Last updated: March 2025 (V2025.1.1)

DATA PROCESSING AGREEMENT (DPA)


This Data Processing Agreement (the “DPA”) forms part of the applicable governing Master Service Agreement entered into by and between the applicable Contentsquare Contracting Entity (“Contentsquare”), and the contracting party identified on the applicable Order Form (together with Affiliates of such company or entity (for so long as they remain Affiliates) which have entered into Order Forms for CS Services for such Affiliate, each “you”, “your”, “Customer”) as of the Start Date of the first Order Form executed between Contentsquare and Customer, with regard to the Processing of Personal Data by Contentsquare in connection with the CS Service under the Agreement (“CS Service”). Contentsquare and Customer may each be referred to herein as a “Party” or collectively as the “Parties”.

Unless otherwise explicitly stated herein, the terms of the Agreement shall be incorporated as part of this DPA and any claims brought under this DPA shall be subject to the terms of the Agreement. In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data. 

1. DEFINITIONS

1.1. In this DPA, the following terms shall have the following meanings:

(a) “Applicable Data Protection Laws” means, to the extent applicable:

(i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”), the UK Data Protection Act 2018 (“UK GDPR”), as well as any other data protection laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom; 

(ii) the Personal Data Protection Act 2012 (“PDPA”), the Act of the Protection of Personal Information (“APPI”);

(iii) all privacy and data protection laws and regulations, worldwide (whether, national, state, provincial, local or otherwise), applicable to the Processing of Personal Data under the Agreement, as may be amended, extended, re-enacted, or interpreted from time-to-time; and including without limitation, any applicable jurisdiction-specific terms to the Processing of Personal Data under this Data Processing Agreement.

(b) “EU-U.S. Data Privacy Framework” means the adequacy mechanism adopted by the European Commission on July 10, 2023 for personal data transferred from the European Union (“EU”) to companies in the United States (“US”) which are certified under the EU-U.S. Data Privacy Framework, as adopted by the EU Commission on July 10, 2023, and its UK Extension to the EU-U.S. Data Privacy Framework for personal data transferred from the United Kingdom and Gibraltar to the United States to companies in the United States which are certified under the UK Extension to the EU-U.S. Data Privacy Framework, as adopted by the UK Government on October 12, 2023 (the “DPF”).

(c) “Standard Contractual Clauses” means, depending on the circumstances to Customer, (i) the Standard Contractual Clauses for the transfer of personal data to third countries, pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), or (ii) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner on March 21, 2022 (“UK SCCs”). 

(d) “Personal Data Incident” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Contentsquare or its Sub-Processors of which Contentsquare becomes aware. 

(e) “Sub-Processor” means any Processor engaged by Contentsquare and Contentsquare Affiliates that Processes Personal Data under the instruction or supervision of Contentsquare.

(f) The terms, "Controller", "Data Subject", "Member State", “Personal Data”, "Processor", "Processing", "Supervisory Authority", and “Data Protection Impact Assessment” (“DPIA”), shall have the same meaning given to them under Applicable Data Protection Laws or if not defined thereunder, the GDPR. 

1.2. Any other capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

2. PROCESSING OF PERSONAL DATA

2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data for the purposes set out in Schedule 1 - Details of the processing of this DPA, (i) Customer is the Controller of Personal Data, (ii) Contentsquare is the Processor of Personal Data and (iii) Contentsquare may also process Customer Data as a Controller for the purposes set out in Contentsquare Services Privacy available here: https://contentsquare.com/privacy-center/services-privacy-policy/

2.2 Purpose Limitation. Contentsquare will Process Personal Data as a Processor for the performance of the CS Service pursuant to the Agreement only for the purposes of the Processing, as set out in Schedule 1 or as otherwise agreed under the Agreement or by the Parties in writing. Schedule 1 further specifies the duration of the Processing, the nature of operations and purposes of the Processing, the location of Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA, depending on CS Service used by the Customer. 

2.3 Customer Instructions. Customer appoints Contentsquare as a Processor to Process Personal Data on behalf of, and only in accordance with, Customer’s documented instructions (i) as set forth in the Agreement, this DPA, and as otherwise necessary to provide the CS Service to Customer and (ii) as otherwise agreed in writing between the Parties, except where and to the extent otherwise required by applicable law and/or regulation. Customer grants the right to Contentsquare to render Personal Data fully anonymous, non-identifiable and non-personal when necessary. Customer understands that, through its use of the various functionalities of the CS Service, it is issuing instructions to Contentsquare as to the Processing of Personal Data to be carried out by Contentsquare on behalf of Customer.

