Global Data Processing Addendum
This Global Data Processing Addendum (this “Addendum”) is incorporated into the Agreement and is effective as of the Agreement or Order Form (defined in the Agreement) signature date (the “Effective Date”) by and between SOCi, Inc. and its affiliates as applicable (“SOCi”) and Customer (as defined in the Agreement). SOCi and Customer are referred to individually as a “Party” and collectively as the “Parties.”
Whereas the Parties entered into one or more agreements in which SOCi agreed to perform Services (as defined below) on behalf of Customer (the “Agreement”), and the Parties wish to amend the Agreements to address requirements imposed by applicable Privacy Laws, the Parties agree as follows:
1. Definitions
1.1 “Covered Personal Information” means personal information or personal data provided by or uploaded by Customer to the SOCi Services, processed by SOCi on behalf of Customer, or otherwise made available to SOCi pursuant to the Agreements. For avoidance of doubt, Covered Personal Information does not include Customer Content, Derivative Content, or SOCi Content (each as defined in the Agreement), which is defined in the Agreement as content that is publicly posted by Customer (or its Users) to Networks (as defined in the Agreement), publisher sites or any other third-party site that Customer may access and publicly publish to via the SOCi Services. Covered Personal Information also does not include User login information, or any Output generated by Customer’s use of the AI Services (as defined in the Agreement).
1.2 “Portable Format” means to the extent technically feasible a structured, commonly used, machine readable, readily usable format that allows the consumer to transmit the Covered Personal Information to another entity or controller without hindrance, as further specified in the Privacy Laws.
1.3 “Privacy Laws” means applicable statutes, regulations or other laws pertaining to privacy or data protection, processing of Personal Information, and/or information security, including, but not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”); United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”); the revised Swiss Federal Act on Data Protection (“revFADP”); Brazil Law No. 13,709/2018 (General Law for the Protection of Personal Data or “LGPD”); Personal Information Protection and Electronic Documents Act (“PIPEDA”); California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (“VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (“CPA”), the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (“UCPA”), the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. PA 22-15 § 1 et seq. (“PDPOM”); the Personal Information Protection Law of the People’s Republic of China (“PIPL”); and any other applicable federal or state laws or regulations regarding information privacy that are in effect or will come into effect during the term of the Agreements.
1.4 “2021 Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses).
1.5 “Services” means SOCi’s SaaS social media and marketing platform made available by SOCi to Customer to use as defined in the Agreements.
1.6 “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom.
1.7 “Third Countries” means countries that are not recognized by the Privacy Laws as countries providing adequate protection of Personal Information.
1.8 The terms “business,” “business purposes,” “consumer,” “controller,” “data subject,” “personal data,” “personal information,” “process” or “processing,” “processor,” “sell,” “sensitive data,” “sensitive personal information,” “service provider,” “share,” “subcontractor,” and “supervisory authority” shall have the meanings given to those terms in the Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.
1.9 Capitalized terms not otherwise defined shall have the meaning given to them in the Agreements.
2. Terms of Data Processing
2.1 Data Processing Exhibit – The Parties acknowledge and agree that the details of the processing are provided in Exhibit A, attached hereto.
2.2 Data Processing Instructions – SOCi shall process the Covered Personal Information for the duration of the Agreement (unless otherwise agreed in writing) only (a) as necessary to effect SOCi’s obligations under the Agreements; and/or (b) on documented and customary instructions from Customer, unless otherwise required by applicable law.
2.3 Compliance with Obligations – SOCi represents and warrants that SOCi, its employees, agents, subcontractors, and sub-processors (a) understand and shall comply with the Privacy Laws and this Addendum while providing the Services, (b) will provide the level of privacy protection required by the Privacy Laws, and (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the Privacy Laws. Upon the reasonable request of Customer and in accordance with the requirements of the applicable Privacy Laws, SOCi shall make available to Customer information in SOCi’s possession necessary to demonstrate SOCi’s compliance with this subsection and with applicable Privacy Laws in a manner consistent with SOCi’s obligations under the applicable Privacy Laws.
