Last updated: July 20, 2023
This Data Processing Agreement ("DPA") supplements the Darwin CX Subscription Service Agreement or other services agreement or equivalent agreement governing Customer's use of the Services, as updated from time to time by and between Darwin CX, LLC ("Darwin") and Customer governing Customer's use of the Services (the "Agreement"). This DPA is an agreement between the entity you represent ("Customer", "you" or "your") and Darwin CX, LLC. ("Darwin,"" "we" or "our"). Capitalized terms not otherwise defined herein shall have such meanings as set forth in the Agreement. In the event that Darwin Processes any Customer Personal Data (each as defined below) in the course of providing the Services to Customer under the Agreement, this DPA shall govern the Processing of such Customer Personal Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail solely with respect to the Processing of Customer Personal Data. Customer and Darwin hereby agree as follows:
By checking the "Accept DPA" box while signing up for, or managing, your Services account, you agree to be legally bound by this DPA. You represent and warrant that the entity or individual making the election to include the Standard Contractual Clauses (the "SCCs") in the DPA has the authority to do so. We reserve the right to modify this DPA for any reason. You should look at this DPA regularly and the "Last Updated" date at the beginning of this DPA. We'll use reasonable efforts to give you notice of these modifications, such as by posting notice of modifications on this web page, through the Services, or via email. By continuing to use the Services after we make these modifications, you agree that you will be subject to the modified DPA with respect to Customer Personal Data uploaded or stored on or after the date of the notice; however, we will not apply the modifications to the DPA retroactively to Customer Personal Data uploaded or stored before the date of the notice unless you affirmatively consent. If you do not agree to the terms of the DPA as modified pursuant to this paragraph, you must discontinue your use of the Services.
Customer (a) acknowledges and agrees that it is the Controller of all Customer Personal Data provided by Customer to Darwin (in the course of Customer's use of the Services or otherwise) or collected by Darwin on Customer's behalf, and (b) hereby appoints Darwin as a Processor of such Customer Personal Data.
The following capitalized terms used in this DPA shall be defined as follows:
(a) "Controller" shall mean (i) a "controller" as that term is defined by the GDPR, (ii) a "business" as that term is defined by the CCPA, and/or (iii) any equivalent term under other Data Privacy Laws.
(b) "Customer Personal Data" means (i) "personal data" as defined in the GDPR, (ii) “personal information” as defined in the CCPA, and/or (iii) any equivalent term as defined in Data Privacy Laws, all as further described in Annex 1 to this DPA, and any other personal data that Darwin Processes on Customer's behalf in connection with Darwin's provision of the Services.
(c) "Data Privacy Laws" means (i) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR"), as well as any applicable national implementing legislation; (ii) the California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy Rights Act of 2020 ("CPRA"); and (iii) any other data privacy laws that are presently applicable or may in the future become applicable to Customer and/or Customer Personal Data, each of the foregoing as they may be amended, replaced or superseded from time to time.
(d) "Data Subject" has the meaning given in the GDPR, and shall also include "consumers" as defined by the CCPA as well as other equivalent terms under Data Privacy Laws.
(e) "European Economic Area" or "EEA" means the Member States of the European Union and Switzerland.
(f) "Processing" has the meaning given in the GDPR or the equivalent term under other Data Privacy Laws.
(g) "Processor" shall mean (i) a “processor” as that term is defined by the GDPR, (ii) a "service provider" as that term is defined by the CCPA, and/or (iii) any equivalent term under other Data Privacy Laws.
(h) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data. Laws.
(i) "Subprocessor" means any Processor engaged by Darwin to whom Darwin discloses Customer Personal Data.
(j) "Supervisory Authority" has the meaning given in the GDPR or the equivalent term under other Data Privacy Laws.
Instructions for Data Processing. Darwin will only Process Customer Personal Data in accordance with Customer's written instructions. Except as may be otherwise required by Data Privacy Laws, the Agreement, including all addendums thereto, and this DPA shall be Customer's sole, complete, and final instructions to Darwin in relation to the processing of Customer Personal Data. To the extent applicable Data Privacy Laws permit Customer to provide supplemental processing instructions to Darwin, Darwin reserves the right to make corresponding reasonable adjustments to its fee schedule and/or to charge reasonable administrative fees commensurate with the costs of any new required processing activities.
Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior express written agreement between Darwin and Customer, setting forth additional instructions for such Processing. Without limiting the foregoing, Darwin agrees that it will not "sell" Customer Personal Data within the meaning of applicable Data Privacy Laws, or "share" Customer Personal Data within the meaning of the CPRA. Where required by Data Privacy Laws, Darwin also will not combine Customer Personal Data with other personally identifiable information it receives from or on behalf of others or in its own capacity, except as permitted by such Data Privacy Laws.
