Global Data Processing Addendum
This Global Data Processing Addendum (this “Addendum”) is incorporated into the Agreement and is effective as of the Agreement or Order Form (defined in the Agreement) signature date (the “Effective Date”) by and between SOCi, Inc. and its affiliates as applicable (“SOCi”) and Customer (as defined in the Agreement). SOCi and Customer are referred to individually as a “Party” and collectively as the “Parties.”
Whereas the Parties entered into one or more agreements in which SOCi agreed to perform Services (as defined below) on behalf of Customer (the “Agreement”), and the Parties wish to amend the Agreements to address requirements imposed by applicable Privacy Laws, the Parties agree as follows:
1. Definitions
2. Terms of Data Processing
3. Limitations on Processing of Covered Personal Information
4. Consumer and Data Subject Requests
5. Security Controls
6. Inquiries
7. Cross-Border Data Transfers
8. Miscellaneous
DETAILS OF DATA PROCESSING
A. PARTIES
Role of Data Exporter | For purposes of the Agreements and this Addendum, Customer is the sole Party that determines the purposes and means of processing Covered Personal Information as the “business” or “controller.” To the extent of any cross-border data transfers described in Exhibit B, Customer is the data exporter. |
Address | To be provided by Customer |
Contact Person’s Name, Position, and Contact Details | To be provided by Customer |
Name of Data Importer | SOCi, Inc |
Role of Data Importer | For purposes of the Agreements and this Addendum, SOCi processes Covered Personal Information on behalf of Customer as a “processor” or “service provider.” To the extent of any cross-border data transfers described in Exhibit B, SOCi is the data importer. |
Address | Mailing/Notices: 8605 Santa Monica Blvd PMB 47149 West Hollywood, California 90069-4109 Headquarters: 350 10th Avenue, Suite 101 San Diego, CA 92101 |
Contact Person’s Name, Position, and Contact Details | Inquiries should be addressed to SOCi’s legal and privacy team via email at: [email protected] |
B. PROCESSING TERMS
Duration of the processing | SOCi agrees to process Covered Personal Information solely as instructed in the Agreements and this Addendum for the duration of the provision of the Services to Customer, and the longer of such additional period as: (i) is specified in any provisions of the Agreements regarding data retention; and (ii) is required for compliance with law. |
Nature of the processing | Such processing as is necessary to enable SOCi to comply with its obligations and exercise its rights under the Agreements, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities. |
Purpose of the processing | SOCi agrees to process Covered Personal Information for limited and specified purposes described in the Agreements, this Addendum, or as otherwise directed by authorized personnel or Users of Customer in writing (email acceptable). CPRA Mandatory Disclosure: The specific business purposes are (select): ☐ Auditing: Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards. ☒ Security & Integrity: Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes. ☒ Repair Functionality: Debugging to identify and repair errors that impair existing intended functionality. ☒ Short-term, transient use: Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. ☒ Performing services on behalf of Client: Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. ☐ Advertising & Marketing: Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers. ☐ Internal Research: Undertaking internal research for technological development and demonstration. ☒ Quality & Safety: Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. |
Type of personal data processed | The Covered Personal Information concerns the following categories of data: Names, email addresses, addresses, IP addresses, usernames, logins, online identifiers, and images, and any other information of end users on 3rd party social media network sites that engage with Customer Users and (as those terms are defined in the Agreement) may provide via public or private message; names, email, phone numbers, and login information of Customer Users of the Services. |
Types of sensitive personal data/information processed | The Covered Personal Information concerns the following sensitive personal data/information: Dependent on Customer’s use of the Services, but generally no sensitive personal data/information should be collected in connection with Customer’s use of the Services. |
Categories of data subjects | Customers, Users and Customers’ end users or consumers, or on social media networks and publisher sites |
Obligations and rights of the Parties | As set out in the Agreement. |
CROSS-BORDER DATA TRANSFERS
A. DESCRIPTION OF CROSS-BORDER DATA TRANSFERS (IF APPLICABLE)
Categories of data subjects whose personal data is transferred | Customers, Users and Customers’ end consumers or on social media networks, publisher sites, and survey respondents (if purchased) sent to or completed by Customers’ end consumers. |
Categories of personal data transferred | Dependent upon Customer’s use of the Services, categories of personal data may include: Names, email addresses, addresses, IP addresses, usernames, logins, online identifiers, and images, and any other information of end users on 3rd party social media network sites that engage with Customer Users and (as those terms are defined in the Agreement) may provide via public or private message; names, email, or phone numbers. |
Types of sensitive (or special categories of) data transferred and applicable restrictions or safeguards | Dependent on Customer’s use of the Services, but generally no sensitive data should be collected in connection with Customer’s use of the Services. SOCi does not intentionally process sensitive data or special categories of data, in connection with Customer’s use of the Services. Customer should not upload sensitive data or special categories of data to the Services. |
