Last Modified: October 9, 2024
PLEASE READ THIS DATA PROCESSING AGREEMENT (“DPA”), INCLUDING ITS SCHEDULES, CAREFULLY. BY ENTERING INTO THE TERMS OF SERVICE (“AGREEMENT”) WITH BRIGHTMETRICS, CUSTOMER AGREES ALSO TO THE TERMS AND CONDITIONS OF THIS DPA.
I. Introduction/Scope
This Brightmetrics Data Processing Agreement is an addendum to and, with its Schedules (collectively, “DPA”) incorporated herein by reference into the Terms of Service (“Agreement”) between Brightmetrics and Customer, effective upon Customer’s execution of the Agreement.
Table of Contents
I. Introduction/Scope
II. Definitions
III. Relationship & Obligations of the Parties
IV. Sub-Processors
V. Security
VI. Audits & Assessments
VII. Data Subject/Consumer Requests
VIII. Processing Location(s); International Data Transfers
IX. General Provisions
Schedule 1. Details of Processing
Schedule 2. Security: Technical and Organizational Measures
Schedule 3. EEA/Switzerland Transfers
Schedule 4. UK Transfers
Schedule 5. United States – State Laws
II. Definitions
Any capitalized term used but not defined in the body of this DPA has the meaning provided to it in the Agreement.
“Account Data”: Records related to managing or otherwise administering Customer’s account with Brightmetrics (as opposed to by use of the System), including without limitation payments and billing; Contact Data.
“Administrative User”: Customer’s employee executing the Agreement on Customer’s behalf.
“Agent”: Customer’s employee or other agent who responds to Callers.
“Agreement”: The Terms of Service entered into between Brightmetrics and Customer.
“Applicable Data Protection Law(s)”: All laws and regulations, if, where, and to the extent applicable to Brightmetrics’ processing of Personal Data as a result of the Agreement, which may include, without limitation, in the United States and its States, the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”), all as may be amended and replaced from time to time.
“Brightmetrics Data”: Account Data; marketing history with Contacts; and Usage Data that has been De-Identified (defined in Section 6.5 of the Agreement).
“Caller”: Any identified or identifiable natural person who places a call to a Customer telephone, which call is processed by the System.
“Caller Data”: For calls to Customer telephones processed by the System, Caller’s telephone number, name (if provided), time and duration of call, reason for contact (if/as annotated in System by Agent). If Customer purchases Transcript Services, also audio, recording, and/or transcript of call.
“Clauses”: Then-current Standard Contractual Clauses of the European Economic Area (“EEA”) for certain international transfers of Personal Data, described in DPA Section VIII and Schedule 3.
“Contact(s)”: Customer’s representative(s) acting as a point of contact with Brightmetrics, including without limitation the Administrative User.
“Contact Data”: Contacts’ names, work e-mail addresses, work telephone numbers/extensions, title/role, company/affiliation.
“Customer” or “you”: The Brightmetrics customer identified in the Agreement.
“Customer Data”: All information processed or stored through the System by Customer or on Customer’s behalf, provided however, for the avoidance of doubt (a) Customer Data does not include Account Data; or Usage Data that has been De-Identified (defined in Section 6.5 of the Agreement); and (b) for purposes of this definition, use of the System by Guests is considered “by Customer” or “on Customer’s behalf.”
“Customer Personal Data”: Personal Data of Users, and whether or not they are Users, of Agents, Callers, and Guests, which is processed by Brightmetrics as a result of the Agreement (for avoidance of doubt, excludes Contact Data).
“Guest”: Any of Customer’s clients or customers or other third parties to which Customer gives access to the System, including without limitation such companies’ agents and employees.
“Instructions”: Customer instructs Brightmetrics to process Customer Personal Data, only in accordance with Applicable Data Protection Laws, to (a) provide, secure, and monitor the System, provide the Offerings, and otherwise administer and satisfy the Agreement and relationship between Brightmetrics and Customer; and (b) as further specified via Customer’s use of the System and the Professional Services, and (c) as otherwise documented in written instructions by Customer, including this DPA.
“Offerings”: For purposes of this DPA “Offerings” means the System and Professional Services (as defined in the Agreement), and any other products, Deliverables, or services provided by Brightmetrics pursuant to the Agreement.
“Online Identifiers”: Data, some of which may be Personal Data, collected automatically (by cookies and other technologies) from browsers or the System when the System is accessed, or when Caller or Agent activity is processed by the System. These include without limitation IP addresses, browser characteristics, device characteristics, operating system, language preferences, referring URLs, actions taken during, and dates, times, and duration of, visits.
“On-Premise Components”: Such elements of the System as Customer is to run on its computers, including without limitation computers provided to Customer as infrastructure-as-a-service or otherwise provided by third parties.
“Personal Data”: Information processed by Brightmetrics as a result of the Agreement that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person (and, if/where required by an Applicable Data Protection Law only, also a household or device linked to same), wherever located, subject to exclusions as set forth in Applicable Data Protection Laws. For purposes of this DPA, Personal Data means “Personal information” and terms of similar intent protected under an Applicable Data Protection Law.