Lawful Basis. Customer hereby represents and warrants to Darwin that it has obtained all necessary consents, or established an alternative lawful basis or bases, for the Processing of Customer Personal Data by Darwin in accordance with the Agreement. Customer will furnish reasonable documentation evidencing the lawful basis or bases for Darwin's Processing as may be reasonably requested by Darwin from time to time.
Special Categories of Customer Personal Data. Customer hereby represents and warrants to Darwin that Customer will not, without Darwin's prior written consent, provide Darwin with any "special categories" data, as defined in GDPR, or any sensitive personal information (or any equivalent term), as defined in any applicable Data Privacy Laws.
TRANSFER OF PERSONAL DATA
Authorized Subprocessors. Customer hereby consents and agrees to Darwin's engagement of Subprocessors to Process Customer Personal Data, including, without limitation, Darwin's engagement of Stripe, Inc. Upon Customer's reasonable written request, Darwin shall provide Customer with a list of any additional Subprocessors currently engaged by Darwin.
Darwin shall notify Customer from time to time of the identity of any new Subprocessors engaged by Darwin following the date hereof. Such notice may be provided by Darwin via email or by providing Customer with a link to a webpage containing updated information regarding Darwin's Subprocessors. If Customer (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Customer Personal Data only, then without prejudice to any right to terminate the Agreement, Customer may request that Darwin move the Customer Personal Data to another Subprocessor and Darwin shall, if possible within a reasonable time following receipt of such request, use reasonable measures to accommodate such request. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason, either party may terminate the Agreement without additional liability on thirty (30) days written notice. If Customer does not object within thirty (30) days of the date of Darwin's notice, Customer will be deemed to have accepted the new Subprocessor.
Liability of Subprocessors. Darwin will be liable to Customer for the acts and omissions of any Subprocessor with respect to the Processing of Customer Personal Data to the same nature and extent that Darwin is liable to Customer for its own acts and omissions hereunder and under the Agreement.
International Transfers. Where adequate safeguards are required under GDPR with respect to the transfer of Customer Personal Data to Darwin in a third country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the SCCs (Controller to Processor) currently located at https://darwin.cx/scc.html, will serve as the basis for such transfers contemplated under this Section 4.4. If you are electing to include the SCCs in the DPA, please check the “Include EU SCCs” box while signing up for, or managing, your Services account. You represent and warrant that the entity or individual making the election to include the SCCs in the DPA has the authority to do so. In the event of any conflict between the terms of this DPA and the SCCs, the SCCs shall control.
DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
Darwin Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Darwin will implement appropriate technical and organizational measures to ensure a level of security appropriate to such risk, including the measures set out in Annex 2.
Upon Customer's reasonable request, Darwin will disclose information reasonably necessary to demonstrate Darwin's compliance with this DPA.
Security Incident Notification. If Darwin becomes aware of a Security Incident affecting Customer Personal Data, or receives notice of such Security Incident from one of its Subprocessors, Darwin will (a) promptly notify Customer of the Security Incident after becoming aware of such Security Incident, (b) investigate the Security Incident and, upon Customer's reasonable request, provide Customer (and any law enforcement or regulatory official, as may be required) with reasonable assistance as may be required to investigate and mitigate the effects of the Security Incident, and (c) promptly take steps necessary to remedy any non-compliance with this DPA. Except as may otherwise be required by applicable laws, the foregoing obligations described in this Section 5.3 shall constitute Customer's sole remedy, and Darwin's sole liability, in the event of any Security Incident.
Customer Employees and Personnel. Darwin will treat the Customer Personal Data as confidential, and shall ensure that any Darwin employees or other personnel with access to the Customer Personal Data have agreed in writing to protect the confidentiality and security of Customer Personal Data.
5.5 Audits. Darwin will, upon Customer's reasonable advance written request, allow for and contribute to audits, including inspections, of those books and records reasonably necessary and relevant to verify Darwin's compliance with this DPA, conducted by Customer (or a third party on Customer's behalf) provided that (i) Darwin is given a minimum of thirty (30) days advance written notice of such audit, (ii) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (iii) are conducted only during Darwin's normal business hours; and (iv) are conducted in a manner that causes minimal disruption to Darwin's operations and business. Customer agrees that all information, documents, and other materials collected during the course of any audits constitutes Confidential Information (or such equivalent term as used in the Agreement) of Darwin, and may not be used for any purpose other than to verify Darwin's compliance with this DPA.
