This Data Processing Addendum (“DPA”), forms part of the AskNicely Terms of Use Agreement (“Terms”) or other written or electronic agreement (together the “Agreement”), entered between AskNicely, and the entity that is a party to the Terms together with its Affiliates which have executed the Terms or made online purchases or signed orders (“Customer”), for the provision of certain services defined in the Terms that requires AskNicely to process certain personal data (defined below) on behalf of Customer. This DPA shall be effective on the date both parties entered the Terms, or for those with Terms pre-dating September 27, 2021, the effective date shall be September 27, 2021. Each of Customer and AskNicely may be referred to herein as a “Party” and together as the “Parties”.
1. DEFINITIONS
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under
common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
(b) “AskNicely”means the contracting party in the order form, which may be any of the following affiliated entities: Ask Nicely LLC, Ask Nicely, Ask Nicely B.V.;
(c) “controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(d) “Data Protection Law” means the (i) California Consumer Privacy Act as amended by the
California Privacy Rights Act (collectively, “CCPA”), Virginia Consumer Data Protection Act
(“VDPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CDPA”), Utah ConsumerPrivacy Act (“UCPA”), (collectively, “US Privacy Laws”), (ii) EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), (iii) UK General Data Protection Regulations (“UK GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”) (collectively, “UK Privacy Laws”), and (iv) the Federal Act on Data Protection of Switzerland (Swiss FADP”), including their respective implementing regulations for each of the laws and regulations and any amendments or replacements thereto;
(e) “data subject” means the identified or identifiable person to whom the personal data relates;
(f) “Customer Data” means any information provided by Customer or collected from or on behalf of Customer by AskNicely pursuant to the Agreement;
(g) “personal data” means any information relating to an identified or identifiable natural person;
(h) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed;
(i) “process” or “processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(j) “processor” means the entity which processes personal data on behalf of the controller;
(k) “Services” means all subscription services, professional services, and related support provided pursuant to the Terms and related order forms, authorized instructions, and operational Customer service;
2. DATA PROTECTION AND USE
2.1 Data Protection Commitment. AskNicely and Customer each undertake to process the personal data pursuant to all applicable requirements under the applicable Data Protection Law, including adherence to security measures required pursuant to Article 32 of the GDPR.
2.2 Data Processing Role. The Parties hereby acknowledge that for the purposes of this Agreement, AskNicely is the data processor and Customer is the data controller, unless the data processing is being carried out on behalf of Customer, who is the data processor processing personal data on behalf of the data controller. Customer shall ensure that it has obtained the prior specific or general written authorization of its business Customers or business partners to engage AskNicely to process the personal data. Customer shall be responsible for the accuracy, quality, and legality of personal data and the means of data acquisition.
2.3 Processing Per Instructions. AskNicely agrees to process the personal data only as instructed by Customer for the purposes set forth in Exhibit A, which sets out the subject-matter, nature and purpose of processing undertaken by AskNicely, as well as the duration of processing and the types of personal data and categories of data subjects processed. AskNicely shall not process the personal data other than on Customer’s documented instructions unless processing is required by applicable laws to which AskNicely or their contracted processor is subject, in which case AskNicely shall to the extent permitted by applicable laws inform Customer of that legal requirement before the relevant processing of that personal data. In the event AskNicely cannot processed personal data in accordance with this DPA, AskNicely shall notify the other Party, in which case both parties shall determine whether processing can continue with an appropriate level of protection, or whether processing shall cease in no more than ten (10) days. If it is determined that processing shall cease, personal data shall no longer be processed, and all personal data previously processed, and copies thereof shall either be returned or completely destroyed. In determining whether personal data can be processed in accordance with this DPA, AskNicely shall take into account the national laws of the country in which the personal data is processed, the impact on the rights of individuals in regard to their personal data, and any government access to that personal data and whereby specific notice of the access and processing by that government authority cannot be disclosed.
2.4 Restrictions in Processing. AskNicely shall only process the personal data as instructed by Customer to fulfil its Services as set forth in the Agreement, requested through use of the Services, or applicable written instructions. Personal data shall only be further processed for the purpose of anonymizing for use by AskNicely in improving its Services, aggregate analytics, and research and statistical purposes that are unrelated to an identified individual.
2.5 Confidentiality. AskNicely shall require its employees and contractors authorized to process the personal data to be subject to confidentiality undertakings in relation to the personal data.
2.6 Security. AskNicely shall maintain appropriate technical and organizational measures for protection of the security, confidentiality, and integrity of Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. AskNicely will not materially decrease the overall security of the Services during a subscription term. Security requirements specific to AskNicely’s technology platform are detailed in Exhibit B.
