Click here to download the full PDF version of this data processing agreement, including Exhibit A (Standard Contractual Clauses) and Appendix (List of Parties, Description of Transfer, Competent Supervisory Authority, Technical and Organizational Measures, List of Sub-Processors).
Updated: February 21, 2022
This data processing agreement (DPA), pursuant to art. 28 General Data Protection Regulation (GDPR), is made between the following parties:
Controller: a customer of Userlist (“Customer”, “you”);
Processor: Userlist, operated by Userlist, Inc. ("Userlist," "we," "our", or “us”).
The subject matter of this DPA and the thereto related processing activities result from Userlist Terms of Service Agreement (“Agreement”) between you and Userlist. This DPA amends and supplements your Agreement and requires no further action on your part.
The parties agree that to the extent Userlist operates and manages the Service, Userlist is acting as a processor under data protection laws on the Customer’s behalf, and the Customer is acting as the controller under data protection laws for the Customer’s end users.
The term of this DPA corresponds to the term of the Agreement.
Categories of Personal Data
The categories of personal data processed are:
- personally identifying data such as first and last name;
- contact data;
- key contract data;
- customer history;
- billing, invoicing and payment data;
- data related to user behavior within Customer’s software product (including, but not limited to, user events and properties);
- data related to communication (email and other types of messages) between the Customer and their end users;
- aggregated data and analytics gained by processing any of the above data categories;
- other Customer and end user data uploaded by the Customer.
Categories of Data Subjects
The personal data collected and processed related to:
- potential customers;
- employees, subcontractors, collaborators;
- authorised agents;
- reference persons.
The Customer acknowledges that, in connection with the Services, personal data will be transferred to Userlist in the United States.
The Standard Contractual Clauses attached as Exhibit A to this DPA (the “SCCs”) apply with respect to personal data that is transferred outside the European Economic Area (“EEA”), either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the data protection laws).
Technical and Organisational Measures
Prior to the execution of this DPA, the Processor shall demonstrate that all necessary technical and organisational measures, specifically with regard to the detailed performance of this DPA, have been adopted and shall, upon request, provide documented evidence thereof to the Controller. Upon acceptance by the Controller, such documented measures become binding part of this DPA and are attached to it. Insofar as an inspection/audit by the Controller shows the necessity for amendments, such amendments shall be implemented by mutual agreement.
The Processor shall guarantee security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. Such measures shall guarantee data security and a protection level appropriate to the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the likelihood of data breaches and the severity of risks to the rights and freedoms of natural persons possibly resulting thereof within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.
The technical and organisational measures are subject to technical and technological progress and development. Hence, the Processor may adopt alternative adequate measures adapted to the changed technological environment. When doing so, the processing security level may not be reduced. Substantial changes must be documented.
Rectification, Restriction and Erasure of Data
The Processor will not rectify, erase or restrict the processing of data that is being processed on the Controller's behalf at its own initiative but only upon documented instructions by the Controller, unless the Controller violates Userlist Terms of Service or Anti-Spam Policy and their access to Service is terminated as a result of such violation.
Should a Data Subject contact the Processor directly concerning a rectification, erasure, or restriction of processing, the Processor shall immediately forward such Data Subject’s request to the Controller. The requests of erasure, rectification, data portability and access shall be fulfilled by the Processor in accordance with documented instructions by the Controller without undue delay.
Quality Assurance and Other Duties of the Processor
In addition to complying with the provisions of this DPA, the Processor commits to meet all applicable statutory requirements set forth at Articles 28 to 33, GDPR. In particular, the Processor ensures compliance with the following requirements:
Appointment of a Data Protection Officer (DPO). The current DPO is:
Address: 6595 Roswell Road, STE G2130, Atlanta, GA 30328, USA
Email address: email@example.com
The Processor shall inform the Controller without delay about any changes to the identity or contact information of the Data Protection Officer.
Confidentiality. Processing activities under this DPA shall only be performed by such employees or collaborators and agents that have been instructed by the Processor about the appropriate dealing with personal data and have been contractually subjected to confidentiality pursuant to art. 28 par. 3 (b) and art. 32, GDPR. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless upon instructions by the Controller, including the powers granted under this DPA, unless they are required to do so by statutory law.
Cooperation with Supervisory Authorities. The Controller and the Processor shall cooperate, on request, with the supervisory authority. The Controller shall be informed immediately of any inspections and measures executed by the supervisory authority, insofar as they relate to the activities under this DPA. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any provision regarding the processing of personal data in connection with the processing of this DPA. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative fine, a preliminary injunction or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the processing of data by the Processor as of this DPA, the Processor shall make every effort to support the Controller.
Supervisory Powers of the Controller
Pursuant to the applicable provisions of the SCCs, the Controller has the right to carry out inspections or to have them carried out by an auditor to be designated on a case-by-case basis. The auditor shall have the right to assess the Processor's compliance with this DPA in his business operations by means of random checks, which are ordinarily to be announced in advance.
The Processor may charge a reasonable fee to the Controller for enabling inspections.
Assistance to the Controller
The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations set forth at Articles 32 to 36 of the GDPR, including
- ensuring adequate protection standards through technical and organisational measures, taking into account the type, circumstances and purposes of processing, the likelihood of data breaches and the severity of the risk to natural persons possibly resulting thereof;
- ensuring immediate detection of infringements;
- reporting data breaches without undue delay to the Controller;
- assisting the Controller in answering to data subjects' requests or the exercise of their rights.
The Processor may claim a reasonable fee for support services which are not included in the description of the services and which are not attributable to failures on the part of the Processor.
Deletion and Return of Personal Data
The Processor shall not create copies or duplicates of the data without the Controller's knowledge and consent, except for backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
After conclusion of the provision of services, the Processor shall, at the Controller's choice, delete in a data-protection compliant manner or return to the Controller all the personal data collected and processed under this DPA, unless any applicable legal provision requires further storage of the personal data. In any case the Processor may retain all information necessary to demonstrate orderly and compliant processing activities beyond termination of the Contract, in accordance with the statutory retention periods.The deletion and return of any Controller data shall otherwise be governed by the terms of the SCCs.
Should you have any questions, or need a signed version of this DPA, please contact us at firstname.lastname@example.org or using the address below:
6595 Roswell Road, STE G2130
Atlanta, GA 30328
Userlist is a trademark of Userlist, Inc. Userlist reserves all rights not expressly granted in this Data Protection Agreement.