Data processing addendum

This Data Protection Addendum (“Addendum”) forms part of, and is incorporated by reference into, the Subscription Agreement (collectively, the “Agreement”) between the undersigned customer which is a party to such Agreement (Customer), and CometChat Inc. (“CometChat”).  Customer and CometChat are each referred to as a “Party” and collectively as the “Parties.”If you need a signed copy of this DPA or if you think we should tailor this DPA to your specific activities, please contact us at privacy@cometchat.com

Except as modified below, the terms of the Agreement shall remain in full force and effect.  Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control.  In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to their subject matter.

1. Definitions

The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by Applicable Privacy Law, whichever is broader.  Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement.  The following terms have the meanings set forth below:

  1. 01.

    Affiliate means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either CometChat or Customer, respectively. 

  2. 02.

    Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which CometChat is subject, including, but not limited to, (a) the California Consumer Privacy Act as amended by the California Privacy Rights Act and any binding regulations promulgated thereunder (“CCPA”);(b) the EU General Data Protection Regulation 2016/679 (“GDPR”) including the applicable implementing legislation of each Member State (“EU GDPR”); (c) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”); (d) the Swiss Federal Act on Data Protection of 25 September 2020; (e) any other applicable law with respect to any Personal Data,  in respect of which the CometChat is subject to and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.“Claim” shall mean any third-party action, claim, assertion, demand or proceeding.

  3. 03.

    Data Subject” shall mean an identified or identifiable natural person.

  4. 04.

    EEA” shall mean the European Economic Area.

  5. 05.

    Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by CometChat, on behalf of Customer, in connection with CometChat’s performance of the Services.

  6. 06.

    “CometChat Entity” shall mean CometChat and/or any CometChat Affiliate.“

  7. 07.

    "Privacy Authority" shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters in the jurisdiction of CometChat.

  8. 08.

    “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

  9. 09.

    Security Breach” shall mean a breach of CometChat’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in CometChat’s possession, custody or control.  Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

  10. 10.

    Services” shall mean the services as described in the Agreement or any related order form or statement of work.

  11. 11.

    Standard Contractual Clauses” shall mean (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), and (b) with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK SCCs”).

  12. 12.

    Subprocessor” shall mean any subcontractor (including any third party and/or CometChat Affiliate) engaged by CometChat to Process Personal Data on behalf of Customer.  

  13. 13.

    Supervisory Authority” shall mean: (a) in the context of the UK GDPR, the UK Information Commissioner’s Office; and (b) in the context of the EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.

2. Processor’s Obligations

2.1 CometChat shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Customer’s instructions, and as may subsequently be agreed between the Parties in writing. 

CometChat shall promptly inform Customer if

a) in CometChat’s opinion, an instruction from Customer violates Applicable Privacy Law; or

b) CometChat is required by applicable law to otherwise Process Personal Data, unless CometChat is prohibited by that law from notifying Customer under applicable law.

2.2 CometChat shall implement and maintain reasonable and appropriate technical measures that will ensure that Customer’s reasonable and lawful instructions can be complied with, including the following:u

a) Updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Customer from time to time;

 
b) cancelling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Customer; 


c) Otherwise facilitating Customer’s responses to Data Subject requests as required under Applicable Privacy Law;


d) CometChat shall promptly re-direct any request from a Data Subject to exercise any of its Data Subject rights to Customer and shall not respond directly to the Data Subject unless instructed so by Customer in writing. 

2.3 CometChat acknowledges that

a) Customer discloses Personal Data to Customer solely for the business purpose of Customer, and

b) CometChat has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data, and that any consideration paid by Customer to CometChat under the Agreement relates only to CometChat’s provision of the Services. 

CometChat shall not collect, retain, use, disclose, or otherwise Process the Personal Data (i) for any purpose other than for the specific purpose of providing the Services to Customer, or for any commercial purpose, or (ii) outside of the direct business relationship between CometChat and Customer.  In addition, CometChat shall (i) not ‘sell’ or ‘share’ as defined under Applicable Privacy Law (including, without limitation, the CCPA), or otherwise disclose any Personal Data except to authorised Subprocessors needed to render the Services, (ii) not combine Personal Data with any third-party data, except as specifically instructed by Customer in writing, and (iii) comply with all applicable sections of the CCPA, including but not limited to, providing the same level of privacy protection to the personal data as is required of Customer under the CCPA.  Customer shall have the right, upon written notice to CometChat, to take reasonable and appropriate steps to stop and remediate CometChat’ s unauthorized use of Personal Data.

2.4 CometChat shall provide to Customer such co-operation, assistance and information as Customer may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Customer’s provision of the Services, and (b) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority.

3. Security of Personal Data.

  1. 01.

    CometChat shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in Exhibit B. 

  2. 02.

    CometChat shall ensure the reliability of any employees who Process Personal Data. 