2.3.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Laws. Notwithstanding the terms of Section 2.4.2 below, Customer acknowledges and agrees that Contentsquare is neither responsible for determining which laws and/or regulations are applicable to Customer’s business or industry, nor whether Contentsquare’s provision of the CS Service meets or will meet the requirements of laws and/or regulations that are not applicable to Contentsquare. Customer will ensure that Contentsquare’s Processing of Customer Data, when done in accordance with Customer’s instructions, will not cause Contentsquare to violate any applicable law and/or regulation, including Applicable Data Protection Laws.

2.3.2 Conflict of Laws.  To the extent that Contentsquare cannot comply with an instruction from Customer, or in case, at Contentsquare’s discretion, a Processing instruction is deemed to infringe Applicable Data Protection Laws,  Contentsquare shall cease all Processing that are infringing Applicable Data Protection Laws and shall promptly inform Customer, providing relevant details on the aforementioned. The Parties shall meet in good faith to find a viable solution to address the issue encountered.

3. OBLIGATIONS OF THE PARTIES

3.1 Compliance with the Data Protection Regulation. Customer shall comply with its obligations under Applicable Data Protection Laws, including, establish and have any and all required legal basis for Contentsquare’s Processing of Personal Data on Customer’s behalf. Customer shall have sole responsibility for the accuracy, quality and the means by which the Customer collected Personal Data. 

3.2 Information and Consent Collection. In accordance with section 2.1 of this DPA, Customer represents and warrants that it has (i) provided all information required under Applicable Data Protection Laws to Data Subjects about Contentsquare’s Processing of Personal Data by Contentsquare or on behalf of Contentsquare’s Customer, (ii) to the extent required by law, obtained consent from Data Subjects for Contentsquare’s Processing of Personal Data by Contentsquare or on behalf of Contentsquare’s Customer. Customer shall promptly provide to Contentsquare evidence thereof upon Contentsquare’s request. Contentsquare can conduct online audits to ensure the Customer provides the relevant information and, where applicable, obtains the relevant consent. Contentsquare shall inform the Customer about the results of the audits if all information is not delivered and if the consent is not obtained as required by law. For the sake of clarity, Customer being the Controller, the latter remains the sole responsible for performing the aforementioned (i) and (ii).

3.3 Cooperation for the Data Subject Requests. 

3.3.1 Requests received by Contentsquare. Insofar as this is possible, Contentsquare shall, to the extent legally permitted, (i) notify Customer without undue delay if Contentsquare receives a direct request from a Data Subject to exercise their rights under Applicable Data Protection Laws or complaint (“Data Subject Request”) relevant to the Processing of Personal Data under this DPA, and shall refer such Data Subject Request received, and the concerned Data Subject, directly to Customer for its treatment of such request; and (ii) taking into account the nature of the Processing, Contentsquare shall assist Customer by appropriate technical and organizational measures, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws, and comply with the Customer’s instructions on such Data Subject Request.

3.3.2 Requests received by Customer. Customer shall forward any Data Subject Request it receives relevant to the Processing of Personal Data under the Agreement and this DPA to Contentsquare via Contentsquare’s Data Subject Request Portal at: https://contentsquare.com/privacy-center/data-subject-request-portal/. 

3.4 DPIA. Upon Customer’s reasonable request, Contentsquare shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Applicable Data Protection Laws to carry out a DPIA related to Customer’s use of the CS Service as a Controller, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Contentsquare. It is acknowledged that it is the Customer’s responsibility to determine whether a DPIA must be conducted where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. 

3.5 Cooperation with the Supervisory Authority. 

3.5.1 Prior Consultation. Contentsquare shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under Applicable Data Protection Laws. 

3.5.2 Supervisory Requests. Contentsquare shall promptly notify Customer if it receives any complaint or inquiry from a Supervisory Authority that relates directly to the Processing of Personal Data under this DPA, or to either Party’s compliance with Applicable Data Protection Laws, unless prohibited from doing so by applicable law. 

3.6 Personal Data Incident Notification

In the event of a Personal Data Incident affecting Customer Data (“Customer Personal Data Incident”), Contentsquare shall without undue delay notify Customer to the email address set out in Section 10.7 of the Customer Personal Data Incident related to Contentsquare’s Processing of Personal Data as Processor and take necessary and reasonable action to remediate such incident. Additionally, Contentsquare shall, taking into account the nature of the Processing and the information available to Contentsquare, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Data Protection Laws.  Each party will reasonably assist the other party to mitigate any potential damages in connection with this Section. 

