Data Processing Addendum (Outdated)
1. Definitions
“Adequate Country” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data.
"Agreement" means ManyChat’s Terms of Use, which govern the provision of the Services to Customer, as such terms may be updated by ManyChat from time to time.
"Customer Data" means any Personal Data that ManyChat processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
"Data Breach" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.
"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.
"Data Subject" means an identified or identifiable natural person.
"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"EEA" means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.
"Personal Data" means any information relating to a Data Subject.
"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.
"Services" means any product or service provided by ManyChat to Customer pursuant to the Agreement.
"Sub-processor" means any Data Processor engaged by ManyChat to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
2. Relationship with the Agreement
2.1. The terms used in this Addendum shall have the meanings set forth in this Addendum.
2.2. The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Services.
2.3. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict so far as the subject matter concerns the processing of Customer Data.
2.4. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.
2.5. In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by ManyChat in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce ManyChat’s liability under the Agreement as if it were liability to the Customer under the Agreement.
2.6. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.7. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Processing of Customer Data
3.1. Role of the Parties. As between ManyChat and Customer, Customer is the Data Controller of Customer Data, and ManyChat shall process Customer Data only as a Data Processor acting on behalf of Customer.
3.2. Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to ManyChat; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for ManyChat to process Customer Data and provide the Services pursuant to the Agreement and this DPA.
3.3. ManyChat Processing of Customer Data. ManyChat shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s instructions.
3.4. Details of Data Processing
- Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
- Duration: As between ManyChat and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
- Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of ManyChat's obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.
- Subject-Matter and nature of the processing: The subject-matter of Processing of Personal Data by ManyChat is the provision of the services to Customer that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement and an Order.
- Data Subjects: Customer’s contacts and other end users including Customer’s employees, contractors, collaborators, suppliers, subcontractors (collectively, "Users"), customers ("Subscribers"), and prospects.
- Types of Customer Data:
  - (i) Customer and Users: identification, publicly available social media profile information, e-mail, IT information (IP addresses, usage data, cookies data, browser data); financial information (credit card details, account details, payment information).
  - (ii) Subscribers: identification and publicly available social media profile information (name, date of birth, gender, geographic location), chat history, navigational data (including chatbot usage information), application integration data, and other electronic data submitted, stored, sent, or received by end users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion.
3.5. Acknowledgment. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that ManyChat shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, ManyChat is the Data Controller of such data and accordingly shall process such data in accordance with the ManyChat Privacy Policy and Data Protection Laws.
3.6. Tracking Technologies. Customer acknowledges that in connection with the performance of the Services, ManyChat employs the use of cookies, unique identifiers and similar tracking technologies.
4. Sub-processing
4.1. Authorized Sub-processors. Customer agrees that ManyChat may engage Sub-processors to process Customer Data. The Sub-processors currently engaged by ManyChat are listed in Annex A, and Customer hereby authorizes these specific Sub-processors.
4.2. Sub-processor Obligations. ManyChat shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for the Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause ManyChat to breach any of its obligations under this DPA.
4.3. Sub-processor List. When requested by the Customer, ManyChat shall make available to Customer an up-to-date list of all Sub-processors used for the processing of Customer Data. ManyChat shall notify Customer (for which email shall suffice) if it adds or removes Sub-processors, at least 10 days prior to any such changes.
4.4. Objection. Customer may object in writing to ManyChat’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. If ManyChat is reasonably able to provide the Services to Customer in accordance with the Agreement without using the Sub-processor and decides to do so, then Customer will have no further rights under this clause 4.4 in respect of the proposed use of the Sub-processor. If ManyChat requires use of the Sub-processor in its discretion and, after discussion by the parties of Customer’s concerns in good faith with a view to achieving resolution, is unable to satisfy Customer as to the suitability of the Sub-processor or the documentation and protections in place between ManyChat and the Sub-processor within ninety (90) days from Customer's notification of objections, Customer may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the Agreement or the applicable Services (as Customer may decide) with at least thirty (30) days written notice. If Customer does not provide a timely objection to any new or replacement Sub-processor in accordance with this clause 4.4, Customer will be deemed to have consented to the Sub-processor and waived its right to object.
5. Security
5.1. Adequate Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ManyChat shall, in relation to the Customer Data, implement and maintain throughout the term of this Addendum, the technical and organizational measures set forth in Annex B (the "Security Measures").
5.2. Confidentiality of processing. ManyChat shall ensure that any person who is authorized by ManyChat to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3. Customer Responsibilities. Customer acknowledges and agrees that it has reviewed and assessed the Security Measures and deems them appropriate for the protection of Customer Data. Customer acknowledges that the Security Measures are subject to technical progress and development and that ManyChat may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Customer agrees that, except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials and protecting the security of Customer Data when in transit from the Service.
6. Data Subject Rights and Requests
ManyChat will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Customer to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to ManyChat, ManyChat will inform Customer and will advise Data Subjects to submit their request to Customer. Customer shall be solely responsible for responding to any Data Subjects’ requests.
7. Data Breach
7.1. Notification of Data Breach. ManyChat shall, to the extent permitted by law, notify Customer without undue delay upon ManyChat or any Sub-processor becoming aware of a Data Breach affecting Customer Data and will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Data Breach under the Data Protection Laws.