4. Customer Obligations

Customer is solely responsible for its use of the Services, including (a) obtaining any needed consents or authorizations for CometChat to Process Personal Data; (b) without limitation of CometChat’s obligations under Section 3 (Security of Personal Data), making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (c) securing the account authentication credentials, systems and devices Customer uses to access the Services; (d) securing Customer’s systems and devices that CometChat uses to provide the Services; and (e) backing up Personal Data.

5. Sub Processors

  1. 01.

    CometChat shall not, without Customer’s prior written consent, sub-contract or outsource any Processing of Personal Data to any Subprocessor; provided that Customer shall not unreasonably withhold or delay consent to CometChat’s appointment of any Subprocessor.  Without limiting the foregoing, Customer generally authorizes CometChat to engage the Subprocessors specified in Exhibit C.  CometChat will post any changes to approved Subprocessors to https://www.cometchat.com/legal-sub-processors-list. com.  Customer may reasonably object to any new Subprocessor appointed by CometChat, in which case CometChat will use reasonable efforts to make a reasonable change in the Service to avoid Processing by such Subprocessor.  If CometChat is unable to provide an alternative, Customer may terminate the Services.

  2. 02.

    CometChat shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.

  3. 03.

    CometChat will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on CometChat under this Addendum.

  4. 04.

    For the avoidance of doubt, and notwithstanding any provision herein to the contrary, Customer acknowledges and agrees that any third party engaged by Customer via CometChat’s Extensions Marketplace option (further details of which can be found at https://www.cometchat.com/extensions) will not be considered a Subprocessor for purposes of this DPA, and CometChat shall have no responsibility or liability in connection with the Processing of Personal Data by such third party.

6. Breach Notification

  1. 01.

    Notification to Customer

    Unless otherwise prohibited by applicable law, CometChat shall notify Customer without undue delay after CometChat becomes aware of a Security Breach.  Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned).  In addition, CometChat shall communicate to Customer (i) the name and contact details of CometChat’s data protection officer or other point of contact where more information can be obtained, (ii) a description of the likely consequences of the Security Breach, (iii) a description of the measures taken or proposed to be taken by CometChat to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects. 

  2. 02.

    Investigation

    CometChat shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.

7. Privacy Impact Assessment.

CometChat shall, promptly upon receipt of written request by Customer (a) make available to Customer such information as is reasonably necessary to demonstrate Customer’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Customer in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to CometChat.  CometChat shall reasonably cooperate with Customer to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment.  Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Customer shall not make any such request more than once in any 12-month period.

8. Audit Rights

Customer may audit CometChat’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Customer’s Supervisory Authority.  CometChat will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance that CometChat considers appropriate in the circumstances and reasonably necessary to conduct the audit.  To request an audit, Customer must submit a proposed audit plan to CometChat at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. 

The proposed audit plan must describe the proposed scope, duration, and start date of the audit.  CometChat will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise CometChat security, privacy, employment or other relevant policies).  CometChat will work cooperatively with Customer to agree on a final audit plan.  Nothing in this Section 8 shall require CometChat to breach any duties of confidentiality.  If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and CometChat has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.  The audit must be conducted during regular business hours, subject to the agreed final audit plan and CometChat’s safety, security or other relevant policies, and may not unreasonably interfere with CometChat business activities.  Any audits are at Customer’s sole expense.  Customer shall reimburse CometChat for any time expended by CometChat and any third parties in connection with any audits or inspections under this Section 8 at CometChat’s then-current professional services rates, which shall be made available to Customer upon request.  Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.  

9. Deletion of Personal Data

CometChat shall, promptly and in any event within 90 days of expiration or termination of the Agreement, or following receipt of written notice from Customer, (a) return a complete copy of all Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to CometChat; and (b) enable Customer to delete all copies of Personal Data Processed by CometChat. 

10. Third Party Disclosure Requests

  1. 01.

    Unless prohibited by applicable law, CometChat shall promptly notify Customer of any inquiry, communication, request or complaint, to the extent relating to CometChat’s Processing of Personal Data on behalf of Customer, from:any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/orany Data Subject,and shall, taking into account the nature of the Processing, provide reasonable assistance to enable Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines.  CometChat shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 10.1 and Section 10.2.

  2. 02.

    In the event that CometChat is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Customer, including any national security authority or other government body, CometChat shall attempt to redirect the government request to Customer.  If CometChat is unable to redirect the request, CometChat shall, unless prohibited by applicable law, notify Customer promptly and shall provide all reasonable assistance to Customer to enable Customer to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines.  If CometChat is prohibited by applicable law from providing notice to Customer of a Legal Request, CometChat shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data.  CometChat shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 10.2.