“Security Incident”: A confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Usage Data”: Data created by and from calls processed by the System, and/or by use of the System by Users, including without limitation Online Identifiers, and reports including error logs created by the System, Users, and/or Brightmetrics.
“User”: Any company or individual who uses the System on Customer’s behalf or through Customer’s account or passwords, whether authorized or not, including without limitation Customer’s Administrative User and other employees and agents, Customer’s Guests, and Customer’s Guest’s employees and agents.
“User Data”: User’s name, e-mail address, work telephone number/extension, username and encrypted password (“log-in credentials”); User’s Usage Data.
Terms defined in this DPA, or if not defined in the DPA then as defined in the Agreement, or for which definitions in Applicable Data Protection Laws are incorporated herein by reference, will apply to the greatest extent consistent with their meanings to terms of similar effect in Applicable Data Protection Laws that apply to natural persons governed by such laws (including without limitation, “consumer,” “controller,” “data subjects,” “personal data,” “personal information,” “process,” “processing,” “processor”).
III. Relationship & Obligations of the Parties
a. As described in Schedule 1, Customer is the controller of Customer Personal Data (as defined above), and Brightmetrics is the processor. Brightmetrics will process Customer Personal Data only pursuant to Customer’s Instructions, except to the extent otherwise permitted or required by law.
b. Schedule 1 describes the nature and purposes of processing Customer Personal Data.
c. Customer shall ensure: (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Offerings, and its Instructions to Brightmetrics; (b) it has, and will continue to have, the right to transfer, and provide access to, the Personal Data to Brightmetrics as described in the Agreement and this DPA; and (c) that Customer provides to individuals any and all notices relating to this Agreement that are required by Applicable Data Protection Law and, if/where applicable, obtains their consent.
d. Certain DPA terms apply only to particular Personal Data that is subject to an Applicable Data Protection Law requiring that term of this DPA. Neither party has given the other any reason to believe it cannot comply with this DPA or any of its obligations under Applicable Data Protection Law. Each party will inform the other if it becomes aware or reasonably believes that Customer’s Instructions violate any Applicable Data Protection Law, or that either party is no longer able to comply with its obligations under the DPA or Applicable Data Protection Law.
e. Confidential Information. Customer Personal Data is Customer’s Confidential Information, and all information identified in this DPA as Brightmetrics’ Confidential Information is Brightmetrics’ Confidential Information, each governed by Article 9 (Confidential Information) of the Agreement, provided that notwithstanding Article 9 of the Agreement it remains Confidential Information regardless of whether it becomes known publicly.
f. Notwithstanding the foregoing, Brightmetrics may use and disclose Customer Data, including Customer Personal Data, and Brightmetrics Data (i) in the event Brightmetrics sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation), in which case such data will be among the assets transferred to the buyer or acquirer; (ii) for fraud and Security Incident prevention and investigation; and (iii) as required by applicable law or by proper government authority, subject to Section 6.8 (Required Disclosure) of the Agreement and, if applicable, the Clauses. Further, Customer agrees that the Agreement, including the DPA, does not limit Brightmetrics’ use or disclosure of Brightmetrics Data (as defined above), including without limitation to improve or create Brightmetrics’ products and services; analytics; and to communicate with Customer through its Contacts regarding Brightmetrics’ or other products and services that may be of interest to Customer (subject to Customer’s or Contacts’ right to opt out of marketing at any time); provided however, Brightmetrics will not sell, nor disclose to a third party for that third party’s commercial purposes, Personal Data (if any) within Brightmetrics Data (such as of Contacts); if Brightmetrics Data contains Personal Data that is subject to Applicable Data Protection Law, Brightmetrics acts as its controller, it being understood that De-Identified Data is not Personal Data.
IV. Sub-Processing
a. Customer agrees that Brightmetrics may, and Customer grants general authorization to Brightmetrics to, engage sub-Processors (which may be referred to as “subcontractors” in the Agreement) of Personal Data with respect to the Agreement.
b. Where required by Applicable Data Protection Law, Brightmetrics’ written agreements with its sub-Processors impose upon them the level of data protection required for Customer Personal Data by the Agreement, including this DPA (and the Clauses, where applicable), as and to the extent applicable to the services each sub-Processor provides.
c. Brightmetrics maintains a list of the names and locations of all such sub-Processors, published with at least 30 days’ prior notice of the addition or removal of any sub-Processor (“30 Day Notice Period”), available at https://brightmetrics.com/sub-processors. You can request that notices of changes be e-mailed to you by subscribing through the form on Brightmetrics’ website.
d. Where Applicable Data Protection Law provides Customer the right to object to sub-Processors (only): Customer may object by notifying [email protected] within the 30 Day Notice Period. At Brightmetrics’ discretion, the parties may discuss the objection to determine if a commercially reasonable resolution may be available. If resolution is not reached, Customer may suspend or terminate the affected Service in accordance with the termination provisions of the Agreement, without liability, provided that suspension or termination does not relieve Customer of its obligation to compensate Brightmetrics for Offerings performed prior to the suspension or termination.
e. Brightmetrics is responsible for its sub-Processors’ compliance with its obligations pursuant to this DPA, and for any of their acts or omissions that cause Brightmetrics to breach its obligations.
f. Where Applicable Data Protection Law provides a right that sub-Processor agreements be disclosed to Customer (only): (i) commercial information, proprietary or sensitive information, and any other information unnecessary for compliance with Applicable Data Protection Law will be redacted; (ii) any sub-Processor agreements or portions disclosed shall be Brightmetrics’ Confidential Information governed by Article 9 (Confidential Information) of the Agreement; and (iii) this Section IV.f satisfies Brightmetrics’ obligations as to disclosure of sub-Processor agreements under Applicable Data Protection Law including without limitation the Clauses (where applicable).