7.2. Assistance to Customer. ManyChat shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Data Breach.
8. Data Transfers
8.1. Customer acknowledges and accepts that the provision of the Services under the Agreement may require the processing of Customer Data by sub-processors in countries outside the EEA.
8.2. If, in the performance of this DPA and/or the Agreement, ManyChat transfers any Customer Data to, or permits processing of Customer Data by, a Sub-processor located outside of the EEA and not in an Adequate Country, then, in advance of any such transfer, ManyChat shall ensure that the transfer is compliant with the EU Data Protection Laws.
9. Return or Deletion of Data
9.1. If you are a resident of the EEA, upon termination or expiration of the Agreement, ManyChat shall (at Customer's election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent ManyChat is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data ManyChat shall securely isolate and protect from any further processing, except to the extent required by applicable law.
10. General
10.1. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
10.2. This DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Agreement, and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under this DPA.
10.3. This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. Each party represents and warrants to the other that the performance of such party’s obligations hereunder has been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.
Annex A
List of Sub-Processors
These Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; and provide incident tracking, response, diagnosis and resolution services.
- Amazon Web Services, Inc.
- Facebook, Inc.
- TrackJS LLC
- Rollbar, Inc.
- Stripe, Inc
Annex B
Security Measures
Personnel.
ManyChat’s personnel (employees and contractors) will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.
Technical and Organization Measures.
ManyChat has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
Organization of Information Security.
Confidentiality. ManyChat’s personnel with access to customer data are subject to confidentiality obligations.
Risk Management. ManyChat conducts regular testing and monitoring of the effectiveness of its safeguards, controls, systems, including conducting penetration testing. ManyChat implements measures, as needed, to address vulnerabilities discovered in a timely manner.
Storage. ManyChat’s database and data processing servers are hosted in a data center located in the EU and operated by a third party vendor. ManyChat maintains complete administrative control over the virtual servers, and no third-party vendors have logical access to customer data.
Software Development and Acquisition: For the software developed by ManyChat, ManyChat follows secure coding standards and procedures set out in its standard operating procedures.
Change Management: ManyChat implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for ManyChat’s software, information systems or network architecture. These change management procedures include appropriate segregation of duties.
Third Party Provider Management: In selecting third party providers who may gain access to, store, transmit or use customer data, ManyChat conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
Human Resources Security. ManyChat informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.
Physical and Environmental Security.
- Physical Access to Facilities. ManyChat limits access to facilities where information systems that process customer data are located to identified authorized individuals who require such access for the performance of their job function. ManyChat terminates the physical access of individuals promptly following the date of the termination of their employment or services or their transfer to a role no longer requiring access to customer data.
- Protection from Disruptions. ManyChat uses commercially-reasonable systems and measures to protect against loss of data due to power supply failure or line interference.
Communications and Operations Management.
- Security Documents. ManyChat maintains security documents describing its security measures and the relevant procedures.
- Data Recovery Procedures. (i) On an ongoing basis, ManyChat maintains multiple copies of customer data from which it can be recovered. (ii) ManyChat stores copies of customer data and data recovery procedures in a different place from where the primary computer equipment processing the customer data is located. (iii) ManyChat has procedures in place governing access to copies of customer data. (iv) ManyChat has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data.
- Encryption; Mobile Media. ManyChat uses HTTPS encryption on all data connections. ManyChat restricts access to customer data in media leaving its facilities. ManyChat further has a destruction policy for hardware in the data center that stores customer data.
- Event Logging. ManyChat logs the use of data-processing systems. Logs are maintained for at least 10 days.
Access Control.
- Records of Access Rights. ManyChat maintains a record of security privileges of individuals having access to customer data.
- Access Authorization. (i) ManyChat maintains and updates a record of personnel authorized to access systems that contain customer data. (ii) ManyChat deactivates authentication credentials of employees or contract workers immediately upon the termination of their employment or services.
- Least Privilege. (i) Technical support personnel are only permitted to have access to customer data when needed for the performance of their job function. (ii) ManyChat restricts access to customer data to only those individuals who require such access to perform their job function.
- Integrity and Confidentiality. (i) ManyChat instructs its personnel to disable administrative sessions when leaving ManyChat’s premises or when computers are unattended. (ii) ManyChat stores passwords in a way that makes them unintelligible while they are in force.
- Authentication. (i) ManyChat uses commercially reasonable practices to identify and authenticate users who attempt to access information systems. (ii) ManyChat ensures that de-activated or expired identifiers are not granted to other individuals. (iii) ManyChat maintains commercially reasonable procedures to deactivate login credentials that have been corrupted or inadvertently disclosed or pursuant to a number of failed login attempts.
- Network Design. ManyChat has controls to avoid individuals assuming access rights they have not been assigned to gain access to customer data they are not authorized to access.
Network Security. ManyChat’s information systems have security controls designed to detect and mitigate attacks by using logs and alerting.
Information Security Incident Management.
- Record of Breaches. ManyChat maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and the procedure for recovering data.
- Record of Disclosure. ManyChat tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time, unless prohibited by law.