2.4 Audit Rights – Customer shall have the right to take reasonable and appropriate steps to monitor SOCi’s compliance with this Addendum. SOCi shall cooperate with an audit initiated by Customer, provided that such audit will not unreasonably interfere with the normal conduct of SOCi’s business. Upon the reasonable request of Customer, SOCi shall make available to Customer all information in SOCi’s possession necessary to demonstrate SOCi’s compliance with SOCi’s obligations under this Addendum and the Privacy Laws with respect to Covered Personal Information.
2.5 Compliance Remediation; Termination Rights – SOCi agrees to notify Customer promptly if SOCi determines that it can no longer meet its obligations under applicable Privacy Laws. Upon receiving notice from SOCi in accordance with this subsection, Customer may direct SOCi to take steps as reasonable and appropriate to remediate unauthorized use of Covered Personal Information or terminate the Agreements upon thirty (30) days’ notice.
2.6 Changes to Privacy Laws – To the extent this Addendum requires a Party to comply with the Privacy Laws, compliance will be in accordance the Privacy Laws as in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under the Privacy Laws, it shall not apply until it is so required. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to the applicable Privacy Laws.
2.7 Obligations at Termination – When the Agreements expire, SOCi will discontinue processing and destroy Covered Personal Information without undue delay unless otherwise instructed by Customer.
2.8 Impact Assessments – If applicable, SOCi shall, upon the reasonable request of Customer, provide Customer with such assistance and information as is reasonably necessary to enable Customer to carry out privacy impact assessments, data protection impact assessments, and required consultations with supervisory authorities under applicable Privacy Laws.
3. Limitations on Processing of Covered Personal Information
3.1 Data Restrictions – SOCi will not: (a) sell or share Covered Personal Information, (b) retain, use, or disclose Covered Personal Information for any purpose other than the limited purposes specified in the Agreements and Exhibit A hereto, such as providing the Services to Customer; or (c) unless permitted by applicable Privacy Laws (i) retain, use, or disclose Covered Personal Information outside the direct business relationship with Customer; or (ii) retain, use, or disclose Covered Personal Information for any commercial purpose not specified in the Agreements or Exhibit A hereto.
3.2 Subcontractors; Sub-processors – SOCi shall engage subcontractors or sub-processors that process Covered Personal Information only with Customer’s general written authorization. SOCi’s sub-processors and subcontractors currently listed in Appendix A (as of the date this DPA is executed) are deemed pre-approved. SOCi shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors as described in Appendix A below. Further, SOCi shall ensure that SOCi’s subcontractors or sub-processors who collect, process, store, or transmit Covered Personal Information on SOCi’s behalf agree in writing to the same restrictions and requirements that apply to SOCi in this Addendum and the Agreements with respect to Covered Personal Information, as well as to comply with applicable Privacy Laws.
3.3 Right to Object – Customer may object in writing to SOCi’s appointment of a new subcontractor or sub-processor on reasonable grounds relating to data protection by notifying SOCi in writing within 30 calendar days of receipt of notice in accordance with Section 3.2. In the event Customer objects, SOCi will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Covered Personal Information by the objected-to new subcontractor or sub processor without unreasonably burdening Customer. If SOCi is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable ordering or purchasing documents with respect only to those Services which cannot be provided by SOCi without the use of the objected-to new subcontractor or sub-processor by providing written notice to SOCi. SOCi will refund Customer any prepaid fees covering the remainder of the term of such ordering or purchasing documents following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
4. Consumer and Data Subject Requests
4.1 Taking into account the nature of processing and the information available to SOCi, SOCi shall assist Customer by taking appropriate technical and organizational measures, insofar as this is reasonably practicable, for the fulfillment of Customer’s obligations under Privacy Laws to respond to consumers’ requests to exercise their rights.
4.2 Referral of Direct Requests – SOCi, to the extent SOCi is able to identify that the request is from a consumer whose Covered Personal Information was submitted to the Services by Customer, agrees promptly to refer to Customer applicable consumer requests submitted directly to SOCi related to Covered Personal Information.