V. Security
a. Brightmetrics has implemented, and will maintain throughout the term of the Agreement, reasonable administrative, physical, and technical safeguards, consistent with good industry practices, to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, Customer Personal Data. All information shared with Customer (or prospective customers) about Brightmetrics’ security practices is Brightmetrics’ Confidential Information, governed by Article 9 (Confidential Information) of the Agreement.
b. A summary of Brightmetrics’ current security practices is set forth in Schedule 2.
c. To the extent not addressed in Schedule 2, on Customer’s (or prospective customer’s) reasonable request (and, at Brightmetrics’ option, execution by Customer or prospective customer of a separate non-disclosure agreement) Brightmetrics may provide a reasonable additional summary of referenced policies.
d. Customer acknowledges that the degree of security Brightmetrics may provide for transfers of Customer Personal Data from Customer to Brightmetrics will be affected and may be limited by Customer’s systems and protocols (for example, if Customer’s systems are not as up-to-date as required to fully enable Brightmetrics’ then-preferred or available type of encryption in transit, or if Customer’s data sources do not support encryption in transit from the On-Premise Components). Customer is urged to provide data sources which support encryption in transit. If Customer nonetheless deploys the On-Premise Components for collection from a data source that does not support encryption in transit, Customer shall not deploy components which are intended for on-premise deployment on public networks including the internet, and shall only deploy them within the security perimeter of a private network which Customer controls and monitors. Customer is solely responsible for any Security Incident resulting from its systems and protocols.
e. Security Incidents
Brightmetrics will notify Customer without undue delay after Brightmetrics confirms or reasonably suspects a Security Incident impacting Customer Personal Data. Brightmetrics will notify Customer’s representative identified in Agreement Section 14.2. Brightmetrics will make reasonable efforts to identify the cause of any Security Incident and shall (i) provide Customer with a description of the Security Incident, including the type of Customer Personal Data and the approximate number of individuals and records potentially impacted; (ii) take reasonable actions to minimize the effects of the Security Incident; and (iii) provide timely information and reasonable cooperation for Customer to meet any obligations Customer has under Applicable Data Protection Law to report or inform data subjects or relevant data protection authorities. All information regarding a Security Incident shall be Brightmetrics’ Confidential Information, governed by Article 9 (Confidential Information) of the Agreement. Brightmetrics’ efforts, including notices, with regard to Security Incidents shall neither be interpreted nor construed as an admission of fault or liability by Brightmetrics.
VI. Audits & Assessments
Customer, upon reasonable notice to Brightmetrics, may take reasonable and appropriate steps to help ensure that Brightmetrics uses Customer Personal Data in a manner consistent with the Agreement, including this DPA, and the parties’ obligations under Applicable Data Protection Law. Without limiting the generality of the foregoing:
a. Audits
i. Upon Customer’s written request, at reasonable intervals Brightmetrics will make available to Customer a summary of Brightmetrics’ most recent vulnerability assessment (“Audit Report”), which is Brightmetrics’ Confidential Information governed by Article 9 (Confidential Information) of the Agreement. Customer agrees that any audit rights granted by Applicable Data Protection Law (including, if and where applicable, Article 28(3) of the GDPR (defined in DPA Section VIII), and the Clauses) will be satisfied by these Audit Reports.
ii. Additionally, if Customer and Brightmetrics agree or if required by government authorities consistent with Applicable Data Protection Law, and at Customer’s expense (where consistent with Applicable Data Protection Law), Brightmetrics will provide reasonable assistance for, and cooperate with, a mutually agreed-upon audit plan (“Independent Audit”) which shall: (a) use an independent third party; (b) provide at least 30 days’ advance written notice to Brightmetrics; (c) request access only during Brightmetrics’ standard business hours; (d) occur no more than once annually; (e) restrict its findings to Customer Personal Data, not data of other Brightmetrics customers; (f) obligate Customer to keep confidential any information gathered that, by its nature, should be confidential; and (g) provide a full copy of the audit results and report to Brightmetrics, which information described in subsections (f) and (g) is Brightmetrics’ Confidential Information governed by Article 9 (Confidential Information) of the Agreement. Customer agrees that any audit rights granted by Applicable Data Protection Law (including, where applicable, Article 28(3) of the GDPR, and the Clauses) will, if/to the extent not satisfied by the Audit Reports, be satisfied by this Independent Audit.
b. Assessments/Consultations
Where a Personal Data assessment other than as described above (e.g., data protection and/or transfer impact assessment) is required of a party by Applicable Data Protection Law, including by government authorities: If necessary in addition to the DPA, the details provided in Schedules 1 and 2, and Schedule 3 and its Annexes 1 and 2 (where applicable), Brightmetrics will reasonably cooperate with and assist Customer in connection with such assessments, or consultations with government authorities, that may be required under Applicable Data Protection Law (at Customer’s expense if/to the extent permitted by Applicable Data Protection Law). Such assessments are the parties’ respective Confidential Information governed by Article 9 (Confidential Information) of the Agreement.
