Data Processing Addendum
The purpose of this DPA is to reflect the agreement on the processing of personal data in accordance with data protection legislation.
Last revised on August 1, 2019
This Data Processing Addendum (the "Agreement") forms a part of the contract of Application Services between Processor and Controller (Terms & Conditions) listed on the Unless.com website. This Agreement shall reflect the parties' agreement with regards to Processing of Personal Data.
If the Controller signing this Agreement is a customer of UNLESS, this Agreement forms part of a contract of service with UNLESS. If the Controller is not a user or customer of UNLESS, this Agreement is not valid and not legally binding.
This Agreement is between Customer ("Controller") and UNLESS ("Processor"). Each individually is referred to as "Party", and jointly referred to as "Parties".
- Parties have agreed that the Controller will act as the sole Controller of the Personal Data, and that the Processor renounces any rights it may have to act as a data controller of the Personal Data held by the Controller.
- Parties agree that it may be necessary to process certain Personal Data on behalf of Controller.
- In light of this, UNLESS offers this Agreement to address compliance obligations imposed upon Controller.
- Parties agree that Application Services rendered by UNLESS may qualify as commissioned Data Processing as per sec. 28 of the General Data Protection Regulation (2016/679)
Applicable Law means the relevant Data Protection and Privacy laws to which Parties are subject, including the GDPR directive (2016/679).
Personal Data means any information which can be related to an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, and supplied by Controller to UNLESS under the Terms & Conditions, or which UNLESS or any of its Sub Processor generate, collect, store, transmit, or otherwise process on behalf of Controller in connection with this Agreement. Personal Data may include information which is related to Customer's users, employees, and other individuals.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure or destruction, as defined under Applicable Law.
Visitors means the identified or identifiable person to whom Personal Data relates.
Sub Processors means any affiliate, agent or assignee of UNLESS that may process Personal Data pursuant the terms of the Agreement, and any unaffiliated processor engaged by UNLESS.
Breach Incident means a breach leading to the accidental or unlawful loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Third-Party Application means any software, platform, data sources, software-as-a-service, or other products or services not provided by Unless that are integrated with our Services as described in the Agreement.
Customer will indemnify, defend, and hold UNLESS harmless against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees, and settlement amounts) made or brought against UNLESS by a third party alleging that Personal Data received by UNLESS from Customer or processed by UNLESS in accordance with Customer’s instructions, is in breach of Applicable Law.
Privacy By Design
The UNLESS platform is designed to be sensitive to the Visitors' privacy through several core design choices.
- UNLESS does not collect unnecessary data; we provide a real-time connection that typically gets actioned primarily in the Visitor's browser and sends asynchronous events to verify technical success.
- UNLESS aggregates and anonymizes data insofar possible; minimizing the chances of being able to identify individual visitors.
- UNLESS has extensive technical and physical safeguards protecting our customers' information.
- UNLESS provides Controller with a free Cookie opt-in notification bar to aid Controller in getting the appropriate informed consent from their Visitors.
Data Retention and Destruction
UNLESS will only retain Personal Data for as long as services are provided to Customer under this agreement. Following expiration or termination of the Agreement, UNLESS will delete or return to Customer all Personal Data in its possession as provided in the Agreement except to the extent UNLESS is required by Applicable Law to retain some or all of the Personal Data (in which case UNLESS will implement reasonable measures to prevent the Personal Data from any further processing).
- The Processor is appointed by the Controller to Process Such Personal Data for and on behalf of the Controller as is necessary to provide the Processing services.
- The Controller shall Process Personal Data in accordance with the requirements of the Applicable Laws. For the avoidance of doubt, the Controller's instructions for the Processing of Personal Data shall comply with the Applicable Law and the Processor reserves the right to refuse such instructions if not in compliance with the Applicable Law. The Controller shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which it acquires the Personal Data.
- Processor agrees to notify Controller if it becomes unable to comply with the terms of this Agreement, and take reasonable and appropriate measures to remedy such non-compliance.
The Processor shall process Personal Data for the Purpose as described in this agreement as entered into between Parties.
- Automatically personalize visitors interaction with Controller's online platforms across the web, mobile web, mobile apps and email.
- Build actionable visitor segments in real time, enabling Controller to take instant action via personalization, product/content recommendations, automatic optimization and real-time messaging.
Depending on how the Controller chooses to use the Application Services, the subject matter of Processing of personal data may cover the following types of information.
- Visitor information (first name, last name, etc.);
- Email address;
- Geographical information (City, State, Country, Currency);
- Audience membership, a collection of technical attributes based on real-time identifiers
- IP address;
- Data encoded into the URL or shown in plain format;
- Referring URL and domain;
- Online Identifiers (i.e. online data collected from visitors' devices, applications and protocols which leave traces which may identify them), such as UDID, cookie identifiers, device type, operating system, and browser type.
- Page views, interactions and time on site;
- Data and time when website pages were accessed.
Data Safety, Privacy & Security
- The Processor shall establish data security in accordance with the Applicable Laws. The measures taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems.
- These measures are listed in Exhibit A and outline commercially reasonable security-related policies, standards and practices in line with the complexity of the UNLESS platform.
- The technical and organizational measures are subject to technical process and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time, insofar as the security level of the defined measures is not reduced.
- Customer is responsible for using and configuring the UNLESS platform in a manner which enables Customer to comply with Applicable Laws, including the implementation of appropriate technical and organizational measures.
- UNLESS has appointed a Data Privacy Officer, who can be reached at email@example.com, and who oversees our privacy program.