Frequency of the transfer | Continuous during the Agreement term |
Purpose of the data transfer and further processing | Provision of the Services as set forth in the Agreements. |
Sub-processor transfers | Transfers to sub-processors, as described in Appendix A hereto and maintained and updated on SOCi’s website at www.meetsoci.com/subprocessors, will occur where necessary for the provision of the Services in accordance with the Agreements and this Addendum solely for the term of the Agreements. |
Competent Supervisory Authority | EEA data subjects: Republic of Ireland; UK data subjects: United Kingdom; Switzerland data subjects: Swiss Federal Data Protection and Information Commissioner |
B. TECHNICAL & ORGANIZATIONAL MEASURES
Data Importer will, at a minimum, implement the following types of security measures:
SOCi has implemented technical and administrative safeguards to protect Personal Data or Personal Information (as defined under applicable Privacy Laws), where applicable to the SOCi Platform and Subscription Services, against security incidents, which include the following security measures (all capitalized terms used herein are defined in Customer’s Agreement or as defined under applicable Privacy Laws):
- Information security policy: SOCi has implemented a written information security policy that mandates the use of appropriate technical and organizational security measures in SOCi’s organization to protect Personal Data or Personal Information (as defined under applicable privacy laws) against unauthorized and unlawful processing and against accidental loss, damage or destruction as well as appropriate measures in the event of an actual or suspected data or security breach.
- Security Function: SOCi has designated a security committee tasked with responsibility for development, implementation, and maintenance of SOCi’s information security practice. SOCi employs a VP of Information Security to oversee the information security function, and a Virtual Security Team (VST) to actively manage security issues.
- Physical security: SOCi’s Servers hosting Customer Data are secured in Amazon Data Centers and Google Cloud. Refer to https://aws.amazon.com/compliance/data-center/controls/ and/or https://cloud.google.com/security/compliance for details.
- Logical security: SOCi supports and recommends customers’ use of Single-Sign-On. To the extent that customers use customized login for their SOCi instance, SOCi saves a secure hash of the password, not the password itself.
- Network security: SOCi relies on Amazon Web Services and Google Cloud network protection features to protect Personal Data and to safeguard from threats. SOCi also conducts independent pen tests and periodic assessment of security setup. SOCi has implemented appropriate network security controls both in internal network and cloud network systems.
- Encryption: SOCi encrypts data at rest, uses HTTPS by default for all internet traffic and uses secure protocols to connect to Social Media service providers and other third-party systems. All encryption utilizes industry standard encryption techniques.
- Access controls: SOCi has implemented role-based access controls that restrict access to Personal Data it processes to duly authorized employees and contractors who require access only to the extent necessary for the performance of their duties. SOCi has appointed a system administrator with overall responsibility for granting, changing or voiding data access privileges to its data processing systems. Access is controlled by multiple technical systems, and administrative access is logged.
- Usernames and Passwords: Access to Personal Data is controlled through access privileges (described above), usernames and confidential passwords. No two Users may share or use the same username. Users will be required to change their passwords on a regular basis. All User passwords have a minimum character requirement.
- Back-up: SOCi has taken and will continue to take regular, at least weekly, back-ups of the Personal Data that it processes on behalf of the data exporter. Data back-ups are stored securely in different availability zones and will be available for data restoration in the event of catastrophic system failure and non-catastrophic system failure or user error.
- Disaster Recovery and Business Continuity: SOCi has implemented appropriate disaster recovery and business continuity plans that ensure the availability, security, integrity and (where necessary) restoration of the Personal Data on the occurrence of a business interruption event. Business continuity and incident response processes are tested at least annually.
- Audit: SOCi will audit its compliance with the agreement between SOCi and Customer and its information security policy at least once per annum or in the event of a material change. Any remedial measures identified as necessary following an audit will be remediated in the order of severity. SOCi has multiple independent audits performed each year. A copy of SOCi’s current audit reports will be provided upon request.
- Secure Disposal: SOCi has implemented policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed.
SUB-PROCESSORS
Customer authorizes SOCi to engage the following Sub-processors:
SOCi uses certain sub-processors (“Sub-processors”) to assist in providing limited services on its behalf.
SOCi’s Sub-processors provide infrastructure, data storage, system logging services, and other tools that facilitate the delivery of the Services including customer support and email communications. These Sub-processors may be provided access to Covered Personal Information; however, only to the extent necessary to support the Services.