ACCESS REQUESTS AND DATA SUBJECT RIGHTS
Government Disclosure. Darwin will promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
Data Subject Rights. Customer shall ensure that the Data Subjects can avail themselves of their rights under applicable Data Privacy Laws, with the reasonable assistance of Darwin as required by such Data Privacy Laws and as described in this Section 6.2. Where applicable, and taking into account the nature of the Processing, Darwin will use reasonable endeavors to assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests by Data Subjects to exercise their rights under applicable Data Privacy Laws. Where permitted by applicable Data Privacy Laws, as to requests by Data Subjects made directly to Darwin relating to Customer Personal Data in Darwin's possession, Darwin will notify Customer (email sufficing) and may inform the Data Subject that the request cannot be acted upon because the request has been sent to a Processor.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
To the extent required under applicable Data Privacy Laws, upon Customer's reasonable request, Darwin will provide Customer with reasonably relevant information to enable Customer to carry out data protection impact assessments, transfer assessments, or prior consultations with any Supervisory Authority, in each case solely in relation to Darwin's Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Darwin; provided, however, that where Customer requests assistance of any type that (i) is unnecessary, (ii) is not required of a Processor under applicable Data Privacy Laws, or (iii) is highly burdensome or costly, Darwin may charge a reasonable administrative fee as a condition to providing such assistance.
Deletion of data. Except as otherwise set forth in the Agreement, and subject to Section 8.2 below, Darwin will, at Customer's direction within ninety (90) days of the date of termination of the Agreement:
delete and use all reasonable efforts to delete and/or procure the deletion of Customer Personal Data Processed by Darwin or any of its Subprocessors; or return a copy of Customer Personal Data by secure file transfer in Darwin's then-current format.
8.2 Darwin and its Subprocessors may retain Customer Personal Data to the extent required by any applicable laws. Any retained Customer Personal Data shall continue to be subject to this DPA.
Each party shall indemnify and hold harmless the other party and its affiliates, employees, and agents, for all costs, damages, or losses incurred in connection with claims, demands, or proceedings by a Data Subject or any other third party, and/or any associated financial penalties imposed by supervisory or regulatory authorities, arising from any breach by the indemnifying party of its obligations under Section 3 of this DPA. The indemnifying party shall not enter into any settlement without the indemnified party's express prior written consent that (1) assigns, imparts or imputes fault or responsibility to the indemnified party or its affiliates, (2) includes a consent to an injunction or similar relief or otherwise imposes any obligation binding upon the indemnified party or its affiliates, or (3) provides for relief other than monetary damages that the indemnifying party solely bears. The indemnification obligations set forth in this Section 9 shall be the parties' sole and exclusive indemnification obligations relating to or arising from any breaches of this DPA.
DETAILS OF THE PROCESSING
Customer is the data controller.
Darwin is the data processor.
The Customer Personal Data being processed concerns the following categories of data subjects:
Customer's prospective employees
Customer's subscribers and/or customers
Categories of data
The Customer Personal Data being processed concerns the following categories of data:
Personally Identifiable Information (name, address, phone number, email address, credit card information)
The Customer Personal Data will be subject to the following basic processing activities: transmitting, collecting, and storing data as necessary in order to provide the Services to the Customer, and any other activities related to the provision of the Services or specified in the Agreement.
TECHNICAL AND ORGANIZATION SECURITY MEASURES
Darwin maintains internal policies and procedures, and/or ensures that Darwin's Subprocessors do so, which are designed to:
secure any Customer Personal Data against accidental or unlawful loss, access or disclosure;
identify reasonably foreseeable and internal risks to security and unauthorized access to the Customer Personal Data;
(c) minimize security risks, including through risk assessment and regular testing.
Darwin will conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against security standards in Darwin's industry, and will use reasonable efforts to ensure that its Subprocessors do so as well.
Darwin will periodically evaluate the security of its systems to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews, and will use reasonable efforts to ensure that its Subprocessors do so as well.
Security layers will be employed to protect against unauthorized access to systems and Customer Personal Data. These will include the principle of least privilege and the use of strong passwords in accordance with Darwin's information security policy.
Availability and back-up of Customer Personal Data
Backup copies of Customer Personal Data are created on a periodic basis to minimize risk and ensure the continued operation of the Services in the event of a man made or natural disaster. Backup copies will be encrypted both in transit and at rest. Backup copies will be treated as equally confidential and require equivalent security measures as applied to live Customer Personal Data.
Disposal of IT equipment
For Darwin hardware, all computer equipment will be gathered from employees upon termination from Darwin. Computer equipment will be wiped clean of data and re-purposed or destroyed such that data on the device is rendered unrecoverable.
Encryption will be employed that meets or exceeds current industry standards in Darwin's industry.
Anti-virus and intrusion detection software will be employed on appropriate devices and maintained with current updates to ensure current industry standards in Darwin's industry are employed against security threats.
Darwin's physical office location will be secured and alarmed. The threat to the office location is minimized by the practices Darwin utilizes to host all software and infrastructure with leading vendors, as opposed to on-site. Infrastructure and software providers will be selected based on their functional capabilities as well as their organization security practices.
Staff training and awareness
Staff training will be conducted periodically, at least annually, to ensure staff remains up to date on security best practices. Training will be tracked and documented per Darwin policy.