3.7 Security and Data Protection Control Audit

Contentsquare shall maintain industry-standard technical and organizational measures for protection of Personal Data Processed hereunder, including those measures set forth in the CS Security Safeguards, as may be amended by Contentsquare from time to time, (provided such amendment shall provide the same or materially similar security obligations as set out in this DPA). Contentsquare shall grant access to the Personal Data undergoing Processing to members of its personnel only to the extent strictly necessary for the performance of the Agreement and this DPA. Contentsquare shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Customer shall have the right to conduct a Data Protection Control Audit in accordance with the applicable Section of the Agreement.

4. SUB-PROCESSORS

4.1 Authorization for the use of current Sub-Processors. Customer acknowledges and agrees that Contentsquare uses the Sub-Processors linked in Schedule 1 (“Sub-Processor List”) to Process Personal Data in connection with the provision of the CS Service, all in accordance with and under the terms of this Section 4.

4.2 Notification of Sub-Processors changes. Customer acknowledges and agrees that Contentsquare may engage new Sub-Processor(s) to Process Personal Data in connection with the provision of the CS Service. In order to receive notification of any new Sub-Processor(s) into the Sub-Processor List in advance of such Sub-Processor(s) having access to Visitor Data, Customer may subscribe by completing the form contained within Sub-Processors List link provided in Schedule 1 once the Agreement is executed.

4.3 Objection Right for new Sub-Processor. Customer may present objections, which shall be on the basis of reasonable privacy or security concerns, to Contentsquare’s use of a new Sub-Processor, by sending an email to privacy@contentsquare.com within thirty (30) calendar days after receipt of Contentsquare’s notice as set out in Section 4.2 above. Failure to object to such a new Sub-Processor in writing within such a time period shall be deemed as acceptance of the new Sub-Processor by Customer. In the event Customer reasonably objects to a new Sub-Processor, Contentsquare shall have the right to cure the objection through one of the following options (to be selected at Contentsquare’s sole discretion): (i) Contentsquare shall cease to use the new Sub-Processor with regard to Customer Data; or (ii) Contentsquare instructs, and the new Sub-Processor implements the corrective steps curing the gaps listed by Customer in its objection (which steps will be deemed to resolve Customer’s objection) and proceed to use the new Sub-Processor to process Customer Personal Data (“Objection Remediations”). If Contentsquare is unable to implement any of the above Objection Remediations within thirty (30) calendar days of receipt of objection notice, Customer may, as a sole remedy, terminate the Agreement and this DPA with respect only to those CS Service or Professional Services which cannot be provided by Contentsquare without the use of the objected-to Sub-Processor. Contentsquare shall refund to Customer on a pro rata basis, based on the then current Term, all prepaid Fees which relate to those CS Service or Professional Services which cannot be provided by Contentsquare. Customer will have no further claims against Contentsquare due to the use of approved Sub-Processors in accordance with the terms of this Section 4 or the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this Section 4.3.

4.4 Agreements with Sub-Processors. Contentsquare or a Contentsquare Affiliate has entered into a written agreement with each Sub-Processor containing appropriate safeguards to the protection of Personal Data. Where Contentsquare engages a new Sub-Processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Laws. 

5. RETURN, ANONYMIZATION, AND DELETION OF PERSONAL DATA

Upon termination of the Agreement, or via a written notification to Contentsquare by sending an email to privacy@contentsquare.com, and at the choice of the Customer, Contentsquare shall delete or return to Customer the Personal Data Processed by Contentsquare on behalf of the Customer (including temporary files), and Contentsquare shall dispose existing copies of such Personal Data unless it has a legal right or obligation to retain a copy under Applicable Data Protection Laws, in which case Contentsquare shall continue to comply with this DPA for as long as it will retain copies of such Personal Data.

6. CROSS-BORDER DATA TRANSFERS

6.1 Conditions for cross-border data transfers. Customer acknowledges and agrees that Contentsquare may Process Personal Data on a global basis as necessary for the performance of the Agreement, including in countries outside the European Economic Area (EEA) and/or the United Kingdom (“Third Countries”), as provided in the Sub-Processor List. Customer hereby approves the transfer of Personal Data to the locations stated in the Sub-Processor List and acknowledges that the basis of such transfer between jurisdictions is acceptable.

6.2 Adequacy Decisions. Personal Data may be transferred to Third Countries that offer an adequate level of data protection recognized by the European Commission, or the competent authority for the United Kingdom and Switzerland (“Adequacy Decisions”), without any further safeguards being necessary.