VII. Data Subject/Consumer Requests
a. If any request, correspondence, inquiry or complaint from a data subject or consumer is made directly to Brightmetrics in connection with Brightmetrics’ processing of Customer Personal Data, Brightmetrics will promptly inform Customer (unless doing so is prohibited by law).
b. Unless legally obligated to do so in its own role, Brightmetrics will not respond to any data subject or consumer who makes a request to Brightmetrics regarding his/her Personal Data (such as exercising a “right to know,” or “to be forgotten”) that is Customer Personal Data, except (at its option, or if required to do so by Applicable Data Protection Law) to confirm that the request relates to Customer.
c. Brightmetrics will, taking into account the nature of the processing, to the extent required by Applicable Data Protection Law provide reasonable assistance to enable Customer to respond to data subjects and consumers. Where Customer requests such assistance, Customer shall not transmit to, or otherwise provide Brightmetrics access to, any Customer Personal Data other than the minimum amount necessary for Brightmetrics to assist Customer with data subject/consumer requests. Customer agrees to use any tools Brightmetrics’ System makes available to assist Customer in fulfilling Customer’s obligations under Applicable Data Protection Laws, including but not limited to Customer’s importing of and deleting Customer Personal Data from the System. If Customer is unable to reasonably do so on its own, Brightmetrics will, at Customer’s request, delete (which may include by De-Identifying) or return Customer Personal Data to Customer, including that identifying data subjects and consumers.
d. Customer is responsible for information that resides on its systems or those of Customer’s call-center providers.
e. Nothing in the Agreement or this DPA restricts Brightmetrics from asserting rights or defenses it may have under Applicable Data Protection Laws, including without limitation related to data subject or consumer requests.
VIII. Processing Location(s); International Data Transfers
a. Brightmetrics’ processing facilities, and those of some or all of its sub-Processors, are or may be in the United States of America, in a country or State that may provide different or lesser protections for Personal Data than applicable where Customer does business or where data subjects/consumers are located whose Personal Data may be processed as a result of the Agreement.
b. Mechanisms for Transfers: Standard Contractual Clauses/UK Addendum
Customer, as the party with knowledge of whether it is subject to laws outside the United States, and whether any Personal Data processed by Brightmetrics as a result of the Agreement is likely to originate from outside the United States, is responsible for determining if a supplemental contractual mechanism is required to transfer Personal Data to Brightmetrics. Customer has determined that the Offerings and this DPA (including applicable Schedule(s) and Annexes) meet Customer’s obligations with respect to processing of Personal Data by Brightmetrics, and for transfers of Personal Data to Brightmetrics. Where applicable to the Personal Data and the Agreement, Customer and Brightmetrics agree to the following contractual mechanism(s) as the lawful basis/bases for transfers to Brightmetrics of Personal Data:
(i) originating from the European Economic Area (“EEA”) and/or Switzerland (respectively), where subject to the “GDPR” (General Data Protection Regulation (EU) 2016/679) and/or Swiss Data Protection Laws (respectively), the 2021 Standard Contractual Clauses (European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, “SCCs”) (Schedule 3),
and/or (as applicable)
(ii) originating from the United Kingdom, where subject to UK Data Protection Laws, the “UK Addendum” to the SCCs (UK Information Commissioner’s International Data Transfer Addendum version B1.0 in force 21 March 2022) (Schedules 3 and 4).
Brightmetrics recognizes that laws regarding personal data are rapidly evolving around the world. For transfers of Personal Data originating from and subject to the law of other jurisdictions outside the United States that you believe may require other or modified clauses (if any), see Section IX(b) (Updates/Amendments).
c. Additional privacy/security measures: Data Privacy Frameworks
Brightmetrics is self-certified to the EU-U.S. Data Privacy Framework (the “EU-US DPF”), the Swiss-US Data Privacy Framework, and the UK Extension to the EU-U.S. DPF programs operated by the U.S. Department of Commerce (collectively, the “Frameworks”). Brightmetrics intends to maintain its Framework certifications during the term of this DPA, until such time as the U.S. federal government determines it will no longer enforce one or more of the Frameworks, or Brightmetrics determines any are no longer useful to its customers. Brightmetrics does not solely rely on the Frameworks as the lawful bases for a Transfer (as described in Schedules 3 and 4). More information is available by searching for “Brightmetrics” here: https://www.dataprivacyframework.gov/list.
