Engage Digital’s Data Processing Agreement

Last updated : July 17, 2019

 

This Data Processing Addendum (“DPA”) is made by and between RingCentral France and Customer (each a “party“, together the “parties“), pursuant to the Agreement for the provision of the Services (as defined below) to Customer.

This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is processed by RingCentral as a Processor on behalf of Customer for the services listed in Annex B.

Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.

          1. Definitions

1.1 For the purposes of this DPA:

(a) “Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.

(b) “Agreement” means the main written or electronic agreement between Customer and RingCentral for the provision of any of the services set out at Annex B to Customer (each a “Service“).

(b) “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, EU Data Protection Legislation.

(c) “EEA” means the European Economic Area, including the United Kingdom.

(d) “EU Data Protection Laws” means the applicable European data protection legislation, including, but not limited to, EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (also known as the General Data Protection Regulation) (the “GDPR”), and any and all applicable national data protection laws, rules and regulations in the United Kingdom, including the Data Protection Act 2018 and the EEA which may be adopted from time to time including the Law No 78-17 of 6 January 1978 on information technology, data files and civil liberties as last amended by the Ordonnance n° 2018-1125 of 12 December 2018.

(e) “Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

(f) “Processor” shall mean an entity which processes Personal Data on behalf of the Controller.

(g) “Personal Data” means any information relating to an identified or identifiable natural person.

(h) “Privacy Shield” means the EU-US and Swiss-US Privacy Shield self-certification programs operated and administered by the U.S. Department of Commerce.

(i) “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C/2016/4176 of July 12, 2016 (as amended, superseded or replaced, as the case may be).

(j) “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.

(k) “Usage Data” means any data resulting from the Customer’s use or operation of the Services, including, without limitation, traffic data, call detail records, metadata, log data, billing information, emails, customer authentication and audit logs, any data related to professional services; access logs, system logs, server logs.

          2. Applicability of DPA

2.1 Applicability of DPA. This DPA will apply to the extent that RingCentral processes Personal Data on behalf of a Customer or Customer Affiliate as a Processor.

2.2 Usage Data. Notwithstanding anything to the contrary contained in this DPA, RingCentral will have the right to collect, extract, compile, synthesize, process and analyse Usage Data. To the extent that such Usage Data is collected or generated by RingCentral, such data may be used by RingCentral for regulatory compliance, network security, fraud detection and prevention, billing, internal analytics and other lawful purposes. For the avoidance of doubt, this DPA will not apply to Usage Data

          3. Roles and responsibilities.

3.1 Parties’ Roles. As between the parties and for the purposes of this DPA, Customer shall be the Controller of the Personal Data that is processed by RingCentral under the Agreement as described in Annex A and RingCentral shall process the Personal Data as a Processor on Customer’s behalf.

3.2 Obligations of the Customer. Customer undertakes to:

(a) Ensure that it may lawfully disclose the Personal Data to RingCentral for the purposes set out in the Agreement;

(b) Comply with Applicable Data Protection Laws in its use of the Services, and its own collection and processing of Personal Data (for the avoidance of doubt, Customer’s instructions to RingCentral shall comply with Applicable Data Protection Laws and Customer shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Customer acquired Personal Data); and

(c) Ensure that no special categories of data or sensitive data (as defined in GDPR or Applicable Data Protection Laws), nor any Personal Data concerning minors, is stored within the Services.

3.3 Purpose Limitation. RingCentral shall process the Personal Data for the purposes of providing the Services as further described in Annex A, except where otherwise required by applicable law. Any additional processing required by Customer outside of the scope of the Agreement will require prior written agreement between the parties, including an agreement on any additional fees that Customer may be required to pay.

3.4 Confidentiality of processing. RingCentral shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (either a contractual or a statutory duty).

3.5 Security. RingCentral will maintain appropriate technical and organizational security measures to safeguard the security of Personal Data. RingCentral will maintain an information security and risk management programme based on commercial best practices to preserve the confidentiality, integrity and accessibility of Personal Data with administrative, technical and physical measures conforming to generally recognized industry standards and practices. RingCentral shall implement appropriate technical and organisational measures designed to protect the Personal Data from a Security Incident.

3.6 Security Incidents. Upon becoming aware of a Security Incident, RingCentral shall notify Customer without undue delay at the contact information that Customer has provided in the Administrative Portal and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under Applicable Data Protection Laws

3.7 Provision of Security Reports. RingCentral shall provide, upon Customer’s request, copies of any relevant summaries of external security certifications or security audit reports necessary to verify RingCentral’s compliance with this DPA.

