Airship Data Processing Addendum
(Revised July 2018 with Privacy Shield)
This Data Processing Addendum (“Addendum”) forms part of the Master Subscription Agreement or the online Terms of Subscription Service (the “Agreement”) between the customer that has executed this Addendum here and is an Urban Airship customer on the date this Addendum is fully executed (“Customer”) and Urban Airship to reflect the parties’ agreement with regard to the processing of Personal Data in connection with Customer’s use of the Urban Airship SaaS platform identified in the Agreement (the “Service”), in accordance with the requirements of Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Urban Airship processes Personal Data for which such Authorized Affiliates qualify as data controller. For the purposes of this Addendum only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates.
In the course of providing the Service to Customer pursuant to the Agreement, Urban Airship may Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions, each acting reasonably and in good faith. This Addendum applies where and only to the extent that Urban Airship processes Customer Data that originates from the EEA and/or that is otherwise subject to Data Protection Law on behalf of Customer as Data Processor in the course of providing Service pursuant to the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Service pursuant to the Agreement between Customer and Urban Airship, but has not signed its own Order Form with Urban Airship and is not a “Customer” as defined under the Agreement.
“Customer Data” means any Personal Data that Urban Airship processes as a Data Processor on behalf of Customer.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. Customer is the Data Controller with respect to Customer Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. Urban Airship, including its Affiliates, is the Data Processor with respect to Customer Data.
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
“EEA” means, for purposes of this Addendum, the European Economic Area, United Kingdom and Switzerland.
“EU Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation), as may be amended from time to time (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“Personal Data” shall have the same meaning as in the GDPR, provided, that with respect to this Addendum, the reference is to Personal Data processed in relation to Customer’s access to and use of the Service.
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
“Request” means a written request from a Data Subject to exercise his/her specific data subject rights under the Data Protection Laws in respect of Personal Data.
“Security Measures” means the Security Measures applicable to the specific Service purchased by Customer described at https://www.urbanairship.com/legal/security-overview.
“Standard Contractual Clauses” means the agreement executed by and between Customer and Urban Airship and attached hereto as Attachment 1 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
“Sub-processor” means any Data Processor engaged by Urban Airship to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Addendum.
“Urban Airship” means Urban Airship, Inc., a company incorporated in Delaware, and Urban Airship UK Limited, a company registered in England and Wales and any other Affiliates of Urban Airship.
The terms, “Data Subject”, “Member State”, “Processing”, “Process” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller of Customer Data and Urban Airship will process Customer Data only as a Data Processor acting on behalf of Customer.
2.2 Customer’s Processing of Customer Data. Customer shall (i) comply with the Data Protection Laws and its obligations as a Data Controller under the Data Protection Laws in respect of its use of the Service and any processing instructions issued to Urban Airship, and (ii) provide notice and either have obtained or obtain all consents and rights necessary under Data Protection Laws for Urban Airship to process Customer Data and provide the Service pursuant to the Agreement and this Addendum. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquires and uses Customer Data.
2.3 Urban Airship’s Processing of Customer Data. Urban Airship shall only process Customer Data on behalf of and in accordance with Customer’s instructions for the period set out in the Agreement and shall treat Customer Data as Confidential Information. The following are deemed instructions by Customer to Urban Airship to process Customer Data: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Account Users in their use of the Service; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; and (iv) Processing in accordance with all configuration of the Service by or for Customer.
2.4 Details of Data Processing.
(a) Subject matter: The subject matter of the data processing under this Addendum is the Customer Data.
(b) Duration: As between Urban Airship and Customer, the duration of the data processing under this Addendum is until the termination of the Agreement in accordance with its terms.
(c) Purpose: The purpose of the data processing under this Addendum is the provision of the Service to the Customer and the performance of Urban Airship’s obligations pursuant to the Agreement (including this Addendum) or as otherwise agreed by the parties.
(d) Nature of the processing: Urban Airship provides a subscription to its notification and data platform, as described in the Agreement.
(e) Categories of data subjects: Any individual accessing and/or using the Service through the Customer’s Account as authorized by Customer (“Account Users”); and any end user of a mobile application, web domains, devices, software applications and/or communication channels owned or controlled by Customer and to or with respect to whom Customer sends notifications or processes Personal Data via the Service (collectively, “End Users”).