IX. General Provisions
a. No Waiver
Nothing in the Agreement, including this DPA, waives or purports to waive either party’s obligations, defenses, or other rights pursuant to law, including without limitation Applicable Data Protection Laws. In the event that Customer requests Brightmetrics to assist, cooperate, or provide documents because of a data protection law, as a condition to complying Brightmetrics may (in addition to fees, where consistent with Applicable Data Protection Law) require Customer to identify the data protection law on which Customer relies; if Brightmetrics determines such law is inapplicable to the Agreement, or if applicable does not require what is requested, Brightmetrics may decline Customer’s request.
b. Updates/Amendment
i. Brightmetrics may amend the DPA, and any Schedule, from time to time by following the procedure described in Section 14.12 of the Agreement.
ii. Brightmetrics recognizes that laws regarding personal data are rapidly evolving. If you believe terms different from those addressed in the Agreement or DPA (including its Schedules and Annexes) are required to comply with law applicable to you and the Agreement, please contact [email protected].
iii. If the terms set forth herein, as amended from time to time, do not satisfy a party’s obligations pursuant to Applicable Data Protection Law, it may, without liability, following notice to the other pursuant to the Agreement, suspend Transfer or processing of the affected Personal Data, or terminate the Agreement, provided however that termination does not relieve Customer of its obligation to compensate Brightmetrics for Offerings performed prior to termination.
c. Regulatory Penalties/Indemnities
Unless required otherwise by Applicable Data Protection Law: Neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of Applicable Data Protection Law. For the avoidance of doubt, Section 11.3 (Litigation & Additional Terms) of the Agreement shall apply to any indemnification obligation imposed by Applicable Data Protection Law; and nothing in the Agreement including this DPA is intended to restrict nor restricts compensation rights of data subjects or consumers, responsibility for which as between the parties shall be determined by Applicable Data Protection Law.
SCHEDULE 1 to Data Processing Agreement
DETAILS OF PROCESSING
I. Customer Personal Data
A. LIST OF PARTIES
Customer
Contact Details: The e-mail address(es) designated in Customer’s account via its notification preferences.
Signature/Date: Customer is deemed to have signed this Schedule as of the Agreement’s Effective Date.
Role: Controller of Customer Personal Data
Brightmetrics, Inc.
Contact Details: [email protected], P.O. Box 750789, Petaluma, CA 94975, United States, 707-238-4455
Signature/Date: Brightmetrics is deemed to have signed this Schedule as of the Agreement’s Effective Date.
Role: Processor of Customer Personal Data
B. DESCRIPTION OF PROCESSING AND TRANSFER
Brightmetrics provides a call center data analytics computer system (the “System”) which consists of technology hosted on Brightmetrics’ computers and accessed remotely, via the Internet, as well as software hosted on customers’ computers. (Such computers of each party include, without limitation, any computers leased to it or provided by third parties as platform-as-a-service or infrastructure-as-a-service). Brightmetrics may also provide professional services. Pursuant to the Terms of Service (“Agreement”) between Brightmetrics and Customer, the parties have agreed that Brightmetrics will provide the System to Customer, as well as such professional services as the parties may agree, now and pursuant to future Orders or statements of work. Section I of this Schedule describes the processing of Customer Personal Data (as defined in the DPA), and (as applicable) transfer of Customer Personal Data between exporter (Customer) and importer (Brightmetrics), and vice versa.
Categories of data subjects: As defined in the DPA, Administrative User, Agent(s), Caller(s), Guest(s), User(s).
Categories of personal data: As defined in the DPA, Agent Data, Caller Data (audio, recording, and/or transcript of a call being included only if Customer purchases Transcript Services), Online Identifiers, Usage Data, User Data, all subject to Customer’s obligations including without limitation pursuant to DPA Section III(c).
Sensitive data: Brightmetrics does not expect to receive sensitive data, as that and similar terms are used in Applicable Data Protection Laws, except for: User log-in credentials (if and where such data are “sensitive” for purposes of Applicable Data Protection Law). For the avoidance of doubt, Customer shall not disclose protected health information (“PHI”) unless and until the parties execute a Business Associate Agreement (“BAA”). Customer may request Brightmetrics’ BAA by contacting [email protected]. For any reason, Brightmetrics may decline to enter into a BAA with Customer or as to a particular Agreement, and if Brightmetrics so declines, Customer shall not disclose any PHI to Brightmetrics.
Brightmetrics does not have access to the content of calls; nor do its sub-Processors, unless Customer purchases Transcript Services. Any sensitive data received will be processed in accordance with the DPA.
Frequency of the transfer: Continuous.
Nature of the processing: Where consistent with the Agreement, DPA and Customer’s Instructions, Brightmetrics may collect, use, store, analyze, otherwise access, and disclose Customer Personal Data. Customer is responsible for information that resides on its systems or those of Customer’s call-center providers. Brightmetrics does not have access to the content of calls; nor do its sub-Processors, unless Customer purchases Transcript Services.
Purpose(s) of the transfer and further processing: As described in Section B (Description of Processing and Transfer) above, Brightmetrics processes Customer Personal Data to provide the Offerings in accordance with the Agreement and Customer’s Instructions.
Retention period: Customer Personal Data is retained while needed to provide the Offerings and troubleshoot the System, and where otherwise consistent with Brightmetrics’ rights and obligations pursuant to the Agreement and applicable law. Following expiration or termination of the Agreement, Customer Personal Data is generally deleted (which may include by being De-Identified) within 60 days, unless longer retention is required by law.