4.3 For the purposes of this section, the term “consumer” shall include the term “data subject” as each is defined in the applicable Privacy Laws.
5. Security Controls
5.1 Duty of Confidentiality – SOCi, its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to the Covered Personal Information.
5.2 Security Measures – SOCi shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Covered Personal Information to protect such Covered Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”). Such Security Measures shall meet or exceed applicable industry standards and any obligations set forth in the Agreements or applicable law.
5.3 Access Controls – SOCi shall implement appropriate access controls restricting access to Covered Personal Information to only such employees, agents, subcontractors, and sub-processors as need to know the information in order to perform their obligations in furtherance of the Agreements.
5.4 Security Incident – SOCi will inform Customer without undue delay upon SOCi’s having become aware of any confirmed unauthorized access, destruction, use, modification, or disclosure (each, a “Security Incident”) of any Covered Personal Information (to include, without limitation, any personal data breach as defined by applicable law). SOCi will provide Customer with any information and cooperation reasonably requested by Customer regarding such Security Incident. SOCi shall not provide notice of such Security Incident without the prior written consent of Customer unless required by applicable law.
5.5 Encryption – SOCi will ensure that Covered Personal Information in SOCi’s control is sufficiently protected against unauthorized access and use, including by appropriate encryption, tokenization, or other substantially similar safeguards.
5.6 Security Program – SOCi shall implement a comprehensive written security program that includes industry-standard administrative, technical, and physical safeguards designed to ensure the confidentiality, security, and integrity of Covered Personal Information (“Security Program”). Upon Customer’s reasonable request, SOCi will provide Customer with documentation that demonstrates its compliance with this Section.
6. Inquiries
6.1 Notification of Regulatory Inquiry – In the event that SOCi receives any regulatory inquiry or correspondence regarding Covered Personal Information in which SOCi or Customer is named (an “Inquiry”), SOCi shall, to the extent not prohibited by applicable law or any regulatory authority:
(a) Promptly notify Customer of such Inquiry;
(b) Provide Customer with all copies of documents and correspondence relating to the Inquiry without unduly delay after receipt or delivery of such documents or correspondence;
(c) Not disclose any confidential information of Customer or any affiliated party to the applicable authority without Customer’s prior written consent.
6.2 Response to Inquiry – SOCi shall take all other measures necessary to respond to or otherwise address the Inquiry adequately and in a timely manner.
7. Cross-Border Data Transfers
7.1 Transfer Mechanisms – As applicable to Customer’s use of the Services, with regard to any transfers of Covered Personal Information from the European Economic Area, the United Kingdom, or Switzerland to countries that do not provide adequate protection for such data (as determined by the applicable Privacy Laws) (“Data Transfers”), and except as provided in Sections 7.2 and 7.3 below, the Data Transfers will be conducted pursuant to the EU-U.S. Data Protection Framework (“DPF”) for Personal Data transferred from the European Economic Area, the UK Extension to the EU-U.S. DPF for Personal Data transferred from the United Kingdom (ansd Gibraltar), and the Swiss-U.S. Data Privacy Framework for Personal Data transferred from Switzerland, unless the Parties agree to enter into the 2021 Standard Contractual Clauses in support of such transfer.
7.2 Transfers from the UK – Where the Parties have agreed to the enter into the 2021 Standard Contractual Clauses as an alternative mechanism to the DPF for Data Transfers from the United Kingdom, the UK Addendum (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when it is available and is a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the UK Addendum:
(a) Table 1 (Parties): The contents of Table 1 (Parties) shall be completed with details provided in Exhibit A.
(b) Table 2 (Selected SCCs, Modules, and Selected Clauses):
(i) The Addendum EU SCCs shall be the Approved EU SCCs.
(ii) Module Two (controller-to-processor) will apply.
(iii) In Clause 7, the Parties do not permit docking.
(iv) In Clause 9(a), the Parties select Option 2 and a time period of 30 days.
