Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") forms part of the Agreement ("Agreement") between [Your Company Name] ("Data Controller") and [Customer’s Company Name] ("Data Subject"). This DPA is executed to comply with GDPR, CCPA, and other relevant data protection laws.
1. DEFINITIONS
1.1 Data Controller: Refers to [Your Company Name], which determines the purposes and means of processing Personal Data.
1.2 Data Processor: Refers to Tenon or any Sub-Processors used for processing activities on behalf of the Data Controller. As a service provider, we will not use personal data for any reason outside of providing services to the data controller, [Your Company Name].
1.3 Sub-Processor: Any third-party data processor which processes Personal Data on behalf of the Data Controller for purposes specified in this DPA.
1.4 Personal Data: Any information relating to an identified or identifiable natural person as defined under GDPR.
2. SUBJECT OF THE AGREEMENT
This DPA governs the processing of Personal Data by the Data Processor to deliver B2B/B2C marketing services, web tracking, and data hosting on behalf of the Data Controller. Processing activities include sending emails, SMS communications, web tracking, secure data storage, and compliance with CAN-SPAM for commercial electronic messages.
3. DATA PROCESSING DETAILS
- Purpose: To enable marketing activities, improve user experience through web tracking, securely host and store data, and ensure CAN-SPAM compliance in email marketing for ServiceNow platform users.
- Types of Data: Names, contact information (email addresses, phone numbers), IP addresses, browsing behavior, website interaction data, responses to surveys.
- Categories of Data Subjects: End users of the ServiceNow platform, including both business contacts (B2B) and individual consumers (B2C).
4. OBLIGATIONS OF THE DATA CONTROLLER
4.1 The Data Controller is responsible for determining the legal basis for data collection and processing, obtaining any required consents, and ensuring that data processing aligns with GDPR, CAN-SPAM, and other applicable laws.
4.2 The Data Controller shall provide transparent information to Data Subjects regarding data collection, processing, and retention practices as per GDPR Articles 13 and 14.
5. OBLIGATIONS OF THE DATA PROCESSOR
5.1 Data Processing: The Data Processor shall process Personal Data only according to documented instructions from the Data Controller, including data transfers to Sub-Processors.
5.2 Security Measures: The Data Processor shall take all required security measures as per GDPR Article 32, including implementing encryption, access control, and pseudonymization, as appropriate, and ensuring that Sub-Processors implement similar security measures.
6. USE OF SUB-PROCESSORS
6.1 The Data Controller authorizes the following Sub-Processors to process Personal Data for specific marketing, hosting, and tracking purposes:
- BeeFree: For email marketing design and delivery. Receives merge tags of customer attributes that will be used in email sends. Does not receive personal data.
- Sinch: For SMS marketing and notification services. Processes personal data that is used to send and personalize SMS. This could include any personal data that is used for segmentation or personalization of SMS, including but not limited to phone number, first name, and last name.
- Mailgun: For bulk email delivery. Processes personal data that is used to send and personalize email. This could include any personal data that is used for segmentation or personalization of email, including but not limited to email addresses, first name, and last name.
- Amazon Web Services (AWS): For secure hosting and storage of Personal Data. Processes personal data that is used to understand web browsing behavior. This would include but is not limited to IP addresses, email addresses, phone numbers, customer ID, first name, and last name.
6.2 Responsibilities of Sub-Processors: All Sub-Processors must enter into agreements with the Data Processor mandating GDPR-compliant processing practices and providing sufficient guarantees of implementing technical and organizational measures to protect Personal Data, including security and access control protocols.
6.3 Notification of Changes: The Data Processor shall update this webpage with any changes concerning the addition or replacement of Sub-Processors.
7. DATA SUBJECT RIGHTS
7.1 The Data Processor shall assist the Data Controller, where possible, in fulfilling obligations to respond to Data Subject requests related to access, rectification, erasure, restriction, or data portability, as per GDPR Articles 15-22.
7.2 The Data Processor shall notify the Data Controller promptly if it receives a Data Subject request directly and assist the Data Controller in responding within the legally mandated time frame.
8. INTERNATIONAL DATA TRANSFERS
8.1 The Data Processor and all Sub-Processors may transfer Personal Data internationally only in compliance with GDPR Chapter V. If Personal Data is transferred outside the EU/EEA, appropriate safeguards, as outlined in the Master Services Agreement and the Acceptable Use Policy, must be implemented.
8.2 AWS International Transfers: As AWS may process data outside the EU, AWS shall ensure compliance through the use of legally recognized transfer mechanisms to protect Personal Data.
9. DATA SECURITY AND CONFIDENTIALITY
9.1 Technical and Organizational Measures: The Data Processor shall implement robust security measures to protect Personal Data from unauthorized access, processing, loss, or destruction. These measures include encryption, access control, pseudonymization, regular vulnerability assessments, and incident response plans.
9.2 Information Security Program: To ensure the ongoing confidentiality, integrity, availability, and resilience of Personal Data processing systems and services, the Data Processor operates an Information Security Program based on industry standards designed to protect data integrity through a comprehensive, risk-based approach:
- Access Control: Measures to ensure only authorized personnel access Personal Data, including role-based access restrictions, multi-factor authentication, and periodic access reviews.
- Data Encryption: Encryption of Personal Data both in transit and at rest, utilizing strong cryptographic protocols to safeguard data from unauthorized access during transfer and storage.
- Pseudonymization and Anonymization: Implementation of pseudonymization and, where applicable, anonymization techniques to limit the identification of Data Subjects within datasets, as appropriate.
- Incident Response and Breach Notification: A dedicated incident response team manages all data security incidents. The team has established protocols for detecting, investigating, mitigating, and reporting data breaches. The Data Processor shall notify the Data Controller within 72 hours of any Personal Data Breach, including breach details as outlined in Section 10.1.
- Vulnerability Management: Regular vulnerability assessments, penetration testing, and timely application of security patches and updates to protect systems from security threats.
- Training and Awareness: All personnel involved in processing activities receive ongoing training on data protection, privacy principles, and the Information Security Program to maintain high standards of data protection.
- Documentation and Review: The Information Security Program is documented and reviewed annually or upon any significant change in processing activities or regulatory requirements to ensure its continued effectiveness and compliance with relevant data protection laws.
9.3 Access Control and Confidentiality: The Data Processor shall ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations and trained on data protection best practices.
10. DATA BREACH NOTIFICATION
10.1 Incident Notification: The Data Processor shall notify the Data Controller without undue delay, and no later than 72 hours, after becoming aware of any Personal Data Breach. This notification shall include sufficient information to support the Data Controller’s obligations under GDPR Article 33.
10.2 Mitigation and Documentation: The Data Processor shall take all necessary steps to mitigate the effects of any breach and document the breach resolution process.
11. DATA RETENTION AND DELETION
11.1 Upon termination or expiration of the Agreement, the Data Processor shall delete or return all Personal Data to the Data Controller unless required by law to retain such data.
11.2 The Data Processor shall comply with the Data Controller's instructions for the deletion or return of Personal Data at any time during the term of the Agreement.