ScheduleOnce Data Processing Addendum

Last updated: May 12, 2018

Controller to Processor

The Client agreeing to this ScheduleOnce Data Processing Addendum (the “DPA” or “Addendum”) and ScheduleOnce LLC (“ScheduleOnce”) have executed the online version of the ScheduleOnce Master Service Agreement (the “Service Agreement”), of which this Addendum forms a part.

It is the intention of the Parties that this Addendum forms part of the Service Agreement subject to the limitations of Section 2 ("Applicability"), as set out below, and is hereby integrated into the Service Agreement by reference.

The Parties agree that in the event of any conflict between the Service Agreement and this Addendum, the provisions of this Addendum shall control.

ScheduleOnce has committed to adhere to and has certified to the Department of Commerce that it adheres to the EU-U.S. Privacy Shield Framework, and shall use its best effort to maintain these certifications or to provide an alternative cross-border data transfer solution, where maintaining these certifications is not reasonably possible.

NOW, THEREFORE, in consideration of the mutual agreements set forth in this document and for other good and valuable consideration, the receipt and sufficiency of which the Parties both acknowledge, the Parties agree as follows:

  1. Definitions

    1. The definitions used in this Addendum shall have the meanings set forth in this Addendum. Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Service Agreement. Except as modified or supplemented below, the definitions of the Service Agreement, as well as all the other terms and conditions of the Service Agreement, shall remain in full force and effect.

    2. For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below:

      • "Applicable Laws" means (i) European Union or Member State laws with respect to any Client Personal Data in respect of which the Client is subject to EU Data Protection Laws; and (ii) any other applicable law with respect to any Client Personal Data in respect of which the Client is subject to any other Data Protection Laws;
      • "Client" means the Client, as defined in the Service Agreement, including all affiliates of that entity, if any;
      • "Client Personal Data" means any Personal Data Processed by ScheduleOnce or a Subprocessor on behalf of the Client pursuant to or in connection with the Service Agreement;
      • "Contracted Processor" means ScheduleOnce, a Subprocessor, or both collectively;
      • "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
      • "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
      • "GDPR" means EU General Data Protection Regulation 2016/679;
      • “Restricted Transfer” means any transfer of Client Personal Data that would be prohibited by EU Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of EU Data Protection Laws) in the absence of the execution of the Standard Contractual Clauses or another lawful data transfer mechanism, as set out in Section 12 below;
      • "Services" means the services and other activities to be supplied to or carried out by or on behalf of ScheduleOnce for the Client pursuant to the Service Agreement; and
      • "Subprocessor" means any person (including any third party, but excluding an employee of ScheduleOnce or an employee of any of its sub-contractors) appointed by or on behalf of ScheduleOnce to Process Personal Data on behalf of the Client in connection with the Service Agreement.
    3. The terms, "Controller", "Data Subject", "Rights of the Data Subject(s)", "Member State", "Personal Data", "Personal Data Breach", all forms of the verb "Process", “Processor”, "Supervisory Authority", and "Third Country", whether capitalized or not, shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

  2. Applicability

    1. This Addendum will not apply to the processing of Client Personal Data, where such processing is not regulated by EU Data Protection Laws. The Parties to this Addendum hereby agree that the terms and conditions set out herein shall be added as an addendum to the Service Agreement. Except where the context requires otherwise, references in this Addendum to the Service Agreement are to the Service Agreement as amended or supplemented by, and including, this Addendum.

    2. This Addendum shall enter into force and effect on the Effective Date (as defined in the Service Agreement) or on 25th May 2018, whichever is later (the "Addendum Effective Date").

  3. Processing of Client Personal Data

    1. In the context of this Addendum, the Client acts as a data controller and ScheduleOnce acts as a data processor with regard to the Processing of Client Personal Data.

    2. ScheduleOnce warrants that it will:

      • comply with all applicable Data Protection Laws in the Processing of Client Personal Data;
      • not Process Client Personal Data other than on the Client’s relevant documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless such Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case ScheduleOnce shall to the extent permitted by Applicable Laws inform the Client of that legal requirement before the respective act of Processing of that Personal Data; and
      • only transfer Client Personal Data outside the European Economic Area (EEA), where such transfers are regulated by EU Data Protection Laws, in compliance with EU Data Protection Laws.
    3. The Client instructs ScheduleOnce (and authorizes ScheduleOnce to instruct each Subprocessor) to Process Client Personal Data, and to transfer Client Personal Data to those countries or territories where those Subprocessors identified in Exhibit B are located, consistent with the Service Agreement and the present Addendum. In the event that in ScheduleOnce’s opinion a Processing instruction given by the Client may infringe Applicable Laws, ScheduleOnce shall immediately inform the Client upon becoming aware of such a Processing instruction.