(v) In Clause 11, the Parties do not select the independent dispute resolution option.
(c) Table 3 (Appendix Information): The list of parties and the description of the transfers are provided in Exhibit A, Part A and Exhibit B, Part A. The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Exhibit B, Part B.
(d) Table 4 (Ending this Addendum when the Approved Addendum Changes): The Parties agree that Exporter may end the Addendum as set out in Section 19 of the UK Addendum.
(e) Conflicts: In the event of any conflict or inconsistency between this Addendum and the UK Addendum with respect to UK data subjects, the UK Addendum shall prevail.
7.3 Transfers from the EEA – Where the Parties have agreed to the enter into the 2021 Standard Contractual Clauses as an alternative mechanism to the DPF for Data Transfers from the European Economic Area and from Switzerland, or for Data Transfers for which the DPF is not available, the 2021 Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the 2021 Standard Contractual Clauses:
(a) Identity of the Parties: The data exporter is Customer, and the data importer is SOCi. Module Two (controller-to-processor) will apply to transfers involving Covered Personal Information.
(b) Conflicts: In the event of any conflict or inconsistency between this Addendum and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.
(c) Appendices: Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in Exhibit A, Part A and Exhibit B, attached hereto.
(d) Transfer Impact Assessments: Upon Customer’s request, SOCi will make available to Customer its documented assessment of its processing of Covered Personal Information hereunder for the purpose of Clause 14.
(e) Specific Provisions: The following specific provisions apply to the 2021 Standard Contractual Clauses:
(i) In Clause 7, the Parties do not permit docking.
(ii) In Clause 9(a), the Parties select Option 2 and a time period of 30 days.
(iii) In Clause 11, the Parties do not select the independent dispute resolution option.
(iv) In Clause 17 (Option 2), the Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, or if the date exporter is not established in an EU Member State, they shall be governed by the laws of the Republic of Ireland.
(v) In Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland.
(f) For data transfers governed by Switzerland’s revFADP, the 2021 Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under revFADP until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the 2021 Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in revFADP.
7.4 Transfers from Brazil – The Parties agree to amend this Addendum and adopt such mechanism for restricted transfers as is required by Brazil’s data protection domestic authority and provided that such mechanism is compatible with this Addendum.
8. Miscellaneous
8.1 Severability – If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.
8.2 Survival – All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.
8.3 General – Except as expressly set forth herein, the terms of the Agreements shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreements and the terms of this Addendum, the terms of this Addendum shall control. Headers are for convenience and do not affect the interpretation of the terms of this Addendum.
DETAILS OF DATA PROCESSING
A. PARTIES
| Role of Data Exporter | For purposes of the Agreements and this Addendum, Customer is the sole Party that determines the purposes and means of processing Covered Personal Information as the “business” or “controller.” To the extent of any cross-border data transfers described in Exhibit B, Customer is the data exporter. |
| Address | To be provided by Customer |
| Contact Person’s Name, Position, and Contact Details | To be provided by Customer |
| Name of Data Importer | SOCi, Inc |
| Role of Date Importer | For purposes of the Agreements and this Addendum, SOCi processes Covered Personal Information on behalf of Customer as a “processor” or “service provider.” To the extent of any cross-border data transfers described in Exhibit B, SOCi is the data importer. |
| Address | Mailing/Notices: 8605 Santa Monica Blvd PMB 47149 West Hollywood, California 90069-4109 Headquarters: 350 10th Avenue, Suite 101 San Diego, CA 92101 |
| Contact Person’s Name, Position, and Contact Details | Inquiries should be addressed to SOCi’s legal and privacy team via email at: [email protected] |
B. PROCESSING TERMS
| Duration of the processing | SOCi agrees to process Covered Personal Information solely as instructed in the Agreements and this Addendum for the duration of the provision of the Services to Customer, and the longer of such additional period as: (i) is specified in any provisions of the Agreements regarding data retention; and (ii) is required for compliance with law. |
| Nature of the processing | Such processing as is necessary to enable the SOCi to comply with its obligations and exercise its rights under the Agreements, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities. |
