Addendum.
Nature and Purpose of the Processing:
The purpose of the Processing under this Addendum is the provision of the Service to Customer and the performance of Togetherly’s obligations under the Agreement (including this Addendum) or as otherwise agreed by the parties.
Data Subjects: Data subjects include the individuals about whom data is provided to Togetherly via use of the Service by (or at the direction of) Customer including all users of the Service.
Categories of Data:
Data relating to individuals provided to Togetherly via the Service by (or at the direction of) Customer includes the following:
• Contact information (name, address, email, telephone numbers).
• Call detail records including numbers of the calling and the receiving party, start date and time of the call, duration of the call.
• Customer initiated audio recordings.
• Any other Personal Data submitted by the Customer during use of the Service, including in the content of the communications that are sent and received using the Services.
Sensitive Data: The Service is not designed to recognise or classify data as special categories of data or sensitive data (as defined in applicable Data Protection Laws). Insofar as Customer chooses to process special categories of data, Customer undertakes to process this category in accordance with all applicable Data Protection Laws.
Appendix B – Security Measures
Security Measures Introduction
Togetherly considers protection of Customer Data a top priority. As further described in these Security Measures, Togetherly uses commercially reasonable organisational and technical measures designed to prevent unauthorised access, use, alteration or disclosure of Customer Data stored on systems under Togetherly’s control.
1. Access to Customer Data.
Togetherly limits its personnel’s access to Customer Data as follows:
a. Requires unique user access authorisation through secure logins and passwords, including individually-assigned Secure Shell (SSH) keys for external engineer access;
b. Limits the Customer Data available to Togetherly personnel on a “need to know” basis;
c. Restricts access to Togetherly’s production environment by Togetherly personnel on the basis of business need; and
d. Encrypts user security credentials for production access.
2. Data Encryption.
Togetherly provides industry-standard encryption for Customer Data:
a. In-transit: Togetherly requires HTTPS encryption to access all Customer Data online.
b. At-rest: Togetherly stores user passwords in accordance with industry-standard security practices.
3. Data Management
a. Togetherly logically separates each of its customers’ data and maintains measures designed to prevent Customer Data from being exposed to or accessed by other customers.
4. Network Security, Physical Security and Environmental Controls
a. Togetherly uses a variety of techniques designed to detect and/or prevent unauthorised access to systems processing Customer Data, including firewalls and network access controls.
b. Togetherly maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Service.
c. Togetherly monitors privileged access to applications that process Customer Data, including cloud services.
d. The Service is hosted on and operates from only ISO27001 certified data centres.
5. Independent Security Assessments.
Togetherly periodically assesses the security of its systems and the Service as follows:
a. Periodic detailed security and vulnerability assessments of the Service conducted by independent third-party security experts.
b. Periodic penetration testing of Togetherly systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.
c. Regular vulnerability scanning.
6. Incident Response.
If Togetherly becomes aware of a Security Incident, Togetherly will:
a. Take reasonable measures to mitigate the harmful effects of the Security Incident and prevent further unauthorised access or disclosure.
b. Upon confirmation of the Security Incident, notify Customer in writing of the Security Incident without undue delay. Notwithstanding the foregoing, Togetherly is not required to make such notice to the extent prohibited by Laws, and Togetherly may delay such notice as requested by law enforcement and/or in light of Togetherly’s legitimate needs to investigate or remediate the matter before providing notice.
c. Each notice of a Security Incident will include:
(i) The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Security Incident;
(ii) A description of what happened, including the date of the Breach and the date of discovery of the Security Incident, if known;
(iii) The scope of the Security Incident, to the extent known; and
(iv) A description of Togetherly’s response to the Security Incident, including steps Togetherly has taken to mitigate the harm caused by the Security Incident.
7. Business Continuity Management
a. Togetherly maintains processes to ensure failover redundancy with its systems, networks and data storage.
8. Personnel Management
a. Togetherly performs employment verification, including proof of identity validation and appropriate background checks for all new hires.
b. Togetherly provides training for its personnel who are involved in the processing of the Customer Data to ensure they do not collect, process or use Customer Data without authorisation and that they keep Customer Data confidential.
c. Togetherly conducts routine and random monitoring of employee systems activity.
d. Upon employee termination, whether voluntary or involuntary, Togetherly immediately disables all access to critical and noncritical systems, including Togetherly’s physical facilities.
Appendix C – Data Subprocessors
Togetherly works with certain third parties to provide specific functionality within the Service. These providers are the Subprocessors set forth below. In order to provide the relevant functionality these Subprocessors access Service Data. Their use is limited to the indicated Services.
This list may be updated from time to time; the latest version will be published at: https://together.ly.com/dpa
• Amazon Data Services Ireland Ltd: Cloud Service Provider (Ireland; DPA; ISO 27001).
• Elastic, Inc. AKA Close.io: Togetherly uses Close.io to track sales and leads. We do not share any Customer Data with Close.io, only Account data.
• FreeAgent Holdings plc: SaaS Accounting software. FreeAgent provides our accounting software; we also use them to produce and track invoices. We do not share any Customer Data with FreeAgent, only Account data.
• Google Inc. Email, Calendar, Analytics and Back Office service provider.
• Intercom R&D Unlimited Company. We use Intercom to process support tickets and live chat from our users, which may include Customer Data.
• Mailchimp / Intuit Inc. We use Mailchimp to send product update emails to our users.
• Rollbar, Inc. Real-time error monitoring, alerting, and analytics. We utilise Rollbar to help our developer and operations teams quickly identify and fix coding issues. In the course of application usage some errors sent to Rollbar may include user data. Togetherly is, again, the only consumer of this data.
• Slack Technologies, Inc. Team collaboration tool. Our team use Slack to collaborate on work related tasks, and to alert teams to business events that are occurring in real-time. As such some Customer Data is shared with Slack.
• Stripe Payments Europe, Ltd. Payment Processing Service. We utilise Stripe for all of our payment processing.
• Wildbit, LLC (“Wildbit”) AKA Postmark Email delivery service. We use Postmark to help ensure high email delivery rates to customers’ inboxes. We share email addresses with Postmark in order for them to deliver emails from Togetherly such as “Invites” and “Reminders”.