11. Transfers out of the EEA

 If Customer transfers Personal Data out of the EEA to CometChat in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the EU SCCs, the terms of which are hereby incorporated into this Addendum. CometChat shall provide a copy of the signed version of the EU SCCs to Customer upon request.  In furtherance of the foregoing, the parties agree that:

  1. 01.

    Customer will act as the data exporter and CometChat will act as the data importer under the EU SCCs;

  2. 02.

    For purposes of Appendix 1 to the EU SCCs, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section B to Exhibit A; 

  3. 03.

    For purposes of Appendix 2 to the EU SCCs, the technical and organizational measures shall be as set out in Exhibit B; 

  4. 04.

    The audits described in Clause 8.9 of the EU SCCs shall be performed in accordance with Section 8 of this Addendum;

  5. 05.

    Customer’s authorizations in Section 5 (Subprocessors) of this Addendum will constitute Customer’s prior written consent to the subcontracting by CometChat of the Processing of Personal Data under Clause 9(a)(Option 2) of the EU SCCs; 

  6. 06.

    The Supervisory Authority for the EU SCCs shall be satisfied by the information in Section C of Exhibit A. 

  7. 07.

    Option 1 of Clause 17 shall apply, and the EU SCCs will be governed by the law of Ireland; and

  8. 08.

    Any dispute arising from the EU SCCs shall be resolved by the courts of Ireland.

12. Transfers out of the UK

 If Customer transfers Personal Data out of the UK to CometChat in a country not deemed by the UK Government to have adequate data protection, such transfer will be governed by the UK SCCs, the terms of which are hereby incorporated into this Addendum.  CometChat shall provide a copy of the signed version of the UK SCCs to Customer upon request.  In furtherance of the foregoing, the parties agree that Tables 1 through 4 of the UK SCCs shall be satisfied by the following information:

  1. 01.

    Table 1: Reference to Table 1 shall be satisfied by the information in Section A of Exhibit A.

  2. 02.

    For Table 2, the version of the Approved EU SCCs shall be the EU SCCs, Controller to Processor module.

  3. 03.

    Reference to Table 3 shall be satisfied by the information in Exhibit A.

  4. 04.

    Table 4: For Table 4, the Exporter and Importer shall have the rights outlined in Section 19 of the UK SCCs.

13. Claims

Any claims brought under, or in connection with, this Addendum, shall be subject to the exclusions and limitations of liability set forth in the Agreement.

Exhibit A

A. List of Parties


Data exporter: The Customer identified in the Agreement, which is sharing Personal Data with data importer in order for data importer to perform its Services.

Data importer:

Name - CometChat Inc.

Address - 1580 N Logan St, Ste 660 PMB 43373 Denver, Colorado 80203 USA

Contact person’s name, position and contact details - Anant Garg, CTO - anant.garg@cometchat.com
Melissa Ordway, VP Finance - melissa.ordway@cometchat.com

Activities relevant to the data transferred under these Clauses - To perform the Services identified in the Agreement that involve the Processing of Personal Data on behalf of the data exporter. 

Role (Controller or Processor) - Processor

 B. DESCRIPTION OF TRANSFER


Categories of data subjects whose Personal Data is transferred

Customers, business partners, vendors, and prospects (who are natural persons) of data exporter; and data exporter’s users and prospective users, authorized by data exporter to use the Service (who are natural persons).

Categories of Personal Data transferred

Name, email address, phone number, conversation/chat content (voice, video, or text)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

Data importer does not expect to receive sensitive data from data exporter or its end users. 


The frequency of the transfer (whether the data is transferred on a one-off or continuous basis)

On a continuous basis during the term of the Agreement. 

Nature of the Processing

As described in the Agreement.

Purpose(s) of the data transfer and further Processing

As described in the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

Duration of performance of the Services.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing

As described in the Agreement. 

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be the supervisory authority that has jurisdiction over the data exporter/controller. 

Exhibit B

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


The data importer has implemented and maintains comprehensive technical and organizational safeguards, which contain those safeguards described below:

  • Organizational management and dedicated staff responsible for the development, implementation and maintenance of the CometChat’s information security program.

  • Audit and risk assessment procedures for the purposes of periodic reviews and assessment of risks to CometChat’s organization, monitoring and maintaining compliance with the CometChat’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

  • Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly or at rest or stored on portable media (i.e., laptop computers). 

  • Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

  • Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the CometChat’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the CometChat’s computer systems; (iii) must have defined complexity; and (iv) newly issued passwords must be changed after first use.System audit or event logging and related monitoring procedures to proactively record user access and system activity. 

  • Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the CometChat’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

  • Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the CometChat’s possession.

  • Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the CometChat’s technology and information assets.Incident management procedures design to allow CometChat to investigate, respond to, mitigate and notify of events related to the CometChat’s technology and information assets. 

  • Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.

  • Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

  • Disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters. 

Exhibit C

LIST OF SUB-PROCESSORS


The Customer has authorized the use of the following Subprocessors