| Purpose of the processing | SOCi agrees to process Covered Personal Information for limited and specified purposes described in the Agreements, this Addendum, or as otherwise directed by authorized personnel or Users of Customer in writing (email acceptable). CPRA Mandatory Disclosure: The specific business purposes are (select): ☐ Auditing: Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards. ☒ Security & Integrity: Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes. ☒ Repair Functionality: Debugging to identify and repair errors that impair existing intended functionality. ☒ Short-term, transient use: Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. ☒ Performing services on behalf of Client: Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. ☐ Advertising & Marketing: Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers. ☐ Internal Research: Undertaking internal research for technological development and demonstration. ☒ Quality & Safety: Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. |
| Type of personal data processed | The Covered Personal Information concerns the following categories of data: Names, email addresses, addresses, IP addresses, usernames, logins, online identifiers, and images, and any other information of end users on 3rd party social media network sites that engage with Customer Users and (as those terms are defined in the Agreement) may provide via public or private message; names, email, phone numbers, and login information of Customer Users of the Services. |
| Types of sensitive personal data/information processed | The Covered Personal Information concerns the following sensitive personal data/information: Dependent on Customer’s use of the Services, but generally no sensitive personal data/information should be collected in connection with Customer’s use of the Services. |
| Categories of data subjects | Customers, Users and Customers’ end users or consumers, or on social media networks and publisher sites |
| Obligations and rights of the Parties | As set out in the Agreement. |
CROSS-BORDER DATA TRANSFERS
A. DESCRIPTION OF CROSS-BORDER DATA TRANSFERS (IF APPLICABLE)
| Categories of data subjects whose personal data is transferred | Customers, Users and Customers’ end consumers or on social media networks, publisher sites, and survey respondents (if purchased) sent to or completed by Customers’ end consumers. |
| Categories of personal data transferred | Dependent upon Customer’s use of the Services, categories of personal data may include: Names, email addresses, addresses, IP addresses, usernames, logins, online identifiers, and images, and any other information of end users on 3rd party social media network sites that engage with Customer Users and (as those terms are defined in the Agreement) may provide via public or private message; names, email, or phone numbers. |
| Types of sensitive (or special categories of) data transferred and applicable restrictions or safeguards | Dependent on Customer’s use of the Services, but generally no sensitive data should be collected in connection with Customer’s use of the Services. SOCi does not intentionally process sensitive data or special categories of data, in connection with Customer’s use of the Services. Customer should not upload sensitive data or special categories of data to the Services. |
| Frequency of the transfer | Continuous during the Agreement term |
| Purpose of the data transfer and further processing | Provision of the Services as set forth in the Agreements. |
| Sub-processor transfers | Transfers to sub-processors, as described in Appendix A hereto and maintained and updated on SOCi’s website at www.meetsoci.com/subprocessors, will occur where necessary for the provision of the Services in accordance with the Agreements and this Addendum solely for the term of the Agreements. |
| Competent Supervisory Authority | EEA data subjects: Republic of Ireland UK data subjects: United Kingdom Switzerland data subjects: Swiss Federal Data Protection and Information Commissioner |
B. TECHNICAL & ORGANIZATIONAL MEASURES
Data Importer will, at a minimum, implement the following types of security measures:
SOCi has implemented technical and administrative safeguards to protect Personal Data or Personal Information (as defined under applicable Privacy Laws), where applicable to the SOCi Platform and Subscription Services, against security incidents, which include the following security measures (all capitalized terms used herein are defined in Customer’s Agreement or as defined under applicable Privacy Laws):
- Information security policy: SOCi has implemented a written information security policy that mandates the use of appropriate technical and organizational security measures in SOCi’s organization to protect Personal Data or Personal Information (as defined under applicable privacy laws) against unauthorized and unlawful processing and against accidental loss, damage or destruction as well as appropriate measures in the event of an actual or suspected data or security breach.