Sub-Processors: Brightmetrics’ current sub-Processors for Customer Personal Data are identified and described at https://brightmetrics.com/sub-processors.
II. Brightmetrics Data
The parties recognize that not all data protection laws apply to all parties or transactions or data, and that some do not apply (or may apply differently) to personal data in commercial, or employment contexts (e.g., with regard to Customer’s Contacts). Customer acknowledges that Customer Personal Data does not include Brightmetrics Data (both as defined in the DPA). Brightmetrics Data includes, for example, Contacts’ names, work e-mail addresses, work telephone numbers/extensions, title/role, company/affiliation. If any Brightmetrics Data is Personal Data subject to Applicable Data Protection Law, as to such data Brightmetrics is the controller. Brightmetrics’ use and disclosure of Brightmetrics Data is described in DPA Section III.f.
SCHEDULE 2 to Data Processing Agreement
SECURITY: TECHNICAL AND ORGANIZATIONAL MEASURES
Customer acknowledges that the degree of security Brightmetrics may provide for transfers of Customer Personal Data from Customer to Brightmetrics will be affected and may be limited by Customer’s systems and protocols. Subject to Customer’s obligations described in DPA Section V(d), Brightmetrics makes available encryption to protect Customer Personal Data in transit and at rest.
(a) Data in transit: Customer is urged to provide data sources which support encryption in transit. Where Customer’s data sources support encryption in transit, Customer Personal Data will be protected by Secure Sockets Layer (“SSL”) and Transport Layer Security (“TLS”) encryption over HTTPS connections, and unencrypted HTTP connection attempts are redirected to use HTTPS. Brightmetrics uses strong cryptography and avoids cryptographic mechanisms known to be weak. Regular vulnerability assessments are conducted to detect potential weaknesses or misconfiguration of encrypted communications.
(b) Data at rest is protected using 256-bit Advanced Encryption Standard (“AES”) encryption in a Federal Information Processing Standard (“FIPS”) 140-2 compliant environment. (FIPS 140-2, a United States government standard from the National Institute of Standards and Technology (“NIST”), is an internationally recognized cryptographic standard).
Where Brightmetrics De-Identifies data, it removes information that identifies or could reasonably be used to identify a natural person, a household, a Guest, or Customer.
In addition to measures described elsewhere in this Schedule 2:
Brightmetrics’ Information Security policy defines security-specific roles and responsibilities, and details components of the Information Security Program. This includes alignment with global best practices, continuous improvement, risk assessment, security awareness training, gap analysis through assessments and audits, business continuity and disaster recovery planning, incident management and communication, change management, and vulnerability management.
Brightmetrics’ Network Security policy describes minimum acceptable security configurations for remote access, and security controls including encryption, authentication methods, network protocols, physical security, and logging. Network security controls are regularly reviewed and configured for zero-trust wherever possible through use of firewalls, access control lists, and network isolation.
Brightmetrics’ Information Classification policy organizes categories of information according to the risk of loss or harm from disclosure, for example, “public,” “internal,” and “confidential” classifications. Confidential Information (including Customer Personal Data) receives the highest level of safeguards. Safeguards like De-Identification and encryption are employed, as appropriate, to mitigate risks.
Brightmetrics’ Data Disposal policy describes proper disposal procedures for Confidential Information in cloud data storage repositories, as well as on computer hard drives or other forms of electronic media.
Brightmetrics’ Vendor Management policy actively manages risks around third parties (e.g., sub-Processors) and their access, including to Customer Personal Data, through contract requirements, risk assessment, oversight and monitoring, and termination of access.
Brightmetrics requires its staff to comply with security controls as a condition of continued employment, including without limitation secure device configuration, automatic software updates, encryption, password usage in compliance with Brightmetrics’ policies, screen locks, and physical security measures. Brightmetrics staff are required to take annual information security training.
Brightmetrics’ Incident Management policy provides guidelines for managing Security Incidents that threaten the confidentiality, integrity, or availability of Brightmetrics’ information assets (including Customer Personal Data). The policy describes roles and responsibilities, handling procedures, severity classification, and post-mortem activities.
Brightmetrics’ Business Continuity and Disaster Recovery policy strives to ensure Brightmetrics can quickly recover from natural and human-made disasters while continuing to support customers and other stakeholders. This policy includes a Business Continuity Plan (“BCP”) and a Disaster Recovery Plan (“DRP”).
Brightmetrics uses a formal risk assessment methodology to identify, evaluate, and mitigate information security risks. This methodology includes identifying strategic objectives, identifying and analyzing risks likely to affect those objectives, mitigation planning, and periodic management review of a risk register which tracks identified risks and mitigation progress.
Brightmetrics regularly performs internal and external vulnerability scans, assessments, and penetration tests against its networks and applications. Its Business Continuity and Disaster Recovery policy provides for periodic exercising or testing of its BCP and DRP.
Brightmetrics actively establishes direction and requirements for its staff’s access to Customer Personal Data; requires Brightmetrics staff to have unique access credentials and use strong passwords (consistent with NIST SP 800-63B Digital Identity Guidelines); exercises least-privilege access levels as much as possible; and trains its staff about the responsibility their access level provides.