2.7 Sub-processors. Customer authorizes AskNicely to engage third-party service providers (“Sub-processors”) to process the personal data of Customer Representatives, Other Business Representatives, and Other Users, to facilitate its Services for all administrative and other business-related activities and shall provide the details of all Sub-processors upon request. AskNicely shall inform Customer in writing, including electronically, at least 30 days in advance of any intended changes that will result in the addition or replacement of a Subprocessor that processes Customer Data under the Agreement thereby giving Customer the opportunity to object to such changes on reasonable grounds prior to the engagement of the concerned Subprocessor(s). In such case Parties will cooperate in good faith to find a mutually acceptable resolution to address such objection. AskNicely agrees to carry out due diligence to confirm its Sub-processors are capable of providing the level of protection required under applicable Data Protection Law, including implementing appropriate technical and organizational measures for processing the personal data and providing protection for the rights of data subjects. If the Subprocessor does not fulfil its data protection obligations under applicable Data Protection Law that relate to its role in processing Customer Data as a Subprocessor, AskNicely shall remain fully liable to Customer as regards the fulfilment of the obligations of the Subprocessor as they relate to Services under this Agreement.
2.8 Data Transfer to Third Countries or International Organizations. Customer authorizes AskNicely to transfer the personal data to a third country or an international organization to process the personal data to facilitate its Services on condition that AskNicely ensures adequate protections are in place as required under applicable Data Protection Law for such transfer. Where processing involves transferring of personal data from the European Economic Area to a third country or international organization, including to the United States, the Standard Contractual Clauses in Exhibit D shall apply. Where processing involves transferring of personal data from the United Kingdom to a third country or international organization, including to the United States, the Standard Contractual Clauses in Exhibit E shall apply. Where processing involves transferring of personal data from the Switzerland to a third country or international organization, including to the United States, the Transfers of Swiss Personal Data in Exhibit F shall apply.
2.9 Rights of Data Subjects. AskNicely agrees to assist Customer to meet its obligations under applicable Data Protection Law for responding to a data subject’s exercise of rights. AskNicely shall promptly notify Customer if it receives a request from a data subject for whom AskNicely processes personal data under this Agreement in respect of the exercise of the rights of such data subject and shall ensure that it does not respond to that request except on Customer’s documented instructions, or as required by applicable Data Protection Law, in which case AskNicely shall to the extent permitted by law inform Customer of that legal requirement before responding to the request.
2.10 Data Breach and Other Compliance Obligations. AskNicely shall inform Customer without undue delay after becoming aware of a personal data breach, and in any event within within 48 hours. AskNicely shall make reasonable efforts to identify the cause of the personal data breach and shall take those steps Customer deems necessary and reasonable to remediate the cause of such personal data breach to the extent the remediation is within AskNicely’s reasonable control. The obligations herein shall not apply to personal data breach caused by Customer or Customer’s users. AskNicely agrees to provide information to assist Customer in meeting its requirements for notification to applicable regulatory bodies and data subjects, as required under applicable Data Protection Law.
2.11 Reasonable Assistance. AskNicely shall provide reasonable assistance to Customer to comply with its obligations under applicable Data Protection Law, including data protection impact assessments and prior consultation with the applicable supervisory authority. AskNicely shall also provide reasonable assistance in providing information to enable Customer to fulfil its obligations and demonstrate its compliance with applicable Data Protection Law and allow for and contribute to audits and inspections, and a right to assistance in the event an audit is required by an applicable supervisory authority.
2.12 Retention of Data. The personal data shall be retained by AskNicely for a reasonable time in accordance with its provision of Services. Upon request, AskNicely shall provide specific information on how its retention policy applies to the personal data processed on behalf of Customer. Upon termination of AskNicely’s Services under this Agreement by either party, and upon request of Customer within thirty days of notice of termination, AskNicely shall at the choice of Customer, delete or return all or any portion of any personal data in its possession or control, and delete existing copies, with deletion occurring as part of AskNicely’s standard deletion cycle. The personal data will only be further retained as allowed under applicable Data Protection Law or required under regulatory provisions mandating record retention.
3. LIMITED LIABILITY
3.1 Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to Section 8.3 “Limitation of Liability” of the Terms, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Terms and all DPAs together.
3.2 NO LIABILITY FOR CONSEQUENTIAL DAMAGES. NOTWITHSTANDING THE FOREGOING, IN NO EVENT SHALL COMPANY BE LIABLE TO CLIENT OR TO ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, CONSEQUENTIAL OR COMPENSATORY LOSSES, DAMAGES, CLAIMS OR CAUSES OF ACTION, INCLUDING, BUT NOT LIMITED TO, THOSE ARISING FROM LOSS OF BUSINESS OR PROFITS OR ANY OTHER ECONOMIC LOSS, EVEN IF COMPANY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
4. GENERAL
4.1 Precedence. The provisions of this DPA are supplemental to the provisions of the Terms. In the event of inconsistencies between the provisions of this DPA and the provisions of the Terms, the provisions of this DPA shall prevail with respect to the subject matter of this DPA. Where and to the extent that Standard Contractual Clauses in Exhibit D or Exhibit E apply, if there is any conflict between this DPA and Standard Contractual Clauses, Standard Contractual Clauses will prevail.