- Security Function: SOCi has designated a security committee tasked with responsibility for development, implementation, and maintenance of the SOCi’s information security practice. SOCi employs a VP of Information Security to oversee the information security function, and a Virtual Security Team (VST) to actively manage security issues.
- Physical security: SOCi’s Servers hosting Customer Data are secured in Amazon Data Centers and Google Cloud. Refer to https://aws.amazon.com/compliance/data-center/controls/ and/or https://cloud.google.com/security/compliance for details.
- Logical security: SOCi supports and recommends customers’ use of Single-Sign-On. To the extent that customers use customized login for its SOCi instance, SOCi saves a secure hash of the password, not the password itself.
- Network security: SOCi relies on Amazon Web Services and Google Cloud network protection features to protect Personal Data and to safeguard from threats. SOCi also conducts independent pen tests and periodic assessment of security setup. SOCi has implemented appropriate network security controls both in internal network and cloud network systems.
- Encryption: SOCi encrypts data at rest, uses HTTPS by default for all internet traffic and uses secure protocols to connect to Social Media service providers and other third-party systems. All encryption utilizes industry standard encryption techniques.
- Access controls: SOCi has implemented role-based access controls that restrict access to Personal Data it processes to duly authorized employees and contractors who require access only to the extent necessary for the performance of their duties. SOCi has appointed a system administrator with overall responsibility for granting, changing or voiding data access privileges to its data processing systems. Access is controlled by multiple technical systems, and administrative access is logged.
- Usernames and Passwords: Access to Personal Data is controlled through access privileges (described above), usernames and confidential passwords. No two Users may share or use the same username. Users will be required to change their passwords on a regular basis. All User passwords have a minimum character requirement.
- Back-up: SOCi has taken and will continue to take regular, at least weekly, back-ups of the Personal Data that it processes on behalf of the data exporter. Data back-ups are stored securely in different availability zones and will be available for data restoration in the event of catastrophic system failure and non-catastrophic system failure or user error.
- Disaster Recovery and Business Continuity: SOCi has implemented appropriate disaster recovery and business continuity plans that ensure the availability, security, integrity and (where necessary) restoration of the Personal Data on the occurrence of a business interruption event. Business continuity and incident response processes are tested at least annually.
- Audit: SOCi will audit its compliance with the agreement between SOCi and Customer and its information security policy at least once per annum or in the event of a material change. Any remedial measures identified as necessary following an audit will be remediated in the order of severity. SOCi has multiple independent audits performed each year. A copy of SOCi’s current audit reports will be provided upon request.
- Secure Disposal: SOCi has implemented policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed.
SUB-PROCESSORS
Customer authorizes SOCi to engage the following Sub-processors:
SOCi uses certain sub-processors (“Sub-processors”) to assist in providing limited services on its behalf.
SOCi’s Sub-processors provide infrastructure, data storage, system logging services, and other tools that facilitate the delivery of the Services including customer support and email communications. These Sub-processors may be provided access to Covered Personal Information; however, only to the extend necessary to support the Services.
As part of SOCi’s commitment to keep Covered Personal Information secure, SOCi evaluates Sub-processors’ privacy and security practices prior to engaging them. SOCi also requires Sub-processors to enter into data processing agreements that protect Covered Personal Information and incorporates data protection obligations consistent with applicable Privacy Laws.
In the event SOCi removes or adds new Sub-processors, SOCi will post updates at https://www.meetsoci.com/subprocessors at least thirty (30) days prior to adding or removing a Sub-processor. For questions about SOCi’s Sub-processors, please reach out to [email protected]. Customer may subscribe to receive regular updates as to SOCi’s Sub-processors at https://www.meetsoci.com/signup-subprocessors.