Customer is responsible for identifying to Brightmetrics who are to be Customer’s Users (including Guests), and Customer is to create and disable such Users within the Brightmetrics System. Customer’s Users are responsible for selecting and protecting their log-in credentials. Brightmetrics encrypts Users’ passwords.
Physical access to Brightmetrics’ offices is controlled and recorded using an electronic access control system. Access credentials are unique for each individual, and visitors must be escorted. Brightmetrics’ System data are stored in data centers, security for which Brightmetrics’ third party provider is responsible pursuant to its agreement with Brightmetrics. Brightmetrics expects such data centers to control access and maintain physical security.
Brightmetrics’ System is configured to log events such as administrative activities, logon attempts, and data deletion. Logging configuration is audited periodically and reviewed annually.
Brightmetrics’ Change Management policy guides a change management process to mitigate risks including information corruption or destruction, adverse impact to users, performance degradation, or unavailability. Baseline configurations are maintained for information systems and their components, and any changes must be reviewed and approved.
See above, for example Brightmetrics’ Information Security and Network Security policies.
The amount and type of data Brightmetrics collects depends on the products or services customers choose and how customers use them. If a customer chooses to share Customer Personal Data with Brightmetrics (including so Brightmetrics can better customize accounts and services), Brightmetrics will process it in accordance with the DPA.
Customer is responsible for the content in the data sources from which the On-Premise Components collect data and transmit it to Brightmetrics.
With respect to requests from data subjects/consumers, Customer is advised, in DPA Section VII(c) (Data Subject/Consumer Requests), not to transmit or otherwise provide Brightmetrics access to any Customer Personal Data other than the minimum amount necessary to assist Customer with such requests.
As set forth in Section 6.8 (Data Accuracy) of the Agreement, Customer is responsible for the accuracy of data Users upload to the System.
See above, for example Brightmetrics’ Vendor Management and staff policies.
See above, for example Brightmetrics’ Data Disposal policy.
As described in Section VII of the DPA, Customer shall use any tools Brightmetrics’ System makes available for importing and deleting Customer Personal Data; if Customer cannot reasonably do so on its own, Brightmetrics will, at Customer’s request, delete (which may include by De-Identifying) or return Customer Personal Data to Customer.
For sub-Processors processing Customer Personal Data, Brightmetrics considers sub-Processors’ security and privacy practices relevant to their access to Customer Personal Data and the scope of services they are engaged to provide, and subjects sub-Processors to written agreements with appropriate security, confidentiality, and privacy terms governing Customer Personal Data.
SCHEDULE 3 to Data Processing Agreement
Transfers from the EEA/Switzerland
Standard Contractual Clauses
I. Introduction/Scope
For this Schedule 3 to apply to your Agreement with Brightmetrics, in addition to the DPA, you (“Customer”) must transfer Customer Personal Data that is subject to the GDPR or Swiss Data Protection Laws (as applicable) pursuant to the Agreement.
II. Transfer Mechanism
As appropriate safeguards for transfer by a data exporter to a data importer of Customer Personal Data of data subjects of the EEA and/or Switzerland (as applicable) that is subject to the GDPR or Swiss Data Protection laws (as applicable) (“Transfer”), the “SCCs,” linked here, are incorporated herein by reference. (“SCCs” means European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (GDPR)). The parties agree as follows:
(a) Customer acts as data controller and Brightmetrics as data processor as to Customer Personal Data;
(b) Modules Two (controller to processor) and Four (processor to controller) of the SCCs apply, with the Operative Provisions identified below.
III. Operative Provisions
Nothing in the Agreement, including the DPA, is intended to modify or contradict any SCCs, or prejudice the fundamental rights or freedoms of data subjects under Applicable Data Protection Laws of the EEA or Switzerland (as applicable).
A. EEA
Clause 7 (Docking): This optional clause is inapplicable to this Agreement.
Clause 9(a) (Use of sub-processors): Option Two (general sub-processor authorization) applies, and Annex III is therefore inapplicable; the notice period is 30 days.
Clause 11 (Redress): The optional additional redress option is inapplicable to this Agreement.
Clause 17 (Choice of law): Option One applies. For Module Two, the Clauses shall be governed by the law of the Republic of Ireland; for Module Four the Clauses shall be governed by the laws of the United States, or if its laws do not allow for third-party beneficiary rights then the laws of the Republic of Ireland.
Clause 18(b) (Choice of forum and jurisdiction): Any dispute arising from the Clauses shall be resolved by the courts of the country designated in Clause 17.
B. Switzerland
Where Swiss Data Protection Laws apply (except as to Transfers of Personal Data from data subjects subject exclusively to Swiss Data Protection Laws), references in the Clauses to GDPR or Member State law, or obligations determined by a Member State in which the data exporter or data subject is established, shall have the meaning of the equivalent references in Swiss Data Protection Laws; the Swiss Federal Data Protection Information Commissioner shall act as competent supervisory authority; for data subjects habitually resident in Switzerland, the courts of Switzerland are an alternative jurisdiction; the Clauses apply to data relating to an identified or identifiable legal entity (not just natural persons) only until Swiss Data Protection Laws no longer apply to a legal entity.