    4. The Client shall provide to ScheduleOnce and also promptly update, when necessary, the information indicated below, in the Account settings section of their ScheduleOnce account.

      • identity and contact information of the Data Protection Officer of the Client, if applicable;
      • identity and contact information of the EU representative of the Client, if applicable;
      • description of the categories of Processing carried out by Client in the ScheduleOnce Service;
      • types of Client Personal Data to be Processed; and
      • categories of Data Subjects to whom the Client Personal Data relates.
  4. ScheduleOnce Personnel

    1. ScheduleOnce shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Client Personal Data, as strictly necessary for the purposes of the Service Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to formal confidentiality undertakings or professional or statutory obligations of confidentiality.

  5. Security of Processing

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ScheduleOnce shall, with regard to Client Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

    2. In assessing the appropriate level of security, ScheduleOnce shall take account in particular of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.

  6. Subprocessing

    1. The Client authorizes ScheduleOnce to appoint (and permit each Subprocessor appointed in accordance with this Section 6 to appoint) Subprocessors in accordance with this Section 6 and any possible further restrictions, as set out in the Service Agreement.

    2. ScheduleOnce may continue to use those Subprocessors already engaged by ScheduleOnce as of the date of this Addendum, subject to ScheduleOnce meeting the obligations set out in Section 6.4. The list of current ScheduleOnce Subprocessors is set out in Exhibit B to this Addendum.

    3. ScheduleOnce shall give the Client prior written notice of the appointment of any new Subprocessor, by way of sending notice e-mails to the Client, including full details of the Processing to be undertaken by that respective Subprocessor. If within 10 days of receipt of each such notice e-mail, the Client does not explicitly notify ScheduleOnce in writing of any objections (on reasonable grounds) to the proposed appointment, it shall be deemed that the Client has consented to the proposed appointment.

    4. With respect to each Subprocessor, ScheduleOnce shall:

      • before the Subprocessor first Processes Client Personal Data (or, where relevant, in accordance with Section 6.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Client Personal Data required by the present Addendum, the Service Agreement, and EU Data Protection Laws; and
      • ensure that the arrangement between: on the one hand, (i) ScheduleOnce, or (ii) the relevant intermediate Subprocessor; and on the other hand, the respective envisaged Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Client Personal Data as those set out in this Addendum, and that such terms meet the requirements of Article 28(3) of the GDPR.
  7. Rights of the Data Subjects

    1. Taking into account the nature of the Processing, ScheduleOnce shall assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client's obligations, as reasonably understood by the Client, to respond to requests to exercise Rights of the Data Subjects under the Data Protection Laws.

    2. With regard to Rights of the Data Subjects within the scope of this Section 7, ScheduleOnce shall:

      • promptly notify the Client if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data; and
      • ensure that the Contracted Processor does not respond to that request except on the documented instructions of the Client, or as required by Applicable Laws to which the Contracted Processor is subject, in which case ScheduleOnce shall, to the extent permitted by Applicable Laws, inform the Client of that legal requirement before the Contracted Processor responds to the request.
  8. Personal Data Breach

    1. ScheduleOnce shall notify the Client without undue delay upon ScheduleOnce or any Subprocessor becoming aware of a Personal Data Breach affecting Client Personal Data, providing the Client with sufficient information to allow the Client to meet any obligations pursuant to the Data Protection Laws to report to the Supervisory Authorities and/or inform the Data Subjects of the Personal Data Breach.

    2. ScheduleOnce shall co-operate with the Client and take all reasonable commercial steps to assist the Client in the investigation, mitigation, and remediation of each such Personal Data Breach.

    3. ScheduleOnce’s notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by ScheduleOnce of any fault or liability with respect to the Personal Data Breach.