| Sub-processor | Purposes of sub-processing | Geographical Location | Subprocessor security website links |
|---|---|---|---|
| Amazon Web Services, Inc | AWS Hosting of SOCi Platform | USA | https://aws.amazon.com/s3/security/ https://aws.amazon.com/security/ https://aws.amazon.com/compliance/data-center/controls/ |
| Amazon Web Services, Inc | Content delivery network (CDN) used by SOCi to optimize content delivery. | Based on Customer’s User Locations | https://aws.amazon.com/s3/security/ https://aws.amazon.com/security/ https://aws.amazon.com/compliance/data-center/controls/ |
| Google Cloud Services | GC Hosting of SOCi Platform and Ignite/B1 Platforms | USA | https://cloud.google.com/security |
| Google Cloud Services | Content delivery network (CDN) used by SOCi to optimize content delivery. |
Based on Customer’s User/Locations | https://cloud.google.com/security |
| Microsoft Corporation | Microsoft Hosting of Ignite/B! Platforms | USA | https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all |
| Salesforce | Internal Customer Relationship Management Platform | USA | https://security.salesforce.com/ |
| Twilio, Inc (dba Sendgrid) | Cloud Service Provider – In-App Email Delivery | USA | https://sendgrid.com/policies/security/ |
| Bandwidth | SMS Messaging API for SOCi’s Survey Product | USA | https://www.bandwidth.com/security/ |
| Pendo.io | Email Marketing | USA | https://security.salesforce.com/ |
| Zendesk | Trouble Ticket System and Solution Articles Guide | USA | https://support.zendesk.com/hc/en-us/articles/360036130213-Zendesk-s-secure-by-design-cloud-solution |
| Gainsight | Internal Customer Relationship Management Platform | USA | https://www.gainsight.com/security/ |
| Atlassian/Jira | Internal Project Management Platform | USA EU |
https://www.atlassian.com/trust/compliance/resources/gdpr https://www.atlassian.com/trust/security |
| Cloudflare, Inc. | Content delivery network used by SOCi to optimize content delivery. | Global Based on Customer’s user/location countries |
https://www.cloudflare.com/trust-hub/compliance-resources/ |
| New Relic, Inc. | Application performance monitoring, infrastructure and network monitoring, and error capturing. SOCi may provide End User or dashboard Customer metadata, such as user identifiers, to New Relic for support and application troubleshooting and to improve performance of the SOCi Services. | USA | https://docs.newrelic.com/docs/security/overview/ |
| Elasticsearch Inc. | Elastic Cloud SaaS product used for data storage and querying. Managed Elastic Search hosting. Support services, including performance of diagnostic measures and troubleshooting | USA EU |
https://www.elastic.co/security-and-compliance |
SOCi is a U.S.-based company with engineering and customer success teams. We primarily store Customer information in the United States. To facilitate our global operations, SOCi may transfer such information to, and access it from, other countries (showing in the table below) for the purposes described in this Addendum and/or the Agreement. Whenever SOCi transfers Customer Covered Personal Information originating in the EEA, the UK, or Switzerland with a Sub-Processor or subcontractor outside the EEA, the UK, or Switzerland, SOCi implements appropriate safeguards, consistent with the applicable Privacy Laws of the territory from which the Covered Personal Information is exported. For example, where transfers are made from the EEA, SOCi relies on the EU standard contractual clauses, including supplementary measures as necessary.
| Countries | Recipient | Compliance mechanism* |
|---|---|---|
| United States | SOCi | Standard Contractual Clauses |
| Canada, Australia, Brazil, Mexico, Argentina, Poland, Turkey, Pakistan, Ukraine, Ghana, Lebanon, Nigeria, India, Jordan, Gambia, North Macedonia, Egypt, Kenya EU Countries include: Estonia, Finland, France, Spain, Poland, Croatia, Czech Republic, Lithuania. |
SOCi Engineering, Developer Support (hired via Deel, Inc) | Standard Contractual Clauses |
| Philippines | SOCi Customer Success team (hired via KMC Solutions) |
Cookie Settings
Terms of Service
Privacy Notice
Information Security
Accessibility Statement
Contact
Your Privacy Choices
Download our Mobile App
This site uses chatbots to record your interactions on our site for our consent recordkeeping and provide customer support. Our technology provider may also collect and aggregate this data on our site for their purposes. See our Privacy Notice to learn more about our privacy practices.