IV. Brightmetrics Data
Customer acknowledges that Customer Personal Data does not include Brightmetrics Data (both as defined in the DPA). Brightmetrics Data includes, for example, Contacts’ names, work e-mail addresses, work telephone numbers/extensions, title/role, company/affiliation. If any Brightmetrics Data is Personal Data subject to the data protection laws of the EEA or Switzerland, as to such data Brightmetrics is the controller, and the parties agree to Module 1 (controller to controller) and the Operative Provisions set forth in Section III, above.
ANNEX I to SCHEDULE 3 of Data Processing Agreement
A. LIST OF PARTIES
Module Two (controller to processor):
Data Exporter: Customer
Contact Details: The e-mail address(es) designated in Customer’s account via its notification preferences.
Signature/Date: By executing the Terms of Service (“Agreement”), Customer is deemed to have signed this Schedule as of the Agreement’s Effective Date.
Role: Controller of Customer Personal Data
Data Importer: Brightmetrics, Inc.
Contact Details: [email protected], P.O. Box 750789, Petaluma, CA 94975, United States, 707-238-4455
Signature/Date: Brightmetrics is deemed to have signed this Schedule as of the Agreement’s Effective Date.
Role: Processor of Customer Personal Data
Module Four (processor to controller):
For any Transfers of Customer Personal Data subject to Module Four (processor to controller), Brightmetrics serves as exporter and Customer as importer.
B. DESCRIPTION OF TRANSFER
The parties agree that the nature and purposes of the processing of Customer Personal Data (defined in the DPA), including its Transfer, are as set forth in Section I of DPA Schedule 1. If any Brightmetrics Data is Personal Data subject to the data protection laws of the EEA or Switzerland, as to such data Brightmetrics is the controller, as described in Section II of DPA Schedule 1, and Module One applies to Transfers.
Lawful bases of processing: Performance of contract; legitimate interests (not overridden by interests or fundamental rights and freedoms of a data subject); consent; as applicable.
Lawful basis of transfer (appropriate safeguards pursuant to Art. 46 GDPR): Standard Contractual Clauses (described in DPA Schedule 1).
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
For Transfers pursuant to Module Two:
The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, shall act as competent supervisory authority.
ANNEX II to SCHEDULE 3 of Data Processing Agreement
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The parties agree that security measures appropriate given the nature and purposes of processing, including Transfer, are as set forth in Schedule 2 of the DPA, and the SCCs.
SCHEDULE 4 to Data Processing Agreement
Transfers from United Kingdom
UK Addendum to EU SCCs
I. Introduction/Scope
For this Schedule 4 to apply to your Agreement with Brightmetrics, in addition to the DPA, you (“Customer”) must transfer Customer Personal Data that is subject to “UK Data Protection Laws” (the UK General Data Protection Regulation, as amended by the Data Protection Act 2018) pursuant to the Agreement.
II. Transfer Mechanism
As appropriate safeguards for the transfer by a data exporter to a data importer of Customer Personal Data of data subjects that is governed by UK Data Protection Laws (“Transfers”), the parties agree as follows:
(a) Customer acts as data controller and Brightmetrics as data processor as to Customer Personal Data;
(b) The “UK Addendum” to the “SCCs” applies, as set forth here. (“SCCs” means the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (GDPR); “UK Addendum” means the UK Information Commissioner’s International Data Transfer Addendum version B1.0 in force 21 March 2022).
(c) Modules Two (controller to processor) and Four (processor to controller) of the SCCs apply.
III. Operative Provisions
The Operative Provisions described in Section III(a) of Schedule 3 are incorporated herein by reference (as modified by the UK Addendum).
IV. Brightmetrics Data
Customer Personal Data does not include Brightmetrics Data (both as defined in the DPA). Brightmetrics Data includes, for example, Contacts’ names, work e-mail addresses, work telephone numbers/extensions, title/role, company/affiliation. If any Brightmetrics Data is Personal Data subject to UK Data Protection Laws, as to such data Brightmetrics is the controller, and the parties agree the UK Addendum (including the Operative Provisions) shall be deemed modified accordingly, to include Module 1 (controller to controller).
SCHEDULE 5 to Data Processing Agreement
United States – State Laws
This Schedule 5 supplements, without limiting the generality of, the Agreement and the DPA, including Schedules 1 and 2:
5. Brightmetrics recognizes that laws regarding personal data are rapidly evolving. If you believe terms in addition to those addressed in the Agreement, DPA, and above are required under federal or State law of the United States applicable to you and the Agreement, please contact [email protected].
[1] In assessing the appropriate level of security, and the transfer to Brightmetrics and its sub-Processors, the parties have taken due account of the state of the art; the costs of implementation; the nature of the Personal Data (including whether the transfer and further processing involves sensitive data (as defined for purposes of the GDPR) and that it is not expected to involve children); the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects; have considered encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner; and their obligations under the SCCs. The parties recognize the U.S. Federal Government’s September 2020 White Paper (Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II), which included: “Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do.”