(f) Types of Customer Data:
- Customer and Account Users: Account User’s login information to the Service;
- End Users: Customer may process Personal Data via the Service, the extent of which is determined by Customer based on Customer’s configuration and use of the Service, which may include at Customer’s sole discretion based on the Service package subscribed by the Customer, but is not limited to the following categories of Personal Data: Push tokens, names, email addresses (if Customer uses the email notification channel), Online identifiers, and location data (if Customer’s order includes the location feature).
- Special classes of data. Customer is contractually prohibited from processing via the Service any “special classes of data” as defined in Data Protection Laws as well as any individual financial data, credit or debit card numbers, individual health information, or government issued identification numbers.
2.5 Legitimate Interests. Notwithstanding anything to the contrary in the Agreement and this Addendum, Customer acknowledges that Urban Airship will have a right to use and disclose data relating to the operation, support and/or use of the Service for its legitimate business purposes, such as billing, account management, technical support, and product development, and use and disclose Usage Data to the extent provided in the Agreement.
3. RIGHTS OF DATA SUBJECTS AND COOPERATION
3.1 Data Subject Requests. The Service provides Customer with a number of controls that Customer may use to retrieve, correct, delete, or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the Data Protection Laws including, for example, its obligations relating to responding to Requests from Data Subjects or applicable data protection authorities. To the extent Customer is unable to independently access the relevant Customer Data within the Service, Urban Airship will provide reasonable cooperation to assist Customer, at Customer’s cost to the extent legally permissible, to respond to any requests from Data Subjects or applicable data protection authorities relating to the processing of Personal Data under the Agreement and this Addendum. In the event any such request is made directly to Urban Airship, Urban Airship will not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Urban Airship is required to respond to such a request, Urban Airship will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
3.2 Records of Processing. The Service provides Customer with the ability to access Customer Data to provide records of processing. To the extent Customer is unable to independently access the relevant records of processing of Customer Data within the Service, Urban Airship will provide reasonable cooperation to assist Customer in a timely manner as is required by Customer to demonstrate Urban Airship’s compliance with its obligations under the Data Protection Laws and under this Addendum.
3.3 Government Requests. If a law enforcement agency sends Urban Airship a demand for Customer Data (for example, through a subpoena or court order), Urban Airship will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Urban Airship may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Urban Airship will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Urban Airship is legally prohibited from doing so.
3.4 Data Protection Impact Assessments. To the extent Urban Airship is required under Data Protection Laws, Urban Airship will (at Customer’s expense to the extent legally permitted) provide reasonably requested information regarding the Service to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
4. URBAN AIRSHIP PERSONNEL
Urban Airship shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Urban Airship shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Urban Airship shall ensure that Urban Airship’s access to Personal Data is limited to those personnel who require such access to perform the Agreement.
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Urban Airship’s Affiliates may be retained as Sub-processors; and (b) Urban Airship may engage third-party Sub-processors in connection with the provision of the Service. Urban Airship has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Service provided by such Sub-processor. Urban Airship shall make available to Customer the current list of Sub-processors for the Service by posting that list online at: https://www.urbanairship.com/legal/subprocessors.
5.2 Objection Right for new Sub-processors. If Customer has a reasonable basis to object to Urban Airship’s use of a new Sub-processor, Customer shall notify Urban Airship promptly in writing within 10 business days after receipt of Urban Airship’s notice regarding such new Sub-processor. In the event Customer objects to a new Sub-processor(s) on a reasonable basis, Urban Airship will use reasonable efforts to work in good faith with Customer to find an acceptable, reasonable, alternate solution. If the parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days), Customer may terminate the applicable Order Form(s) in respect only to the specific Service which cannot be provided by Urban Airship without the use of the objected-to new Sub-processor, by providing written notice to Urban Airship.
6.1 Controls for the Protection of Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Urban Airship shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including the measures described in the Security Measures. Customer is responsible for reviewing the information made available by Urban Airship relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Urban Airship may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer.