6.3 Standard Contractual Clauses. If the Processing of Personal Data includes transfers (either directly or via onward transfer) from the EEA and/or the United Kingdom to Third Countries which have not been subject to an Adequacy Decision (“Other Countries”), and such transfer or disclosure is not permitted through alternative means approved under Applicable Data Protection Laws, the Parties agree that the terms set forth in Schedule 2 (Standard Contractual Clauses) will apply. In the event that any provision of this DPA or the Agreement contradicts, directly or indirectly, with the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail. Contentsquare undertakes to comply with transfer obligations required by Applicable Data Protection Law.

6.4 Data Privacy Framework. For the transfers of Personal Data from the EU, UK, Gibraltar, and Switzerland to the U.S., Contentsquare has certified to the U.S. Department of Commerce that it adheres to the requirements of (i) the EU-U.S. Data Privacy Framework with respect to the processing of Personal Data received from the EU, (ii) the UK Extension to the EU-U.S. Data Privacy Framework with respect to the processing of Personal Data received from the UK and Gibraltar, and (iii) the Swiss-U.S. Data Privacy Framework with respect to the processing of Personal Data received from Switzerland. Contentsquare’s official certification can be found at the following link: https://www.dataprivacyframework.gov/list. In the event of invalidation of any of the above transfer mechanisms by the respective data protection authority or government, or in the event Contentsquare ceases to be certified under the applicable Data Privacy Framework, the Parties mutually agree to rely on the Standard Contractual Clauses attached in Schedule 2 to carry out transfers as part of the provisions of services.

7. COMMUNICATION WITH AFFILIATES

The Customer shall remain responsible for coordinating all communication with Contentsquare under this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.

8. DISCLOSURE TO THIRD PARTIES

Contentsquare shall notify Customer and, where required by applicable law, the Data Subjects, without undue delay and in any case within seven (7) business days, if it receives a request from any third party for disclosure of Personal Data processed under this DPA where compliance with such request is required or purported to be required by applicable law unless such notification is prohibited by applicable law. Contentsquare shall reject any requests for Personal Data disclosures that are not legally binding.

9. CALIFORNIA CONSUMER PRIVACY ACT

9.1 The definition of “Applicable Data Protection Laws” includes the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including by the California Privacy Rights Act of 2020 (together, “CCPA”).

9.2 Except as described otherwise, the definitions of: “Controller” includes “Business”; "Processor" includes “Service Provider”; “Data Subject” includes “Consumer”; “Personal Data” includes “Personal Information”; in each case as defined under the CCPA.

9.3 When Contentsquare acts as a Service Provider, Contentsquare shall not: 

9.3.1 retain, use, or disclose Personal Data for any purpose other than the purposes for which such Personal Data was provided to it, as stipulated in the Agreement and this DPA;

9.3.2 retain, use, or disclose Personal Data outside of the direct business relationship between the Parties to the Agreement;

9.3.3 combine Personal Data that Contentsquare receives from, or on behalf of, Customer with Personal Data that Contentsquare receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, except where permitted under the law; or

9.3.4 Sell or Share (as such terms are defined in the CCPA) any Personal Data Processed hereunder, without Customer’s prior written consent, nor take action that would cause any transfer of Personal Data to or from Contentsquare under the Agreement or this DPA to qualify as “selling” or “sharing” such Personal Data under the CCPA.

9.4 Contentsquare represents and warrants that it understands the rules, requirements and definitions of the CCPA, and shall notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA.

9.5 Contentsquare certifies that its Sub-Processors, as set forth in Section 4 (Sub-Processors) of this DPA, are Service Providers under CCPA, with whom Contentsquare has entered into a written contract that includes terms substantially similar to this DPA. Contentsquare conducts appropriate due diligence on its Sub-Processors.

9.6 Contentsquare’s obligations regarding data subject requests, as described in Section 3.3 (Cooperation and Data Subject Requests) of this DPA, apply to Consumer rights under the CCPA.

10. OTHER PROVISIONS

10.1 Modifications. Any modification to this DPA shall be made by mutual written agreement of both Parties; provided however that Customer may, by at least forty-five (45) calendar days' prior written notice to Contentsquare, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under, any Applicable Data Protection Laws, to allow Processing of those Personal Data to be made (or continue to be made) without breach of that Applicable Data Protection Law. Upon receipt of such request (a) Contentsquare shall make commercially reasonable efforts to accommodate such modification request; and (b) Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Contentsquare to protect Contentsquare against additional risks. If Customer gives notice under this Section 10.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days of Customer’s notice, then Customer or Contentsquare may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof). Customer will have no further claims against Contentsquare pursuant to the termination of the Agreement and the DPA as described in this Section 10.1.

10.2 Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

10.3 Limitation of Liability. Each Party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA and the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Agreement and any reference in such section to the liability of a party means aggregate liability of that Party and all of its Affiliates under the Agreement (including this DPA).  