3.8 Deletion or return of data. Upon termination or expiry of the Agreement, and upon written request, RingCentral shall, at Customer’s election, either delete or return to Customer the Personal Data (including copies) in RingCentral’s possession, save to the extent that RingCentral is required by applicable law to retain some or all of the Personal Data.

          4. GDPR obligations

4.1 Applicability of Section. This Section 4 shall apply to the processing of Personal Data that is subject to the protection of the GDPR.

4.2 Sub-processors. Customer agrees that RingCentral may engage RingCentral affiliates and third party sub-processors (collectively, “Sub-processors“) to process the Personal Data on RingCentral’s behalf. RingCentral shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. The Sub-Processors engaged by RingCentral in respect of each of Office Services are noted on the RingCentral Sub-processor List available at https://www.ringcentral.com/legal/dpa-subprocessor-list.html, and for Engage Service in Annex C

4.3 Changes to Sub-processors. RingCentral may, by giving reasonable notice to the Customer, add or make changes to the Sub-processors. If the Customer objects to the appointment of an additional Sub-processor within 30 calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, then the parties will discuss such concerns in with a view to achieving resolution. If such resolution cannot be reached, then RingCentral will either not appoint the Sub-processor or if this is not possible, Customer will be entitled to suspend or terminate the affected RingCentral Service in accordance with the termination provisions of the Agreement. Notwithstanding the foregoing, in the event of an unforeseeable force majeure (such as a Sub-processor failure) that can provoke a degradation or interruption of the Service, RingCentral reserves the right to immediately change the failing Sub-processor in order to maintain or restore the standard conditions of Service. In this situation, the notification of Sub-processor change may be exceptionally sent after the change.

4.4 Cooperation and data subjects’ rights. Some of the RingCentral Services may provide direct technical means to enable Customer to fulfill its duties to respond to requests from data subjects exercising their rights of access, rights to rectification, rights to erasure, rights to object, rights to restrict processing, and rights to portability. For avoidance of doubt, it is the Customer’s responsibility to respond to any data subject request. If Customer is unable to address the data subject’s request through such technical means, or where such functionality is not available, RingCentral shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable Customer to respond to such data subject requests. In the event that such request is made directly to RingCentral, RingCentral shall promptly inform the data subject to contact the Customer of the same. It is Customer’s sole responsibility to ensure that any account Administrator identified for Customer’s RingCentral account to manage and carry out data subject requests has appropriate authority to do so.

4.5 Data Protection Impact Assessments. RingCentral shall, to the extent required by EU Data Protection Laws, and upon Customer’s request and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Laws in relation to the scope of the Services to be provided by RingCentral pursuant to the Agreement.

4.6 International Transfers. To the extent that RingCentral processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been recognized by the European Commission as providing an adequate level of protection for Personal Data, RingCentral shall put in place such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Laws, which may include reliance on RingCentral, Inc.’s self-certification to the Privacy Shield Framework and its compliance with the Privacy Shield Principles, the execution of standard contractual clauses approved by the European Commission, or the putting in place of any other valid transfer mechanism under EU Data Protection Laws.

4.8 Audits. While it is the parties’ intention ordinarily to rely on the provision of the security reports at Section 3.7 above to verify RingCentral’s compliance with this DPA, RingCentral shall permit the Customer (or its appointed third-party auditors) to carry out an audit of RingCentral’s processing of Personal Data under the Agreement following a Security Incident suffered by RingCentral, or upon the instruction of a data protection authority. Customer must give RingCentral thirty (30) days prior notice of such intention to audit, conduct its audit at Customer’s own costs and during normal business hours, and take all reasonable measures to prevent unnecessary disruption to RingCentral’s operations. Any such audit shall be subject to RingCentral’s security and confidentiality terms and guidelines.

 

4.9 Customer shall use its reasonable endeavours to ensure that the conduct of each audit does not unreasonably disrupt RingCentral or delay the provision of the Services. RingCentral shall provide Customer (and its auditors and other advisers) with all reasonable cooperation, access and assistance in relation to each audit. The audit shall be conducted at RingCentral’s place of business during normal business hours, without disrupting RingCentral’s normal business operations and shall last no longer than two business days.

