DATA PROCESSING ADDENDUM
Version: 4.0, Effective date: 1st January 2022
This Data Processing Addendum (“Addendum”) forms integral part of the general terms and conditions – Bloomreach Engagement available at https://bloomreach.com/terms-of-service/general_terms_and_conditions.pdf (“GTC”), agreement on provision of services, cooperation agreement, reseller agreement, non-disclosure agreement, order form or any other agreement referring to this Addendum (GTC or any such other agreement hereinafter referred to also as the “Agreement”) concluded between Bloomreach as defined in the respective Agreement (“Bloomreach”) and you (“Customer”). This Addendum supplements the terms of the Agreement concluded between Bloomreach and Customer; whereas in case of any conflicting terms between Agreement and this Addendum, this Addendum shall prevail unless the Parties explicitly agree in writing on specific derogations from this Addendum in the Agreement.
-
1. DEFINITIONS
For the purposes of this Addendum, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined shall have the meaning given to them in the Agreement or GTC.
“Authorised User” means a person authorised by Customer to have access to Bloomreach’s Services and to provide instructions to and receive communication from Bloomreach, notwithstanding whether via Bloomreach Services interface, via e-mail or otherwise;
“Controller” means a person or entity that determines the purposes and means of the Processing of Personal Data;
“Data Protection Legislation” means, as applicable to a party and its Processing of Personal Data: (i) CCPA and any national data protection laws made under the CCPA, and (ii) EU/ UK Data Protection Law and (iii) any other applicable data privacy legislation of the country of registration of Bloomreach;
“Data Subject” means the identified or identifiable person to whom Personal Data relates;
"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
“Personal Data” means such Customer Data that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation and (ii) is Processed by Bloomreach on behalf of Customer in the course of providing the Services, as more particularly described in Schedule No. 1 to this Addendum;
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; for the avoidance of doubts, the processing of other information than Personal Data (e.g. anonymised data) does not fall under the scope of this Addendum and may be processed within the limitations set out in GTC;
“Processor” or “Sub-processor” means a person or entity that Processes Personal Data on behalf of a Controller or Processor, as applicable;
"Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
“Standard Contractual Clauses” means (i) where GDPR applies the standard contractual clauses annexed to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”);and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs"). ;
“Supervisory Authority” means an independent public authority carrying out control over Processing of Personal Data.
-
2. DATA PROCESSING
-
2.1. Processing of Personal Data. Bloomreach and Customer acknowledge that Customer is the Controller or primary Processor with regard to the Processing of relevant Personal Data. Bloomreach shall Process Personal Data only as a Processor or Sub-processor (as applicable to Customer’s use of the Services).Bloomreach shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this Addendum; (ii) Processing initiated by Authorised Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Bloomreach shall keep a log of the actually performed Processing operations. Where Bloomreach reasonably believes that Customer’s instruction is contrary to: (i) applicable law and regulations; or (ii) the provisions of the Agreement or Addendum, Bloomreach will undertake all reasonable endeavours to inform the Customer and is authorized to defer the performance of the relevant instruction until it has been amended by Customer to the extent required by Bloomreach to satisfy it that such instruction is lawful, or is mutually agreed by both Customer and Bloomreach to be lawful.
-
3. BLOOMREACH’S OBLIGATIONS
-
3.1. Confidentiality of Personal Data. Bloomreach shall treat Personal Data as Confidential Information.
-
3.2. Technical and Organizational Measures. Bloomreach shall maintain and implement reasonable and appropriate technical and organizational measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and in relation to the security of Personal Data and the platforms used to provide the Services as described in the Data Protection Legislation. In implementing such measures Bloomreach shall be entitled to take into account the current standard practice in determining what is reasonable, as well as the proportionality of the cost of putting such measures in place when weighed against the potential harm to relevant Data Subjects that the putting into place of those measures is designed to protect against.
-
3.3. Personnel. Bloomreach shall ensure that its Personnel engaged in the Processing of Personal Data are informed about its obligation and responsibilities hereunder, have received appropriate training, and are informed about the confidential nature of the Personal Data. The “Personnel” means those employees, agents, consultants, subcontractors, or other third parties: (i) who are engaged by Bloomreach so that it may fulfil its obligations to Customer under the Agreement or Addendum, and (ii) who are subject to confidentiality obligations in substantially the same extent as set out in Agreement and Addendum. Bloomreach shall ensure that Personnel’s access to Personal Data is limited to those performing Services in accordance with the Agreement, and the Personnel confidentiality obligations shall survive the termination of the Personnel engagement.