10.4 GDPR Limitation of Liability and Compensation. Subject to Section 10.3 above, Contentsquare shall only be liable for damages caused by processing for which (i) it has not complied with the obligations of the GDPR specifically related to Data Processors or (ii) it has acted outside or contrary to lawful written instructions of the Customer. Where Contentsquare and Customer are involved in a processing under the Agreement (including this DPA) that caused damage to a data subject, the Party that received the compensation request  shall first take charge of the full indemnification (or any other compensation) which is due to the Data Subject and then may claim back from the other Party the part of the Data Subject’s compensation corresponding to its part of responsibility for the damage in accordance with the conditions set out in this Section.

10.5 Penalties and Fines. It is acknowledged by the Parties that in case a Party infringes any provision of Applicable Data Protection Laws, it may be subject to penalties and/or administrative fines, which may include, without limitation, concerning the GDPR where applicable, such administrative fines referred to in paragraphs 4, 5 and 6 of Article 83.

10.6 Governing Law. This DPA will be governed by and construed in accordance with the Governing Law section of the Agreement, unless required otherwise by Applicable Data Protection Laws.

10.7 Notice. Unless otherwise specifically indicated, all notices under this DPA, must be in English, in writing, and addressed as follows: (i) in the case of Contentsquare to privacy@contentsquare.com, and (ii) in the case of Customer to the contact information provided in the Order Form. In case a Party wants to change such email, it will inform the other one in writing at its contact email.

11. SCHEDULES

11.1 Schedule 1 “Details of the processing”. This Schedule 1 forms part of the DPA and describes the Processing of Personal Data that Contentsquare will perform as described in Section 2.1 of this DPA depending on the CS Service used by the Customer. 

11.2 Schedule 2 “Standard Contractual Clauses for data transfers”. 

SCHEDULE 1 - DETAILS OF THE PROCESSING

Applicable CS Service schedules

Depending on the CS Service provided to the Customer under an Order Form, the following schedule(s) shall apply to the Processing of Personal Data performed by Contentsquare on behalf of the Customer:

  • Experience Analytics: Schedule 1.A 

  • Product Analytics (“PA”): Schedule 1.B

  • Voice Of Customer (“VoC”): Schedule 1.C

SCHEDULE 1.A - EXPERIENCE ANALYTICS DETAILS OF PROCESSING

Product name

Experience Analytics

Purpose of processing

Contentsquare shall Process Personal Data for the following purposes:

Analyze Visitor digital behavior and visualize Visitor’s journey to improve digital Visitor experience and Customer’s website/mobile app performance;

Provide support and technical maintenance;

If the Client Facing Adoption Dashboard is used by Customer: Provide reporting on CS Service platform usage by Customer’s authorized Users; and

Assist Customer in Data Subjects Requests management.

Subject matter

Contentsquare’s provision of the CS Service as applicable to the Customer’s instructions and pursuant to the DPA, Agreement and Services Schedules.

Categories of Data Subject

The categories of Data Subjects whose Personal Data are processed:  

Customer’s website and mobile app visitors (“Visitors”); and

If the Client Facing Adoption Dashboard is used by the Customer: Customer’s employees, agents, advisors, freelancers, and vendors (who are natural persons) authorized by Customer to use the CS Service (“Users”).

Categories of Personal Data

The processed categories of Visitor Personal Data are as follows: 

Online identification information (e.g., IP addresses (for website only), cookie ID, Unique User IDs and other similar unique identifiers); 

Behavioral information (e.g., how a visitor has interacted with the website or app, mouse or touch movements, scrolls, mouse clicks, screen taps or zoom information; time of engagement, etc.);

Website and mobile app technical information (e.g., pages of a website or app a visitor visited, visitor’s type of computer operating system, visitor’s type of web browser, JS error, other backend technical data, etc.); and

Additional Visitor Personal Data submitted by the Customer via the CS Service such as email address, username, or other Personal Data. These additional types of Personal Data are not processed by default by Contentsquare on behalf of the Customer and require an explicit choice by the Customer to process.

If the Client Facing Adoption Dashboard is used by the Customer: the processed categories of User Personal Data are: 

Personal Data submitted by the Customer via the CS Service or relating to its usage of the CS Service.

Nature of Processing

As applicable to the Customer’s instructions and pursuant to this DPA, the Agreement and Services Schedules, Personal Data shall be subject to the following processing operations: collection, record, organization, structuration, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, anonymization, and destruction.