6.2 Third-Party Certifications. Urban Airship and Urban Airship’s Sub-processors have obtained the third-party certifications and audits set forth in the Security Measures. Upon Customer’s written request at reasonable intervals, Urban Airship shall provide a copy of Urban Airship’s and/or a Sub-processor’s then most recent third-party audits or certifications, as applicable, or any summaries thereof, that Urban Airship or such Sub-processor, as applicable, generally makes available to its customers at the time of such request.
6.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except to the extent expressly provided in this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.
6.4 Audits. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Urban Airship shall make available to Customer information regarding Urban Airship’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits described in the Security Measures. Customer may contact Urban Airship in accordance with the “Notices” Section of the Agreement to schedule an on-site audit of the procedures relevant to the protection of Personal Data. Customer shall reimburse Urban Airship for any time expended for any such on-site audit at Urban Airship’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Urban Airship shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Urban Airship with information regarding any non-compliance discovered during the course of an audit.
7. SECURITY INCIDENT MANAGEMENT AND NOTIFICATION
Urban Airship maintains security incident management policies and procedures specified in the Security Measures and shall, to the extent permitted by law, notify Customer without undue delay (no more than 72 hours of becoming aware) of any actual unauthorized disclosure of Customer Data by Urban Airship or its Sub-processors of which Urban Airship becomes aware (a “Security Incident”) and provide details of the Security Incident to the Customer. To the extent such Security Incident is caused by a violation of the requirements of this Addendum by Urban Airship, Urban Airship shall identify and remediate the cause of such Security Incident.
8. DELETION OF CUSTOMER DATA
Urban Airship shall delete Customer Data in accordance with the procedures and timeframes specified in the Agreement and the Data Retention Schedule available online at: https://docs.urbanairship.com/reference/general/#data-retention-schedule. The parties agree that the certification of deletion of Personal Data shall be provided by Urban Airship to Customer only upon Customer’s written request. Within ninety (90) days of termination or expiration of the Agreement, Urban Airship will delete all Customer Data (including copies) in its possession or control, save that this requirement will not apply to the extent Urban Airship is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Urban Airship will securely isolate and protect from any further processing, except to the extent required by applicable law.
9. INTERNATIONAL TRANSFERS
9.1 Processing Locations. Urban Airship stores Customer Data in the United States. For purposes of providing the Service, Customer Data may transfer from the originating location of Customer Data to the Service located in the United States. Additionally, for purposes of providing the Service including technical support, Customer Data may be accessed from locations where Urban Airship’s Affiliates are located.
9.2 Privacy Shield. To the extent that Urban Airship processes any Personal Data protected by Data Protection Laws under the Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that Urban Airship will be deemed to provide adequate protection (within the meaning of Data Protection Laws) for any such Personal Data by virtue of having self-certified its compliance with Privacy Shield. Urban Airship agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles. If Urban Airship is unable to comply with this requirement, Urban Airship will inform Customer.
9.3 Standard Contractual Clauses. As an alternative transfer mechanism to the Privacy Shield certification referenced in Section 9.2, to the extent that Urban Airship processes any Personal Data protected by Data Protection Laws under the Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, Urban Airship and Company may enter into the standard clauses approved by the European Commission from time to time for the transfer of Personal Data to Data Processors established in third countries, the approved version of which in force at present is that set out in the European Commission’s Decision 2010/87/EU of 5 February 2010, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=EN.
10. RELATIONSHIP WITH THE AGREEMENT
10.1 Status of Agreement. The parties agree that this Addendum will replace any existing data protection addendum or similar agreement the parties may have previously entered into in connection with the Service. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will prevail to the extent of that conflict.
10.2 Claims. Any claims brought under or in connection with this Addendum will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. Other than liability that may not be limited under applicable law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all Addenda together.
10.3 No Third Party Beneficiary. No one other than a party to this Addendum, its successors and permitted assignees will have any right to enforce any of its terms. Any claims against Urban Airship or its Affiliates under this Addendum will be brought solely against the entity that is a party to the Agreement. Customer further agrees that any regulatory penalties or other liability incurred by Urban Airship in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Addendum or any applicable Data Protection Laws will count toward and reduce Urban Airship’s liability under the Agreement as if it were liability to the Customer under the Agreement.
10.4 Governing Law. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
11. LEGAL EFFECT
This Addendum shall only become legally binding between Customer and Urban Airship when executed as described in the introductory paragraphs to this Addendum.