-
3.4. Notifications. Bloomreach shall notify the Customer:
-
3.4.1. as soon as commercially reasonable in writing of any communication received from an individual relating to (i) an individual’s rights to access, modify, correct, delete or block his or her Personal Data; (ii) an individual’s right to rectify, restrict or erase his or her Personal Data, to data portability, object to the Processing and not to be subject to automated decision-making; and (iii) any complaint about Customer’s Processing of Personal Data;
-
3.4.2. as soon as commercially reasonable in writing to the extent not prohibited by law, of any subpoena or other judicial or administrative order, or proceeding seeking access to, or disclosure of Personal Data;
-
3.4.3. as soon as commercially reasonable in writing to the extent not prohibited by law, of any complaint, notice or other communication that relates to Customer’s compliance with data protection and privacy law and the Processing of Personal Data. Bloomreach shall provide the Customer with commercially reasonable cooperation and assistance (at Customer’s expense) in relation to such complaint, notice or communication; and
-
3.4.4. without undue delay after becoming aware of a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, in accordance with applicable law (“Security Breach”). Bloomreach shall make reasonable efforts to identify the cause of such Security Breach and take those steps as necessary and reasonable, and which are acceptable to Customer, in order to rectify the cause of such Security Breach to the extent rectification is within Bloomreach’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer.
-
3.5. No acknowledgement. The Customer agrees that Bloomreach’s obligation to notify the Security Breach is not and will not be construed as an acknowledgment by Bloomreach of any fault or liability of Bloomreach with respect to such Security Breach.
-
3.6. Data Returns and Deletion. Subject to limitations set out in applicable laws, Bloomreach shall return to Customer all persistent PersonalData (if not already deleted in accordance with applicable law) following standardised procedures and within commercially reasonable deadlines.
-
3.7. Bloomreach Compliance. Bloomreach shall comply with the Data Protection Legislation applicable to its own operations and provision of the Services under the Agreement and its obligations under this Addendum.
-
3.8. Audit. The Customer shall have the right to conduct an audit to verify Bloomreach's compliance with its obligations laid down in Art. 28 GDPR/UK GDPR (if applicable) and in this Addendum. Bloomreach shall allow the Customer to carry out the audit under the following conditions:
-
(i) the Customer asks Bloomreach to carry out the audit via a written notice at least 30 (thirty) days in advance;
-
(ii) the Customer will specify the agenda for such audit in the notification under (i);
-
(iii) the audit shall not take place more than once a year;
-
(iv) all associated costs and expenses shall be borne by the Customer and reimbursed to Bloomreach on demand; and
-
(v) the audit shall last no longer than the equivalent of 1 working day (8 hours) of the Bloomreach representative.
In case the Customer requests the audit via third independent party – external licensed auditor, Bloomreach may object to an external licensed auditor appointed by the Customer to conduct the audit if the auditor is, in Bloomreach’s reasonable opinion, not suitably qualified or independent, a competitor of Bloomreach, or otherwise manifestly unsuitable. Any such objection will require the Customer to appoint another auditor. In case the Customer requires more than one audit within one calendar year, the Customer shall obtain prior written permission of Bloomreach and shall bear the cost associated with such audits and reimburse Bloomreach all reasonably incurred costs of such audits. On the request of the Customer, Bloomreach will provide the Customer with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by the Customer.
-
3.9. Bloomreach BigQuery. This Clause 3.9 applies only if the Customer uses Bloomreach BigQuery. The Customer hereby instructs Bloomreach to repeatedly export Customer’s data including Personal Data from Bloomreach's storage to Bloomreach BigQuery (import) and provide users of Customer with access to Bloomreach BigQuery. The Customer hereby acknowledges and agrees that (i) Bloomreach uses Google LLC's Affiliate established in the EU (“Google”) as a sub-processor for the purpose of the provision of Bloomreach BigQuery services; (ii) Google provides its services on the basis of the terms available at https://cloud.google.com/product-terms/ (“Terms”), and (iii) Customer has read and agreed to the Terms. Customer agrees that the Bloomreach's representative specified in the Agreement (or other Bloomreach's representative as may be notified by Bloomreach in advance) is responsible for Bloomreach BigQuery and is eligible to provide new users of Customer with view-only access to Bloomreach BigQuery. The Agreement shall specify the contact person from the Customer’s side that shall handle all communication with regards to Bloomreach BigQuery.
-
4. CUSTOMER’S PROCESSING
-
4.1. Customer’s Processing of Personal Data. The Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer warrants that its instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations and that it shall not make any instruction or order which directs Bloomreach to take any action or course of action which is unlawful or otherwise not in compliance with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
-
4.2. Customer’s Compliance. In addition to Customer’s obligations stated in the Agreement, Customer is responsible for its own processing of Personal Data including (i) integrity, security, maintenance and appropriate protection of Personal Data that are under Customer’s control , and (ii) ensuring its compliance with any applicable privacy, data protection and security law and regulation relative to: (a) Processing of the Personal Data processed by the Customer; (b) its use of the Services; and (c) any and all data Processing registration or notification requirements to which Customer is subject under the applicable law.