Duration of the Processing

Contentsquare shall Process Personal Data pursuant to this DPA and the Agreement for the duration of CS Service under the terms of the Agreement and shall not retain Personal Data more than 13 months from the date of initial collection, unless otherwise agreed upon in writing by the Parties. 

Subprocessors

The complete list of subprocessors is available here: https://contentsquare.com/privacy-center/subprocessors/

Location of Processing and storage

The location of Processing and storage are described here: https://contentsquare.com/privacy-center/subprocessors/

Security Measures

Security measures are described here: https://trust.contentsquare.com/

SCHEDULE 1.B - PRODUCT ANALYTICS (PA) DETAILS OF THE PROCESSING

Product name

Product Analytics

Purpose of processing

Contentsquare shall Process Personal Data for the following purposes:

Analyze Visitor’s journey across Customer’s website, mobile app, and other means to improve Customer’s products and services and Visitor conversion and retention

Provide support and technical maintenance

Assist the Customer in Data Subjects Requests management. 

Subject matter

Contentsquare’s provision of the CS Service as applicable to the Customer’s instructions and pursuant to the DPA, Agreement and Services Schedules.

Categories of Data Subject

The categories of Data Subjects whose Personal Data are processed:  

Visitors.

Categories of Personal Data

The processed categories of Visitor Personal Data are as follows:  

Online identification information (e.g., IP addresses, Unique User IDs and other similar unique identifiers);   

Behavioral information (e.g., how a Visitor has interacted with the website or app, view page, click, submit, change; time of engagement);

Website and mobile app technical information (e.g., pages of a website or app a Visitor visited, Visitor’s type of computer operating system, Visitor’s type of web browser, other backend technical data);

Additional Visitor Personal Data submitted by the Customer via the CS Service such as email address, username, or other Personal Data. These additional types of Personal Data are not processed by default by Contentsquare on behalf of the Customer and require an explicit choice by the Customer to process.

Nature of Processing

As applicable to the Customer’s instructions and pursuant to this DPA, the Agreement and Services Schedules, Personal Data will be subject to the following processing operations: collection, record, organization, structuration, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, anonymization, and destruction.

Duration of the Processing

Contentsquare will Process Personal Data pursuant to this DPA, Agreement and Services Schedules for the duration of CS Service under the terms of the Agreement and will not retain Personal Data more than 37 months from the date of initial collection, unless otherwise agreed upon in writing by the Parties. 

Subprocessors

The complete list of subprocessors is available here: https://www.heap.io/sub-processors

Location of Processing and storage

The location of Processing and storage are described here: https://www.heap.io/sub-processors.

Security Measures

Security measures are described here: https://trust.contentsquare.com/?product=heapio.

SCHEDULE 1.C - VOICE OF CUSTOMER (VOC)/USER TESTS AND INTERVIEWS - DETAILS OF THE PROCESSING

1/ Surveys and Feedback

Product name

Surveys and Feedback

Purpose of processing

Contentsquare will Process Personal Data for the following purposes:

Analyze Visitor’s surveys and feedback regarding a Customer’s product, service or experience to understand Visitor’s expectations, improve Visitor’s satisfaction and Customer’s website/mobile app.

Provide support and technical maintenance.

Assist the Customer in Data Subjects Requests management. 

Subject matter

Contentsquare’s provision of the CS Service as applicable to the Customer’s instructions and pursuant to the DPA, Agreement and Services Schedules.

Categories of Data Subject

The categories of Data Subjects whose Personal Data are processed:  

Visitors.

Categories of Personal Data

The processed categories of Visitor Personal Data are as follows:  

Online identifier (user ID); 

Geolocation data (country only);

Technical data (referring URL, device type timestamps);

Any additional Personal Data requested by Customer in the feedback or surveys, such as name, email address;

Any additional Personal Data voluntarily submitted by Visitor in the feedback or surveys. 

Nature of Processing

As applicable to the Customer’s instructions and pursuant to this DPA, the Agreement and Services Schedules, Personal Data will be subject to the following processing operations: collection, record, organization, structuration, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, anonymization, and destruction.

Duration of the Processing

Customers can manually delete their data at any time within the platform on a self-serve basis. Data is automatically deleted upon deletion of the Account.

Subprocessors

The complete list of subprocessors is available here: https://contentsquare.com/privacy-center/subprocessors/

Location of Processing and storage

The location of Processing and storage are described here: https://contentsquare.com/privacy-center/subprocessors/

Security Measures

Security measures are described here: https://trust.contentsquare.com/?product=hotjar 

2/ Interviews

Product name

Interviews

Purpose of processing

Contentsquare will Process Personal Data for the following purposes:

Obtain real-time Visitor’s feedback regarding a Customer’s product, service or experience to understand Visitor’s expectations, improve Visitor’s satisfaction and Customer’s website/mobile app.

