KLIPFOLIO DATA PROCESSING ADDENDUM

Effective Date: May 25, 2018

THIS ADDENDUM is made between:

KLIPFOLIO INC, incorporated under the laws of Ontario, Canada whose registered office is at 300-111 Albert St., Ottawa, ON, Canada K1P 1A5 (“Klipfolio”); and

The Klipfolio customer subscribing for Klipfolio services pursuant to Klipfolio’s Terms of Service and requiring a GDPR Data Processing Addendum (“Customer”),

together the “parties”.

WHEREAS:

  • (A) Klipfolio and the Customer have entered or desire to enter into Terms of Service for the provision by Klipfolio to the Customer of certain data visualization and business intelligence services (the “Terms”); and
  • (B) Klipfolio and the Customer have agreed to enter into this Addendum to the Terms in relation to data processing.

IT IS NOW AGREED AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

  • 1.1. The parties agree that this Addendum will be incorporated as an addendum to the Terms. To the extent of any conflict between this Addendum and the remaining sections of the Terms, this Addendum will prevail.
  • 1.2. In this Addendum, the following words and expressions will have the following meanings:
    “Addendum”

    shall mean this addendum, including its appendix;

    “Terms”

    shall have the meaning given in recital (A) above;

    “Customer Personal Information”

    shall mean all Personal Information controlled by the Customer which is processed by Klipfolio in connection with the Service;

    “Data Protection Legislation”

    shall mean all applicable laws relating to data protection and privacy including (without limitation) the EU Information Protection Directive (95/46/EC) as implemented in each jurisdiction, the EU General Information Protection Regulation (2016/679) (“GDPR”), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, and any amending or replacement legislation from time to time;

    “Personal Information”

    means any information relating to an identified or identifiable natural person; and

    “Service”

    shall mean any of the services provided by Klipfolio to the Customer pursuant to the Terms.

  • 1.3. In this Addendum, the terms “process”, “data controller”, “data processor” and “data subject” shall have the meanings set out in the Data Protection Legislation.

2. NATURE OF THE INFORMATION

  • 2.1. The categories of Customer Personal Information to be processed by Klipfolio and the processing activities to be performed under this Addendum are set out in Appendix 1.
  • 2.2. The parties record their intention that the Customer shall be the data controller and Klipfolio shall be a data processor in relation to all Customer Personal Information.

3. OBLIGATIONS OF THE CUSTOMER

  • 3.1. The parties shall each comply with their respective obligations under the Data Protection Legislation in respect of Customer Personal Information.
  • 3.2. The Customer shall ensure that its instructions and disclosures of Customer Personal Information to Klipfolio are lawful and acknowledges that Klipfolio is entitled to rely on the Customer’s instructions in respect of the processing of Customer Personal Information.

4. OBLIGATIONS OF KLIPFOLIO

  • 4.1. Klipfolio agrees to:
    • 4.1.1. only process Customer Personal Information for and on behalf of the Customer, in accordance with the instructions set out under the Terms or as otherwise given by the Customer from time to time. Klipfolio shall notify the Customer if it is required by applicable law to process Customer Personal Information other than in accordance with those instructions, and shall inform the Customer of the relevant legal requirement before undertaking such processing (unless the relevant legal requirement prohibits the provision of such information on important grounds of public interest);
    • 4.1.2. ensure that those of its personnel who are involved in processing Customer Personal Information are bound by appropriate obligations of confidentiality;
    • 4.1.3. implement and maintain appropriate technical and organizational security measures to safeguard Customer Personal Information from unauthorized or unlawful processing or accidental loss, damage or destruction;
    • 4.1.4. taking into account the nature of the processing and the information available to Klipfolio, provide reasonable assistance to the Customer in ensuring compliance with its obligations under the Data Protection Legislation in relation to security, data breach notification, data protection impact assessments and prior consultation with a supervisory authority and the fulfilment of data subject’s rights, where applicable from time to time; and
    • 4.1.5. upon written request, make available to the Customer such records as the Customer may reasonably require from time to time to demonstrate compliance by Klipfolio with its obligations under this Addendum. In addition, Klipfolio agrees to permit an audit to be conducted of its facilities no more than once per year, by the Customer or the Customer’s representatives (bound by appropriate obligations of confidentiality), provided such an audit is carried out: (i) upon ten (10) business days’ prior, written notice to Klipfolio and during Klipfolio’s normal business hours; (ii) in a manner that causes minimal disruption to Klipfolio’s business and excludes from its scope any internal pricing information, information relating to other customers of Klipfolio or other Klipfolio’s own internal reports; and (iii) at the Customer’s own cost.
  • 4.2. Klipfolio shall notify the Customer without undue delay and in any event within 72 (seventy-two) hours of becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Customer Personal Information ("Security Breach"). Klipfolio shall provide Customer with reasonable assistance in relation to the Security Breach, including the provision of such information as is known to Klipfolio regarding the nature of the breach, the categories and approximate number of data subjects and records concerned.
  • 4.3. Nothing in this Addendum shall prevent either party from complying with any legal obligation imposed by a regulator or court. Each party shall however, where possible, discuss with the other party the appropriate response to any request from a regulator or court for disclosure of information.

5. SUB-CONTRACTING

  • 5.1. The Customer consents to Klipfolio engaging subcontractors listed here to process the Customer Personal Information on its behalf ("Sub-processors"). Klipfolio shall ensure that Sub-processors are subject to contractual obligations which are the same as or equivalent to those imposed on Klipfolio under this Addendum. Klipfolio shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor within a reasonable time prior to implementation of such change. In the event of the Customer objecting to such change, Klipfolio shall make reasonable efforts to address the Customer's concerns (including making reasonable efforts to find an alternative Sub-processor).
  • 5.2. The Customer acknowledges and agrees that Customer Personal Information may be processed by Sub-processors outside the European Economic Area or the country where the Customer is located in order to carry out the Service and Klipfolio's other obligations under the Terms. Klipfolio shall implement a data transfer solution to ensure any such transfers are compliant with the Data Protection Legislation.
  • 5.3. For the avoidance of doubt, where a Sub-processor fails to fulfil its obligations under any sub-contract, Klipfolio shall remain fully liable to the Customer for the fulfilment of its obligations under this Addendum.

6. TERM AND TERMINATION

  • 6.1. This Addendum shall commence on May 25th, 2018 and shall continue in full force and effect until the later of:
    • 6.1.1. the termination or expiration of the Terms; or
    • 6.1.2. the termination of the last of the Services to be performed pursuant to the Terms.

7. Within six (6) months of the termination of this Addendum, Klipfolio shall delete the Customer Personal Information and delete any existing copies in its possession unless: (i) required to retain such Customer Personal Information under applicable law; or (ii) the Customer requests that Klipfolio return the Customer Personal Information to it.

8. GOVERNING LAW

  • 8.1. This Addendum and any dispute arising out of or in relation to it (whether contractual or non-contractual) shall be governed by and construed in accordance with the laws of England and Wales.

APPENDIX 1: Description of Information Processing

The data processing activities carried out by Klipfolio under this Addendum are as follows:

Description of Service: Klipfolio is a read-only application that enables Customers to display their data in visualizations and quickly create a new, actionable perspective on their business.
Subject-matter of Processing: Klipfolio processes certain Customer Personal Information on behalf of its Customers in relation to data visualization and being able to quickly create a new, actionable perspective on their business. The content of the Customer Personal Information is determined by its Customers, the data controllers, who either push data to Klipfolio or prepare queries to be requested by Klipfolio to capture data from Customers’ systems or third party software platforms.
Duration of Processing: For the duration of the Services to which this Addendum relates.
Nature and purpose of Processing: To enable Klipfolio to provide the Customer with certain Services in relation to data visualization and being able to quickly create a new, actionable perspective on their business in accordance with the Terms.
Type of Personal Information: Customer Personal Information relating to Customers and provisioned end users of the Services which is uploaded by such Customers or provisioned end users and/or otherwise collected by or on behalf of the Customer or provisioned end user as a result of use of the Services. Klipfolio also collects information about visitors to its web properties. The collected information may include without limitation, data uploaded or pulled into Klipfolio, personal contact information, demographic information, location information, profile data, unique IDs, passwords, usage activity, transaction history, and online behaviour and interest data.
Categories of Information Subjects: Klipfolio’s Customers and their provisioned users of its Services, as well as visitors to Klipfolio’s web properties.