 

4.10 For the avoidance of doubt, RingCentral is not obligated to disclose to the Customer any documents or other material relating to RingCentral’s profitability, legally privileged documents, or information, or documents that the RingCentral is bound to maintain as confidential by written obligation to a third party or under applicable law or regulation. Audit results, including information and documentation disclosed or made available to Customer in the course of any such audit, will be deemed RingCentral’s Confidential Information. The parties shall bear their own costs and expenses incurred in respect of compliance with their obligations under this clause.

 

          5. Miscellaneous 

5.1 Except as amended by this DPA, the Agreement will remain in full force and effect.

5.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.

5.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

 

ANNEX A

DESCRIPTION OF THE DATA PROCESSING –

 

          I. RingCentral Office Plan Services

 

Nature and Purposes of Processing

RingCentral Office is a cloud-based communications and collaboration services for high-definition voice, video, SMS, messaging and collaboration, conferencing, online meetings, and fax. As part of the Service, RingCentral processes the Personal Data of the individuals who participate in these communications, including the Customer’s employees and authorized users and other third parties who are involved in communications taking place through the Customer’s use of the Services.

RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, for the purposes of customer relationship management, and customer support.

 

Categories of Data Subjects

  • Customer’s employees and authorized users who use the Services in connection with the business of the Customer.
  • Any other third party individuals who are involved in or referred to in the content of communications or collaborations taking place through the Customer’s use of the Services.

 

Types of Personal Data Processed

The Personal Data transferred concerns the following categories of data:

  • Identification information for Customer, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title);
  • Identification information for anyone who uses the Service at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile) and email address);
  • Any other Personal Data that the Customer, its authorized users or third parties involved in the communications choose to include in the content of the communications that are sent and received using the Service.

The Personal Data transferred to RingCentral for processing is determined and controlled by the Customer in its sole discretion. As such, RingCentral has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Customer or its users.

 

Special Categories of Data

RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data to RingCentral at any time.

 

Duration of Processing

The Personal Data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.

 

II. RingCentral Engage Digital

Nature and Purposes of Processing

RingCentral Engage Digital is an omni-channel digital customer communication management platform that unifies all customer-facing communication channels, including email, SMS, website, mobile app, chat and social media communications, onto a single platform. RingCentral Engage Digital publishes authorized users contents onto the public or private communication channels connected to their platform and synchronizes end user contents from the same channels. RingCentral Engage Digital stores and displays Customer information and conversations history to the authorized users. Authorized users are identified, have accesses and permissions defined by authorized users with administrator roles and all their actions are logged into an application journal.

RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of publishing content on public/private communications channels, customer relationship management, Service user management, customer support.

Categories of Data Subjects

  • Customer’s employees and authorized users who use the Services in connection with the business of the Customer.
  • Any other third party individuals who are involved in or referred to in the content of communications taking place or otherwise managed through the Services.

 

Types of Personal Data Processed

The Personal Data transferred can be classified in the following categories:

  • Identification information for Customer, full name, gender, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title) and company name;
  • Identification information for anyone who uses the Service at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile) and email address);
  • Content published on communication channels connected to the Service, including public information on social media channels connected to the Service;
  • Any other Personal Data that the Customer’s users or individuals involved in the communications choose to include in the content of the communications that take place or are otherwise managed using the Service;
  • Information regarding login data, especially the activity on the Service Software and IP addresses used for login (only for RingCentral Engage Digital users).

The Personal Data transferred to RingCentral for processing is determined and controlled by the Customer in its sole discretion. As such, RingCentral has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Customer or its users.

 

Special Categories of Data

RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data to RingCentral at any time.

 

Duration of Processing

The data retention duration (between 1 day and 2 years) is defined by the Customer, based on the Customer’s needs and context, and can be configured on the Service by the Customer’s Users or by RingCentral.

 

III. RingCentral Engage Communities

Nature and Purposes of Processing

RingCentral Engage Communities is an online community management platform enabling community responses to customer service inquiries. Community administrators manages all different aspects of the platform regarding the registered community members: they can create, edit and give specific permissions and roles to the community members. The Community administrators also manage the community members contents creation, restriction, moderation, publishing, edition.

RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of the online platform management, customer relationship management, and customer support.

 

Categories of Data Subjects

– Customer’s employees or authorized users

– Any other third party individuals who are contributors to the online sharing space.

 

Types of Personal Data Processed

The Personal Data transferred can be classified in the following categories:

  • Identification information of Customer’s employees or authorized users or other third party contributors, including name, e-mail address;
  • Content published on the online sharing space, including any public posts and private messages;
  • Any other Personal Data that the Customer’s users or third party contributors choose to include in content posted, sent or received using the Service.