4.2 Severability. The parties agree that, if any section or sub-section of this DPA is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this DPA.
4.3 Duration. The DPA shall apply for the duration of the provision of Services under the Terms. For the duration of the provision of Services under the Terms, this DPA cannot be terminated unless the parties have executed an agreement governing the processing of personal data in connection with the provision of the Services under the Terms.
4.4 Governing Law; Venue. Except as otherwise provided herein, this DPA will be governed by and construed in accordance with the laws of the state of Oregon, without regard to its conflict of laws rules. Any legal action or proceeding arising under this Agreement DPA brought by Customer will be brought exclusively in the federal or state courts located in Multnomah County, Oregon and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.
This Exhibit A details the scope of the processing of personal data under this Agreement.
Duration of the Processing: AskNicely will process the personal data for the duration of the Agreement, unless otherwise instructed by Customer in writing.
Subject-Matter of the Processing: The subject matter of the processing is fulfilling of the Services under the Agreement, customer feedback surveys, data analytics and reporting through the AskNicely technology platform, technological support services, and related administrative, sales and marketing activities relevant to the business relationship.
Nature and Purpose of the Processing: The nature and purpose of the processing is to fulfill the Agreement and perform services on behalf of the Customer to measure customer experience by gathering customer feedback and providing valuable data for business use to improve workforce performance and drive market growth. Other data processing through de-identified, aggregate analysis is for the purpose of improving the AskNicely technology platform and website and for research and statistical purposes.
Categories of Data Subjects: Each category listed includes current, past and prospective data subjects.
Categories of Data
Special Categories of Data: The parties do not anticipate sharing, and agree to delete upon discovery during their course of performance of the Agreement, personal data that concern any of the following special categories of data: information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life or any other similar categories of data provided special protections under applicable data protection laws and regulations.
Processing Operations: The personal data will be subject to the basic processing activities listed below:
This Exhibit B details the technical and organizational security measures implemented by AskNicely that shall apply to the processing of personal data under this Agreement.
AskNicely shall implement and maintain appropriate technical an organizational measures designed to protect personal data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that AskNicely may transmit, store or otherwise process. AskNicely and each AskNicely Affiliate shall, at a minimum, comply the security standards published under the AskNicely Security Policy, which can be accessed at: https://www.asknicely.com/security
Technical and Organizational Security Measures Implemented by AskNicely
Technical and Organizational Security Measures applicable to Amazon Web Services
Technical and Organizational Measures applicable to Amazon Web Services are available at: https://aws.amazon.com/security/?nc=sn&loc=0 (last accessed April 16, 2021), and include:
This Exhibit C details the list of subprocessors engaged to process personal data under this Agreement, including for processing of personal data under Exhibit D, Exhibit E, and Exhibit F.
In the event a subprocessor is engaged to process personal data under this Agreement, the details of the subprocessor shall be added to this Exhibit C.
The following subprocessors are authorized by the data Controller to process personal data under this agreement:
1. Incorporation and References
The provisions of the EU Standard Contractual Clauses pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en and as amended or replaced from time shall be incorporated into this DPA by reference and shall apply to Personal Data of residents of the European Economic Area (“EEA”) as referenced in this Section 1:
a. On the basis of the Standard Contractual Clauses pursuant to European Commission accessible at https://www.asknicely.com/eu-standard-contractual-clauses
b. List of parties required under Annex I as set out in Section 2 of this Exhibit D;
c. Description of transfer required under Annex I as set out in Exhibit A to this Agreement;
d. Operative clauses to the EU Standard Contractual Clauses as detailed in Section 3 of this Exhibit D;
e. Competent supervisory authority required under Annex I as set out in Section 4 of this Exhibit D;
f. Technical and organizational measures required under Annex II as set out in Exhibit B to this Agreement; and
g. List of sub-processors authorized for use required under Annex III as set out in Exhibit C to this Agreement.
1.1 The provisions of the EU Standard Contractual Clauses shall be incorporated into this DPA by reference.
1.2 Pursuant to the terms of the Agreement, the Parties agree to process personal data of residents of the European Economic Union in compliance with the terms of the EU Standard Contractual Clauses as referenced in this Section 1.
