Convesio Data Processing Addendum 

11-23-2021

1. Introduction

1. This Data Processing Addendum (“DPA”) is an addendum to the Terms of Service (“Terms”) viewable here: https://convesio.com/terms-of-service/.
2. This DPA only applies to Clients if and to the extent (a) Convesio Processes Client Personal Data (defined below) for or on behalf of the Client pursuant to the Agreement and (b) the Data Protection Laws apply to such Client Personal Data.
3. We reserve the right to make changes to this DPA at any time. If we make changes to this DPA, we will provide notice of such changes by revising the date at the top of this DPA. Your continued use of our Services following notification of changes will constitute your acceptance of such changes.

2. Definitions

1. Capitalized terms which are not defined herein shall have the meaning provided in the Agreement. In addition, the following defined terms apply solely with respect to this DPA.
2. “Applicable Law” means any statute, regulation, executive order, and other rule or rules issued by a government office or agency that have binding legal force and are generally applicable to Personal Data or the provision of the Services with respect to Personal Data, including GDPR, CCPA, and the state and federal laws of the United States.
3. “CCPA” means the California Consumer Privacy Act of 2018.
4. “Data Subject” means an identified or identifiable natural person whose rights are protected by GDPR or a “Consumer” as defined under CCPA.
5. “GDPR” means Regulation 2016/679 of the European Parliament.
6. “Personal Data” means any information about a natural person that is identified or identifiable to the natural person, either alone or in combination with other information, that Convesio will Process or have access to as part of providing the Services, including any such information that is created by means of the Services.
7. “Process,” when used with respect to Personal Data, means: (i) to record, store, organize, structure, analyze, query, modify, combine, encrypt, display, disclose, transmit, receive, render unusable, or destroy, by automated means or otherwise; (ii) to provide cloud or other remote technology hosting services for applications or services that do any of the foregoing; and (iii) any other use or activity that is defined or understood to be processing under Applicable Law.
8. “Security Event” means any of the following: (i) unauthorized Processing or other use or disclosure of Personal Data; (ii) unauthorized access to or acquisition of Personal Data or the systems on which Personal Data is Processed; (iii) any significant corruption or loss of Personal Data that Convesio is unable to repair within a minimal period of time; (iv) any event that has or is reasonably likely to significantly disrupt the Processing of the Personal Data as part of the Services; and (v) any material unsuccessful attempt to gain unauthorized access to, or to destroy or corrupt, the Personal Data, but not including any routine, unsuccessful events such as pings, port scans, blocked malware, failed log in attempts, or denial of service attacks.

3. Roles of the parties

1. Client is the Controller and Convesio is the Processor with respect to Client Personal Data. Convesio shall only Process Client Personal Data in accordance with terms of service viewable here: https://convesio.com/terms-of-service/, which include the provisions of the Agreement, unless otherwise required to comply with any Data Protection Laws.
2. Client and Convesio shall comply with the Data Protection Laws. Client shall obtain any required authorizations, consents, releases, or permissions, and provide all required privacy notices, regarding the Client Personal Data. For the avoidance of doubt, Client shall have sole responsibility for the accuracy, quality, and legality of all Client Personal Data and the bases on which it is collected from the Data Subject.

4. Nature, Purpose, and Duration of Processing

1. Convesio will Process Client Personal Data as necessary to perform the Services – which is generally limited to passive hosting of Client websites and related support – or to protect Convesio’s legal rights, for the duration of the Agreement, unless otherwise agreed upon in writing.
2. Client’s transfer of Client Personal Data to Convesio in connection with the Services is determined and controlled by Client in its sole discretion.
3. Convesio may Process the following categories of Client Personal Data: any Personal Data collected, used, or otherwise Processed from End Users of Client Websites.
4. Convesio may Process Client Personal Data from the following categories of Data Subjects: End Users of Client Websites.

5. Sub-processors

1. Convesio engages third-party subcontractors that Process Client Personal Data (“Sub-processors”) for the purposes of providing the Services. A current list of Sub-processors is available in Appendix A of Convesio’s online DPA, located here: https://www.convesio.com/data-processing-addendum (the “Sub-processor List”). Client authorizes Convesio to engage these Sub-processors for the purpose of providing the Services.
2. Convesio may update the Sub-processor List from time to time, and such updates shall be the sole means of providing notice of Sub-processor changes to Client.
3. Convesio shall impose obligations on its Sub-processors that are the same as or substantially equivalent to those set out in this DPA by way of written contract. Convesio shall be liable to Client for the Sub-processors’ performance of its data protection obligations with respect to Client Personal Data.

6. Security Event Notification

1. In the event of a discovered or suspected Security Event, Convesio shall provide notice without undue delay to Client’s technical and account contacts using those means established for routine account-related communications (or other such method of notice as agreed between us). Our notice shall include the following information to the extent it is reasonably available to Convesio at the time of the notice, and Convesio shall update its notice as additional information becomes reasonably available: (i) the dates and times of the Security Event; (ii) the facts that underlie the discovery of the Security Event, or the decision to begin an investigation into a suspected Security Event, as applicable; (iii) a description of the Personal Data involved in the Security Event, either specifically, or by reference to the data set(s), and (iv) the measures planned or underway to remedy or mitigate the vulnerability giving rise to the Security Event. We will take those measures available, including measures reasonably requested by you, to address a vulnerability giving rise to a successful Security Event, both to mitigate the harm resulting from the Security Event and to prevent similar occurrences in the future. We will cooperate with your reasonable requests in connection with the investigation and analysis of the Security Event, including a request to use a third-party investigation and forensics service. Convesio shall retain all information that could constitute evidence in a legal action arising from the Security Event and shall provide the information to you upon your request. Except to the extent required by law in the written and reasonable opinion of Convesio’s legal counsel, or as reasonably required by our investigation of the Security Event or our other contractual obligations, we will not disclose to any third party the existence of a Security Event or suspected Security Event or any related investigation without Customer’s prior written consent.

7. Audit and Inspection

1. Subject to and conditioned on a written confidentiality and non-disclosure agreement, Convesio shall provide Client with information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA.
2. Any audits shall be (i) subject to and conditioned on reasonable advance written notice, not less than sixty (60) days, to Convesio; (ii) subject to and conditioned on a written confidentiality and non-disclosure agreement and a detailed written audit plan reviewed and pre-approved by Convesio; (iii) limited to once every three (3) calendar years; (iv) at Client’s sole cost and expense; (v) limited in scope and purpose to evaluate a specifically identified suspected failure by Convesio to comply with the provisions of this DPA and only after Client has exhausted all other reasonable means as determined by Convesio; and (vi) in the presence of a Convesio representative without unreasonably disrupting Convesio’s business operations.

8. Deletion or Return of Client Personal Data

Upon proper termination of the Agreement and at the written direction of the Client, Convesio shall take reasonable measures to delete Client Personal Data or return Client Personal Data and copies thereof to the Client, subject to applicable laws or other Convesio obligations requiring the continued storage of the Client Personal Data by Convesio.

Appendix A

List of Sub-processors

• Cloudflare: We use Cloudflare to secure and improve the performance of the Services.
• Google Cloud Platform: We use Google Cloud Platform to host and secure Client Websites and store data related to Client Websites.
• Google Workspace: We use Google Workspace applications to process email communication and manage online documents.
• Hubspot: We use Hubspot to communicate with leads and customers.
• Intercom: We use Intercom to communicate with our customers and provide support.
• KeyCDN: We use KeyCDN to power Convesio CDN.
• Mailchannels: Mailchannels is an SMTP provider that sends transactional emails from Client Websites.
• New Relic: Used to troubleshoot Client Website performance.
• Slack: We use Slack for internal communication.