Provide support and technical maintenance.

Assist the Customer in Data Subjects Requests management.

Subject matter

Contentsquare’s provision of the CS Service as applicable to the Customer’s instructions and pursuant to the DPA, Agreement and Services Schedules.

Categories of Data Subject

The categories of Data Subjects whose Personal Data are processed:  

Participants, Affiliates and other participants (including but not limited to your employees, freelancers or contractors) from time to time to whom the Controller has granted the right to access the platform in accordance with the terms of the Agreement;

any other categories of Data Subjects as added by the Controller from time to time.

All together “Participants”. 

Categories of Personal Data

The processed categories of Participants Personal Data are as follows:  

Identification data, contact details, including but not limited to: name, gender, nationality, country, phone number, age, marital status, public Facebook or LinkedIn profile (shared voluntarily by Participants);

Education and professional data: education background, job title;

Scheduled time for an interview and topic names;

any Personal Data shared by the Participant in the research screener responses;

Interview recording content, including but not limited to:

Video recording of video, audio, and screen sharing 

Audio recording

Text file document of all in-meeting chats and notes

Audio transcript text file

In-meeting Questions & Answers, polls, and survey information

Any additional Personal Data as requested by Customer from time to time.

Nature of Processing

As applicable to the Customer’s instructions and pursuant to this DPA, the Agreement and Services Schedules, Personal Data will be subject to the following processing operations: collection, record, organization, structuration, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, anonymization, and destruction.

Duration of the Processing

Contentsquare will Process Personal Data pursuant to this DPA, Agreement and Services Schedules for the duration of the CS Services under the terms of the Agreement.

Contentsquare will keep Interview recordings for 2 years from the date of the Interview. 

Subprocessors

The complete list of subprocessors is available here: https://help.hotjar.com/hc/en-us/articles/360058514233-Sub-Processors-Used-by-Hotjar.

Location of Processing and storage

The location of Processing and storage are described here: https://help.hotjar.com/hc/en-us/articles/360058514233-Sub-Processors-Used-by-Hotjar.

Security Measures

Security measures are described here: https://trust.contentsquare.com/?product=hotjar.

3/ User Tests

Product name

User Tests 

Purpose of processing

Contentsquare will Process Personal Data for the following purposes:

Observe Visitor’s digital experience to understand Visitor’s expectations, improve Visitor’s satisfaction and Customer’s website/mobile app.

Provide support and technical maintenance

Assist the Customer in Data Subjects Requests management. 

Subject matter

Contentsquare’s provision of the CS Service as applicable to the Customer’s instructions and pursuant to the DPA, Agreement and Services Schedules.

Categories of Data Subject

The categories of Data Subjects whose Personal Data are processed:  

authorized users such as Testers, Affiliates and other participants (including but not limited to your employees, freelancers or contractors) from time to time to whom the Controller has granted the right to access the platform in accordance with the terms of the Agreement;

any other categories of Data Subjects as added by the Controller from time to time.

All together “Participants”. 

Categories of Personal Data

The processed categories of Participants Personal Data are as follows:  

Identification data, contact details, including but not limited to: name, gender, nationality, country, phone number, age, marital status, public Facebook or LinkedIn profile (shared voluntarily by Participants);

Education and professional data: education background, job title;

Scheduled time for a User test and topic names;

any Personal Data shared by the Participant in the research screener responses;

User test recording content, including but not limited to:

Video recording of video, audio, and screen sharing 

Audio recording

Text file document of all in-meeting chats and notes

Audio transcript text file

In-meeting Questions & Answers, polls, and survey information

Any additional Personal Data as requested by Customer from time to time.

Nature of Processing

As applicable to the Customer’s instructions and pursuant to this DPA, the Agreement and Services Schedules, Personal Data will be subject to the following processing operations: collection, record, organization, structuration, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, anonymization, and destruction.

Duration of the Processing

Contentsquare will Process Personal Data pursuant to this DPA, Agreement and Services Schedules for the duration of CS Service under the terms of the Agreement.

Contentsquare will keep User Test recordings for 2 years from the date of the User Test. 

Subprocessors

The complete list of subprocessors is available here: https://help.hotjar.com/hc/en-us/articles/360058514233-Sub-Processors-Used-by-Hotjar.

Location of Processing and storage

The location of Processing and storage are described here: https://help.hotjar.com/hc/en-us/articles/360058514233-Sub-Processors-Used-by-Hotjar.