  9. Data Protection Impact Assessment and Prior Consultation

    1. ScheduleOnce shall provide the Client with relevant documentation, such as a SOC 2 audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, when the Client reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Article 35 or 36 of the GDPR or pursuant to the equivalent provisions of any other Data Protection Law, but in each such case solely with regard to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the respective Contracted Processors.

  10. Deletion or Return of Client Personal Data

    1. ScheduleOnce shall provide the Client with the means to request the deletion of Client Personal Data within the term of this Addendum and the Service Agreement, unless Applicable Laws require retention of any such Client Personal Data.

  11. Audit Rights

    1. Where the Client is entitled to and desires to review ScheduleOnce’s compliance with the EU Data Protection Laws, the Client may request, and ScheduleOnce will provide (subject to obligations of confidentiality) ScheduleOnce’s annual SOC 2 audit report, VeraSafe Privacy Program audit report, or other substantially similar audit report. If the Client, after having reviewed such audit report(s), still reasonably deems that it requires additional information, ScheduleOnce shall further reasonably assist and make available to the Client, upon a written request and subject to obligations of confidentiality, all other information and/or documentation necessary to demonstrate compliance with this Addendum, and the obligations pursuant to Articles 32 to 36 of the GDPR in particular, and shall allow for and contribute to audits, including remote inspections of the Services, by the Client or an auditor mandated by the Client with regard to the Processing of the Client Personal Data by the Contracted Processors.

  12. Restricted Transfers

    1. The Client (as “data exporter”) and ScheduleOnce (as “data importer”) hereby enter into, as of the Addendum Effective Date, the Standard Contractual Clauses, which are incorporated by this reference and constitute an integral part of this Addendum. The Parties are deemed to have accepted and executed the Standard Contractual Clauses in their entirety, including the appendices.

    2. With regard to any Restricted Transfer from the Client to ScheduleOnce within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

      • ScheduleOnce’s EU-U.S. and Swiss-U.S. Privacy Shield Framework self-certifications (if any);
      • the Standard Contractual Clauses (insofar as the prospective Restricted Transfer would be considered lawful under this mechanism); or
      • any other lawful basis, as laid down in EU Data Protection Laws, as the case may be.
    3. Where ScheduleOnce has appointed or will appoint a Subprocessor and no other lawful basis or derogation for Restricted Transfers under EU Data Protection Laws applies, ScheduleOnce shall use Standard Contractual Clauses as the transfer mechanism for Restricted Transfers with that respective Subprocessor.

    4. In cases where the Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control.

  13. General Terms

    1. All clauses of the Service Agreement, that are not explicitly amended or supplemented by the clauses of this Addendum, and as long as this does not contradict with compulsory requirements of Applicable Laws under this Addendum, remain in full force and effect and shall apply, including, but not limited to: Governing Law and Dispute Resolution, Jurisdiction, Limitation of Liability (to the maximum extent permitted by Applicable Laws).

    2. Should any provision of this Addendum be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.

    3. If ScheduleOnce makes a determination that it can no longer meet its obligations in accordance with this Addendum, it shall promptly notify the Client of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate.

Exhibit A

  1. Pursuant to Article 28(3) of the GDPR, further details of the Processing, in addition to the ones laid down in the Service Agreement and this Addendum, include:

    1. The subject matter of the Processing of Client Personal Data is:

      • The subject matter of the Processing of Client Personal Data pertains to the provision of Services, as requested by the Client.
    2. The duration of the Processing of Client Personal Data is:

      • The duration of the Processing of Client Personal Data is generally determined by the Client and is subject to the term of this Addendum and the Service Agreement, respectively, in the context of the contractual relationship between ScheduleOnce and the Client.
    3. The obligations and rights of the Client are:

      • The rights and obligations of the Client are set out in the Service Agreement and this Addendum.

Exhibit B

  1. Pursuant to Art. 6.2 of the Addendum, below is a list of ScheduleOnce’s current Subprocessors as of the Effective Date:

    Subprocessor Name                Location of Processing
    Microsoft Corporation            United States of America
    Google LLC                       United States of America
    Amazon Web Services, Inc.        United States of America
    Salesforce.com                   United States of America
    Atlassian                        Australia
    Nexmo Inc.                       United States of America
    Elastic search                   United States of America
    Zoom                             United States of America
    Elastic email                    United States of America
    Enuke Software Private Limited   India
    Evon Technologies Pvt. Ltd.      India
    ScheduleOnce LTD                 Israel