Upon becoming aware of a Breach Incident, Processor will notify Controller without undue delay and will provide information relating to the Breach Incident as reasonably requested by the Controller. UNLESS will use reasonable endeavours to assist customer in mitigating, where possible, the adverse effects of any Breach Incident.
The Controller agrees to the commissioning of the following Sub-Processors (including, but not limited to, Processors on the Unless website and dashboards) on the condition of a contractual agreement in accordance with applicable data protection laws. This list may be updated from time to time.
Sub-processors for our entire product, including customer and visitor data on the Controller's website:
- Amazon Web Services, hosting and storage
Strictly on our own website and in our dashboard, we use the following processors:
- Stripe, Inc., payment provider for customers only
- Chargebee, automated subscription billing for customers only
- Auth0, identity provider for customer dashboard access
- Intercom, customer messaging platform for customer support
- Mixpanel, product analytics for our dashboard
- Google Analytics, product analytics for our website and dashboard
- Google Tag Manager, tag management system on our website and dashboard
- Mailchimp, email management for onboarding emails and newsletters
- Logrocket, session replay for dashboard analysis
- Retool, customer account data querying and lookup
Furthermore, the Controller agrees to the following.
- Controller provides a general consent to UNLESS to engage onward Sub-Processors (including but not limited to the provision of cloud based analytics services, machine learning and recommendation engines, personalized search and cloud processing), provided that UNLESS has entered into an agreement with Sub-Processor which is equally restrictive to the obligations set forth under this Agreement (the the extent applicable to the services rendered).
- Outsourcing to further Sub-Processors or changing any existing Sub-Processors is permissible if Processor informs the Controller of the identity of the Sub-Processor and the scope of the planned Sub-Processing in writing or in text form, and the controller does not object to the planned Sub-Processing in writing or in text within 10 business days. The Controller shall not unreasonably object to the planned Sub-Processing.
- UNLESS may transfer and process Personal Data to and in other locations around the world where UNLESS or its Sub-Processors may perform data processing as necessary to provide Application Services.
- If UNLESS Processes Personal Data from the EEA, EU or Switzerland, UNLESS shall ensure that it (or the relevant Sub-Processor) has a legally approved mechanism in place to allow for the international transfer of data (i.e. Privacy Shield for the US)
The Processor may support integrations with certain third-party platforms or applications. These integrations can be activated by Controller at will.
By enabling such Third-party Applications, Controller authorizes Processor to access the Controller’s accounts at such third-party application for the purposes described in this Agreement. Controller may be required to input their credentials in order for Processor to access such Third-party Applications.
Controller is responsible for complying with any relevant terms and conditions of the provider of the Third-party Application. Controller acknowledges and agrees that Processor has no responsibility or liability for any Third-party Application, or any data exported to a Third-party Application.
Processor does not guarantee that it will maintain any integrations with any Third-party Application, and Processor may disable such integrations at any time with or without notice to Controller.
- This Agreement, including Exhibits attached, supersedes any and all prior agreements (Excluding Terms of Service and Privacy Agreement), understandings, negotiations and discussions of the Parties.
- The provisions in this Agreement are severable; if any phrase, clause or provision is invalid or unenforceable in whole or in part, this shall only affect such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.
Your site and visitor data are safe with UNLESS. There are a number of steps we take to ensure only Controller can access your site data and that your visitors' privacy is respected.
All usage data that Unless collects is stored electronically in Ireland, Europe on the Amazon Web Services infrastructure. Our application servers and database servers run inside an Amazon VPC, Virtual Private Cloud. The databases containing visitor and usage data are only accessible from the application servers and no outside sources are allowed to connect to the database. Our data retention times are no longer than 365 days.
- Site visitors are assigned an unique user identifier, UUID, so that Unless can keep track of returning visitors without relying on any personal information, such as the IP address.
- IP addresses of visitors are always suppressed before being stored. We set the last octet of IPv4 addresses, all connections to Unless are made via IPv4, to 0 to ensure the full IP address is never written to disk. For example, if a visitor's IP address is 126.96.36.199, it will be stored as 188.8.131.52. The first three octets of the IP address are only used to determine the geographic location of the visitor.
Data collection and transmission
- Firewalls are in place exposing only the necessary ports through the internet and between different servers. Intrusion protection system (IPS) software is in place as a second layer of security, which will block access as soon as any suspicious login activity is detected.
- Unless transmits data from the visitor's browser to our systems using HTTPS.
- The protocols and ciphers suite used to encrypt data in transfer is available at the end of this article.
Data access and authentication
Only Unless engineers which require such access to perform their job efficiently are given access. Different engineers are given different access rights on different system components as well depending on what their job requires. Engineers who do have access, have their own credentials and these are only valid when used from specific IPs. SSH Key-Based authentication is used for server access.
Data collected through Unless is exclusively reserved for use by our users and customers. Unless does not make use of the data collected in any form or way unless consent is officially given by an admin of the Unless account, clearly outlining what the data will be used for.
Data access and backup
At Unless we use DynamoDB continuous backups to keep your data safe in the case of system failure. Full database backups are taken continuously, and are kept for thirty five days as an electronic copy.
Compliance, certifications and audit reports:
- Unless is compliant with Payment Card Industry (PCI) Data Security Standard. We use Chargebee’s hosted pages (SAQ A compliance - https://www.chargebee.com/security/pci/) and Stripe (https://stripe.com/docs/security/stripe).
- Unless uses Auth0 for secured logins and fully encrypted identity management: https://auth0.com/security.
- Cloud security: https://aws.amazon.com/security/.