 

Special Categories of Data

RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data, sensitive categories of data or data regarding minors to RingCentral at any time.

 

Duration of Processing

The data retention duration (between 1 day to 2 years since the last user action) is defined by the Customer, based on the Customer’s needs and context, and can be configured on the Service. Content can also be deleted by administrators and moderators of RingCentral Engage Communities or by RingCentral.

 

Annex B

List of RingCentral Services covered by DPA

  • RingCentral Office Plan Services
  • RC Contact Center
  • RingCentral Engage Digital
  • RingCentral Engage Communities

 

Annex C 

LIST OF SUBCONTRACTORS PROCESSING PERSONAL DATA FOR ENGAGE SERVICE

Subprocessors common to all setups Engage platforms 

The Client acknowledges and accepts that RingCentral will have recourse to the following subcontractors for the Engage Service.

Subprocessor Purpose of subprocessing activities SaaS platform concerned Processing location Adequate Security and Compliance measures
LanguageTooler GmbH

Karl-Liebknecht-Str. 21/22

14482 Potsdam, Germany

Orthographic and grammatical check before publication (no storage) Engage Digital Germany Not required (Transfer and Processing in EU)
Claranet S.A.S.

18-20 rue du Faubourg du Temple 75011 Paris

Managed services and hosting of the SaaS platforms Engage Digital and Engage Communities France Not required (Transfer and Processing in EU)
Heroku (SalesForce Inc.)

The Landmark @ One Market

San Francisco, California 94105, USA

Reverse proxy used to transfer images conveyed without encryption (no storage) Engage Digital Europe Model Contractual Clauses

Privacy Shield certified

Data Processing Agreement

Mailjet S.A.S.

13-13 bis, rue de l’Aubrac

75012 Paris

Application internal Mailing system (internal notifications for DC and DD) (storage of the message content for 6 days) Engage Digital and Engage Communities France Not required (Transfer and Processing in EU)
Amazon Web Services, Inc.

410 Terry Avenue North,

Seattle, WA 98109-5210, USA

Files and attachments storage Engage Communities Ireland Not required (Transfer and Processing in EU)

 

Subprocessors specific to Engage Digital setup

Depending on the configuration (connected channels and/or configured extensions), the concerned channels or extensions companies could be Subcontractors for the Client, for RingCentral or for each of the Parties.

Channels and extensions concerned which are Software Editor Subprocessors are listed below.

 

Software Service configuration Subprocessor Purpose of subprocessing activities Processing location Adequate Security measures
– Connection of a Facebook page

– or Connection of a Facebook Messenger account

– or Connection of an Instagram account

Facebook Ireland Ltd.

4 Grand Canal Square

Dublin 2 Dublin

Publication application and collection of information (published contents and public profile data) USA Internal Model Contractual Clauses

Privacy Shield certified

– Connection of a Google plus page

– or Connection of Google Play developer account

Google Inc.

1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA

Publication application and collection of information (published contents and public profile data) USA Model Contractual Clauses

Privacy Shield certified

– In the case where the mail server for the email address connected to the SaaS platform is managed by the Software Editor (exclusive of direct connection to a Client IMAP/SMTP server)

– In the case the DC private messages feature is activated

Postmark Inc.

225 Chestnut St. Philadelphia,

PA 19106, USA

Sending / Receiving mails

(storage of mail content and metadatas for 45 days)

USA Model Contractual Clauses

Privacy Shield certified

Data Processing Agreement

Customer satisfaction surveys extension configured SurveyGizmo

4888 Pearl East Cir, Suite 100W

Boulder, CO, USA

Management of Customer satisfaction surveys USA Model Contractual Clauses

Privacy Shield certified

Data Processing Agreement

Customer satisfaction surveys extension configured surveygizmo.eu

(Widgix EU Ltd.)

5 New Street Square, London, UK

Management of Customer satisfaction surveys Germany  Not required (Transfer and Processing in EU)
Connection of a Twitter Account Twitter Inc.

1355 Market Street, Suite 900

San Francisco, CA 94103, USA

Publication application and collection of information (published contents and public profile data) USA Model Contractual Clauses

Privacy Shield certified

Connection of a Youtube account Youtube Inc.

901 Cherry Avenue, San Bruno, California, USA

Publication application and collection of information (published contents and public profile data) USA Model Contractual Clauses

Privacy Shield certified