As part of SOCi’s commitment to keep Covered Personal Information secure, SOCi evaluates Sub-processors’ privacy and security practices prior to engaging them. SOCi also requires Sub-processors to enter into data processing agreements that protect Covered Personal Information and incorporate data protection obligations consistent with applicable Privacy Laws.
In the event SOCi removes or adds new Sub-processors, SOCi will post updates at https://www.meetsoci.com/subprocessors at least thirty (30) days prior to adding or removing a Sub-processor. For questions about SOCi’s Sub-processors, please reach out to [email protected]. Customer may subscribe to receive regular updates as to SOCi’s Sub-processors at https://www.meetsoci.com/signup-subprocessors.
Sub-processor | Purposes of sub-processing | Geographical Location | Subprocessor security website links |
---|---|---|---|
Amazon Web Services, Inc | AWS Hosting of SOCi Platform | USA | https://aws.amazon.com/s3/security/ https://aws.amazon.com/security/ https://aws.amazon.com/compliance/data-center/controls/ |
Amazon Web Services, Inc | Content delivery network (CDN) used by SOCi to optimize content delivery. | Based on Customer’s User Locations | https://aws.amazon.com/s3/security/ https://aws.amazon.com/security/ https://aws.amazon.com/compliance/data-center/controls/ |
Google Cloud Services | GC Hosting of SOCi Platform and Ignite/B1 Platforms | USA | https://cloud.google.com/security |
Google Cloud Services | Content delivery network (CDN) used by SOCi to optimize content delivery. | Based on Customer’s User/Locations | https://cloud.google.com/security |
Microsoft Corporation | Microsoft Hosting of Ignite/B1 Platforms | USA | https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all |
Salesforce | Internal Customer Relationship Management Platform | USA | https://security.salesforce.com/ |
Twilio, Inc (dba Sendgrid) | Cloud Service Provider – In-App Email Delivery | USA | https://sendgrid.com/policies/security/ |
Bandwidth | SMS Messaging API for SOCi’s Survey Product | USA | https://www.bandwidth.com/security/ |
Pendo.io | Email Marketing | USA | https://security.salesforce.com/ |
Zendesk | Trouble Ticket System and Solution Articles Guide | USA | https://support.zendesk.com/hc/en-us/articles/360036130213-Zendesk-s-secure-by-design-cloud-solution |
Gainsight | Internal Customer Relationship Management Platform | USA | https://www.gainsight.com/security/ |
Atlassian/Jira | Internal Project Management Platform | USA EU | https://www.atlassian.com/trust/compliance/resources/gdpr https://www.atlassian.com/trust/security |
Cloudflare, Inc. | Content delivery network used by SOCi to optimize content delivery. | Global Based on Customer’s user/location countries | https://www.cloudflare.com/trust-hub/compliance-resources/ |
New Relic, Inc. | Application performance monitoring, infrastructure and network monitoring, and error capturing. SOCi may provide End User or dashboard Customer metadata, such as user identifiers, to New Relic for support and application troubleshooting and to improve performance of the SOCi Services. | USA | https://docs.newrelic.com/docs/security/overview/ |
Elasticsearch Inc. | Elastic Cloud SaaS product used for data storage and querying. Managed Elastic Search hosting. Support services, including performance of diagnostic measures and troubleshooting | USA EU | https://www.elastic.co/security-and-compliance |
SOCi is a U.S.-based company with engineering and customer success teams. We primarily store Customer information in the United States. To facilitate our global operations, SOCi may transfer such information to, and access it from, other countries (shown in the table below) for the purposes described in this Addendum and/or the Agreement. Whenever SOCi transfers Customer Covered Personal Information originating in the EEA, the UK, or Switzerland with a Sub-Processor or subcontractor outside the EEA, the UK, or Switzerland, SOCi implements appropriate safeguards, consistent with the applicable Privacy Laws of the territory from which the Covered Personal Information is exported. For example, where transfers are made from the EEA, SOCi relies on the EU standard contractual clauses, including supplementary measures as necessary.
Countries | Recipient | Compliance mechanism* |
---|---|---|
United States | SOCi | Standard Contractual Clauses |
Canada, Australia, Brazil, Mexico, Argentina, Poland, Turkey, Pakistan, Ukraine, Ghana, Lebanon, Nigeria, India, Jordan, Gambia, North Macedonia, Egypt, Kenya EU Countries include: Estonia, Finland, France, Spain, Poland, Croatia, Czech Republic, Lithuania. | SOCi Engineering, Developer Support (hired via Deel, Inc) | Standard Contractual Clauses |
Philippines | SOCi Customer Success team (hired via KMC Solutions) |