2. Parties to the EU Standard Contractual Clauses
2.1 Module One shall not apply to this Agreement.
2.2 For the purposes of Module Two the data controller shall be the Customer and the data processor shall be Ask Nicely Holdings Inc., together with its Affiliates (“AskNicely” or “Service Provider”), with offices at 2175 NW Raleigh St., Suite 110, Portland, Oregon 97210 United States of America. The Legal Compliance Officer for AskNicely is Sharon Babkes with contact email available at sharon@asknice.ly.
2.3 In the event Module Three applies to this Agreement, the processor shall be Ask Nicely Holdings Inc., together with its Affiliates (“AskNicely” or “Service Provider”), with offices at 2175 NW Raleigh St., Suite 110, Portland, Oregon 97210 United States of America, and any sub-processor authorized for use as detailed in Exhibit C to this Agreement. The Legal Compliance Officer for AskNicely is Sharon Babkes with contact email available at sharon@asknice.ly.
2.4 For the purposes of Module Four the data processor shall be Ask Nicely Holdings Inc., together with its Affiliates (“AskNicely” or “Service Provider”), with offices at 2175 NW Raleigh St., Suite 110, Portland, Oregon 97210 United States of America, and the data controller shall be the Customer. The Legal Compliance Officer for AskNicely is Sharon Babkes with contact email available at sharon@asknice.ly.
3. Operative Clauses to the EU Standard Contractual Clauses
3.1 The relevant provisions contained in the EU Standard Contractual Clauses are incorporated by reference.
3.2 The personal data transferred concern the categories of data subjects are set out in Exhibit A of the DPA.
3.3 The personal data transferred concern the categories of data are set out in Exhibit A of the DPA.
3.4 If included in processing, the details of special categories are set out in Exhibit A of the DPA.
3.5 In relation to processing operations, the personal data transferred will be subject to the basic processing activities set out in Exhibit A of the DPA.
3.6 In Clause 7, the & "Docking Clause (Optional)", shall be deemed not incorporated.
3.7 In Clause 9, the Parties choose Option 1, Specific Prior Authorisation, with a time period of 30 days.
3.8 The optional wording in Clause 11 shall be deemed not incorporated,
3.9 In Clause 17 and Clause 18, the governing law and forum, respectively, shall be the Netherlands.
3.10 The description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are set out in Exhibit B of the DPA.
3.11 The list of data importer’s authorized sub-processors in accordance with Clause 9(a) is set out in Exhibit C to this DPA.
3.12 The effective date of the EU Standard Contractual Clauses is the date the Customer agreed to the Agreement.
4. Competent Supervisory Authority
In accordance with Clause 13, the applicable competent supervisory authority shall be determined by reference to the following order:
a) The supervisory authority of the Member State where Customer’s EU headquarters is located;
b) The supervisory authority of the Member State where Customer’s EU representative is located;
c) The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred is located; or
d) Dutch Data Protection Authority in the Netherlands.
1. Incorporation and References
1.1 The UK Transfer Addendum is incorporated into this DPA by reference and applies to the Processing of Personal Data of residents of the United Kingdom.
1.2 The UK Transfer Addendum is an addendum to the approved EU Standard Contractual Clauses and is issued by the UK’s Information Commissioner’s Office, Version B1.0, in force as of 21 March 2022
(available at: https://ico.org.uk/media/fororganisations/documents/4019539/international-data-transfer-addendum.pdf).
1.3 The operative clauses are as detailed in Exhibit D.
1.4 The Start Date shall be the date last signed.
2. Parties
Data Exporter: Customer
Legal Name: As signed in the Order Form
Address: As listed in the Order Form
Registration Number: As listed in the Order Form if applicable
Contact Name: As listed in the Order Form
Contact Title: As listed in the Order Form
Contact Email: As listed in the Order Form
Data Importer: AskNicely
Legal Name: AskNicely entity signed in the Order Form
Address: As listed in the Order Form
Registration Number: As listed in the Order Form if applicable
Contact Name: As listed in the Order Form
Contact Title: As listed in the Order Form
Contact Email: As listed in the Order Form
3. Additional Information
3.1 The information required in Table 1 is populated by the information set out in Exhibit D of this DPA.
3.2 The information required in Table 2 is populated by the form of the EU Standard Contractual Clauses set out in Exhibit D of this DPA.
3.3 The information required in Table 3 is populated by the information set out in Exhibit A Scope of Processing, Exhibit B Data Security Requirements and Exhibit D List of Subprocessors of this DPA.
3.4 For purposes of Table 4, Customer can end this UK Transfer Addendum as set out in Section 19 of the UK Transfer Addendum.
3.5 All other standard terms set out in the UK Transfer Addendum shall apply.
For personal data of data subjects located in Switzerland, the EU Standard Contractual Clauses (as revised in Exhibit D of this DPA) are implemented as follows: