Vantage Circle Data Processing Addendum
(GDPR, Vantage Circle Binding Corporate Rules, Privacy Shield, and Standard Contractual Clauses)
Data Protection Addendum
In the course of providing the Vantage Circle service’s to our customers, Vantage Circle may process personal data on our customer’s behalf where such personal data is subject to EU data protection laws like GDPR. To this end, we offer a data protection addendum (DPA) as provided below. The DPA will only be legally binding and effective if: (1) it is duly signed by new customers ; and (2) you are Vantage Circle customer on the date it is fully executed. Please note that because we have so many customers, we are not able to change this data protection addendum for any particular customer.
1. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Agreement” means either the Vantage Circle Terms of Use or Vantage Circle Service Agreement (as applicable) and the related Order Form, which together govern the provision of the Services to Customer.
Customer Data means any Personal Data that Vantage Circle processes on behalf of Customer as a Data Processor in the course of providing Services.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data by Vantage Circle pursuant to the Agreement, including, where applicable, EU Data Protection Law.
“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” has the meaning given to it in the GDPR and “process”, “processes”, and “processed” will be interpreted accordingly.
“Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Data.
“Services” means any product or service provided by Vantage Circle to Customer pursuant to the Agreement.
“Sub-processor” means any Data Processor engaged by Vantage Circle or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
2. Processing Of Personal Data
“Roles of the Parties” The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Vantage Circle is the Processor and that Vantage Circle or members of the Vantage Circle Group will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
“Customer’s Processing of Personal Data” Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
“Processing of Personal Data” Vantage Circle shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
“Details of the Processing” The subject-matter of Processing of Personal Data by Vantage Circle is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 4 (Details of the Processing) to this DPA.
3. Rights Of Data Subjects
“Data Subject Request” Vantage Circle shall, to the extent legally permitted, promptly notify Customer if Vantage Circle receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, Vantage Circle shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Vantage Circle shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Vantage Circle is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Vantage Circle’s provision of such assistance.
4. Details of Data Processing
“Types Of Personal Data Processed” The categories of personal data are determined by the customer in its sole discretion and may include, but are not limited to: first and last name; employer, business role, professional title, contact information(eg. email, phone , physical address); business network, business experience, business interests, localisation data and device identification data.
“Special Categories Of Personal Data” Special categories of personal data, if any, are determined by customer in its sole discretion and may include, but are not limited to, information revealing racial/ethnic origin, political, religious or philosophical beliefs, trade union membership or health data.
“Nature of processing operations” Vantage Circle will process personal data as necessary to perform the subscription services pursuant to the agreement. The processing operations performed on the personal data will depend on the scope of customer’s subscription services and customer’s configuration of its vantage circle instance. Such processing operations of personal data as necessary for Vantage Circle to provide the subscription services may include the following: collecting, organise, store, use, transmission, combining, retrieval, consultation, archiving and/or destruction.
5. Subprocessing
“Appointment of Sub-processors” Customer acknowledges and agrees that (a) Vantage Circle Affiliates may be retained as Subprocessors; and (b) Vantage Circle and Vantage Circle’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Vantage Circle or a Vantage Circle’s Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
“Liability” Vantage Circle shall be liable for the acts and omissions of its Sub-processors to the same extent Vantage Circle would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
Customer provides a general authorization for Vantage Circle to engage onward sub-processors that is conditioned on the following requirements:
(a) Vantage Circle will restrict the onward sub-processor’s access to Customer Content only to what is strictly necessary to provide the Services, and Vantage Circle will prohibit the sub-processor from processing the personal data for any other purpose;
(b) Vantage Circle agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law.
(c) Vantage Circle will remain liable for any breach that is caused by an act, error, or omission of its sub-processors.
The Processor (Vantage Circle) shall not engage another processor (hereby called ‘Subprocessor’) to carry out all or part of the Processing activities entrusted to Processor by Vendors without the prior written authorization of Vendors of Vantage Circle.
To that effect, the Processor shall communicate to Vendors in writing (i) the identity of the Subprocessor, (ii) the location of the Subprocessor and (iii) the location of the Processing activities carried out by the Subprocessor.
Vendors can (i) refuse a Subprocessor or (ii) accept the Subprocessor under specific conditions.
The same process as above will apply “mutatis mutandis” to any replacement of an authorized Subprocessors.
The Subprocessor shall be subject to the same obligations as the Processor. Therefore, the Subprocessor shall comply with all obligations set out in this Data Protection Addendum and the obligations applicable to the Processor under the GDPR and any applicable data protection laws and regulations. The Processor must impose these obligations on the Subprocessor, in writing by the way of a contract.
The Processor will cause the Subprocessor to strictly comply with all obligations set out in this Data Protection Addendum and the Processor will in any case remain fully liable to Vendors of Vantage Circle for the due and timely performance of all and any such obligations by the Subprocessor.
Vantage Circle will provide details of any change in sub-processors as soon as reasonably practicable. With respect to changes in infrastructure providers, Vantage Circle will endeavor to give written notice sixty (60) days prior to any change, but in any event will give written notice no less than thirty (30) days prior to any such change. With respect to Vantage Circle’s other sub-processors, Vantage Circle will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
List Of Sub Processors
1.Digital Ocean.
2. Mandrill.
3. MSG91.
4. Spark Post.
5. Cloudinary.
6. Hubspot.
7. Amazon Web Services.
6. Security
“Controls for the Protection of Customer Data” Vantage Circle shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security, Privacy and Architecture Documentation. Vantage Circle regularly monitors compliance with these measures. Vantage Circle will not materially decrease the overall security of the Services during a subscription term.
“Third-Party Certifications and Audits”Vantage Circle has obtained the third-party certifications and audits set forth in the Security, Privacy and Architecture Documentation. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Vantage Circle shall make available to Customer that is not a competitor of Vantage Circle (or Customer’s independent, third-party auditor that is not a competitor of Vantage Circle) a copy of Vantage Circle’s then most recent third-party audits or certifications, as applicable.
7. Customer Data Incident Management And Notification
Vantage Circle maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Documentation and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Vantage Circle or its Sub-processors of which Vantage Circle becomes aware (a “Customer Data Incident”). Vantage Circle shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Vantage Circle deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Vantage Circle’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
8. Return And Deletion Of Customer Data
Vantage Circle shall return or delete Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security, Privacy and Architecture Documentation.
(a) Vantage Circle Services. Prior to the termination of the Agreement, Vantage Circle will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and Customer agrees that it is solely responsible for deleting Customer Content via the Services, upon termination of the Agreement, Vantage Circle will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Services.
Upon termination of the Agreement, Vantage Circle will (i) at Customer’s election, delete or return to Customer the Customer Content (including copies) stored within any services and application programming interfaces branded as Vantage Circle.
Vantage Circle will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Vantage Circle’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Vantage Circle Privacy Notice.Vantage Circle will anonymize or delete Customer Usage Data when Vantage Circle no longer requires it for the purposes.