Security Measures

Security measures are described here: https://trust.contentsquare.com/?product=hotjar.

SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES FOR DATA TRANSFERS

1. EU SCCs

For transfers from the EEA to Other Countries, the EU SCCs will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

1.1 Applicable Module 

The module indicated below shall apply:

X  Module Two (Controller to Processor): it will apply for Data Processing as described in Section 2.1 of this DPA, whereby Customer acts as Controller and Contentsquare acts as Processor;

X  Module Three (Processor to Processor): it will apply for data processing as described in Section 2.1 of this DPA, whereby Customer acts as Processor and Contentsquare acts as a Sub-Processor.

1.2 Options 

For each Module, where applicable:

  • in Clause 7, the optional docking clause will apply;

  • in Clause 9, Option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 4.2 (Notification of Sub-Processor Changes) of this DPA;

  • in Clause 11, the optional language will not apply;

  • in Clause 17, Option 1 will apply and the EU SCCs will be governed by French law;

  • in Clause 18(b), disputes will be resolved before the courts of France.

1.3 Data Exporter and Data Importer

Pursuant to schedule I, Part A of the EU SCCs, the Parties have identified the Data Exporter and Data Importer as described below:

Data Exporter

As defined in the Agreement

Address

As set out in the Order Form

Contact person’s name, position and contact details

As set out in the Order Form

Activities relevant to the data transferred under these EU SCCs

Procuring the CS Service from Contentsquare and in the course of receiving the CS Service

Signature and date

By entering into the Agreement, Customer is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement

Role

As set forth in Section 2.1 (Roles of the Parties) of this DPA

Data Importer

Contentsquare

Address

As set out in the Order Form

Contact person’s name, position and contact details

Contentsquare Privacy Team – privacy@contentsquare.com 

Activities relevant to the data transferred under these EU SCCs

Processing of Personal Data in connection with Customer’s use of the CS Service under the Agreement

Signature and date

By entering into the Agreement, Contentsquare is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement

Role

As set forth in Section 2.1 (Roles of the Parties) of this DPA

1.4 Description Of Transfer

Categories of data subjects whose personal data may be transferred

As described in Schedule 1 (Details of the processing) of this DPA depending on the purchased products by the Customer.

Categories of personal data transferred

As described in Schedule 1 (Details of the processing) of this DPA depending on the CS Service provided to the Customer under an Order Form.

Sensitive data transferred (if applicable)

None 

The frequency of the transfer

Continuous basis for the duration of the Agreement

Nature of the processing

As described in Schedule 1 (Details of the processing) of this DPA, depending on the CS Service provided to the Customer under an Order Form.

Purpose(s) of the data transfer and further processing

As described in Schedule 1 (Details of the processing) of this DPA depending on the CS Service provided to the Customer under an Order Form

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described in Schedule 1 (Details of the processing) of this DPA depending on the CS Service provided to the Customer under an Order Form.

For transfers to (sub) processors, the subject matter, nature, and duration of the processing shall be as described below:

Any transfers to Sub-Processors will be consistent with the terms of the EU SCCs, the Agreement and its Service Schedules, and this DPA.

1.5 Competent Supervisory Authority

For the purposes of Annex I, Part C of the EU SCCs, the French Data Protection Authority will be the competent supervisory authority.

1.6 Security of Processing 

CS Security Safeguards set forth in Section 3.7 (Security and Data Protection Control Audit) of this DPA will serve as Annex II of the EU SCCs.

1.7 Sub-Processors 

The list referenced in Section 4.1 of this DPA will serve as Annex III of the EU SCCs.

2. UK SCCs

2.1. For transfers from the United Kingdom to Other Countries, the UK SCCs will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

2.1.1 Table 1 of the UK SCCs shall be deemed completed with the corresponding information set out in Section 1.3 (Data Exporter and Data Importer) of this Schedule 2;

2.1.2 Table 2 of the UK SCCs shall be deemed completed with the corresponding information set out in Section 1.2 (Options) of this Schedule 2;

2.1.3 In Table 3 of the UK SCCs:

(a) Annex 1,A shall be deemed completed with the corresponding information set out in Section 1.3 (Data Exporter and Data Importer) of this Schedule 2;

(b) Annex 1,B shall be deemed completed with the corresponding information set out in Section 1.4 (Description of Transfer) of this Schedule 2;

(c) CS Security Safeguards set forth in Section 3.7 (Security and Data Protection Control Audit) of this DPA will serve as Annex II;

(d) Section 4.1 (List of Sub-Processors) of this DPA will serve as Annex III.

2.1.4 Table 4 of the UK SCCs shall be completed with “neither Party”.