-
4.3. Notifications. Customer agrees to make any required notifications to, and obtain required consents and rights from, individuals in relation to Bloomreach’s provision of any Services to Customer. Where Bloomreach receives a communication described at Clauses 3.4.1 or 3.4.3 herein and notifies Customer of such communication, it is Customer’s responsibility to respond to and take all other appropriate action with regard to the communication. Customer agrees to immediately notify Bloomreach of any unauthorized use of Services or Customer’s account or of any other breach of security involving the Services.
-
4.4. Technical and organizational measures. Customer is solely responsible for implementing and maintaining security measures and other technical and organizational measures appropriate to the nature and volume of Personal Data that Customer stores or otherwise Processes using the Services. Customer is also responsible for the use of the Services by any of its employees, any person Customer authorizes to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by Customer.
-
5. COOPERATION
-
5.1. Customer and Bloomreach cooperation. Customer and Bloomreach agree to cooperate in a commercially reasonable fashion as reasonably required to protect the Personal Data under applicable laws, Articles 35 and 36 of the GDPR/UK GDPR to carry out a data protection impact assessment related to Customer’s use of the Services (if applicable), to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Bloomreach. The Customer must cooperate with Bloomreach’s reasonable investigation of Services outages, security problems, and any suspected Security Breach. The Customer shall provide reasonable assistance to Bloomreach in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks in relation to this Clause 5.1, to the extent required under the Data Protection Legislation.
-
5.2. Bloomreach’s assistance with Customer’s Compliance requirements. During the term of Agreement, the Customer may request that Bloomreach assists Customer’s efforts to comply with Customer’s obligations under Data Protection Legislation provided (i) such requested assistance is relevant to Services that support the Processing of Personal Data, (ii) such requested assistance is commercially reasonable and proportionate to the objective of the exercise with which Bloomreach is requested to assist, and (iii) if Bloomreach agrees to so assist, that all of its associated costs and expenses (including the cost of its staff’s time) shall be borne by the Customer and reimbursed to Bloomreach on request.
-
6. SUB-PROCESSING
-
6.1. In relation to third parties or sub-contracting the Processing of Personal Data, Bloomreach may only authorise a third party (Sub-processor) to Process the Personal Data with the prior consent of the Customer and provided that provisions relating to data processing and data protection in the Sub-processor’s contract with respect to the Personal Data is on terms which are substantially the same as those set out in this Addendum. For the purpose hereof the following Sub-processors are approved by the Customer by signing this Addendum: (i) Sub-processors listed in Schedule No. 2 hereof, (ii) Bloomreach’s Affiliates and (iii) any Sub-processor authorised by Customer via its Authorised User by authorizing an integration with Bloomreach Services via Account or otherwise. Bloomreach may during the Term involve new Sub-processors in Processing, provided that such Sub-processors only access and use Personal Data to the extent required to perform obligations subcontracted to.
-
6.2. Objection Right for New Sub-processors. The Customer may object to Bloomreach’s use of a new Sub-processor by notifying Bloomreach promptly in writing within ten (10) business days after receipt of Bloomreach’s notice and specifying the deficiencies. In the event Customer objects to a new Sub-processor, Bloomreach will effort to add additional safeguards (covering the specified deficiencies) or change the Sub-processor (vis-à-vis the Sub-processor); should Bloomreach be unable to do so, Bloomreach will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Bloomreach is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate only those Services which cannot be provided by Bloomreach without the use of the objected-to new Sub-processor by providing written notice to Bloomreach. Bloomreach will refund Customer any prepaid fees covering the remainder of the term of Agreement following the effective date of termination with respect to such terminated Services, which shall represent the sole and exclusive remedy of the Customer in connection with introduction of new Sub-processor. Customer agrees and consents that Bloomreach may give those Sub-processors (including but not limited to Bloomreach’s Affiliates) access to the Services strictly for Bloomreach’s legitimate business purposes.
-
6.3. Liability. Bloomreach shall be liable for the acts and omissions of its Sub-processors to the same extent Bloomreach would be liable if performing the services of each Sub-processor directly under the terms of this Addendum except as otherwise set forth in the Agreement.
-
7. DATA TRANSFER
Data Transfer. The Parties agree that Personal Data may be transferred from the European Union/European Economic Area to a third country, only if one of the following conditions applies: (a) there is an applicable decision of the European Commission that states that the third country ensures an adequate level of protection; or b) the transfer is done in accordance with Clause 7.2 ; or (c) the derogations for specific situation under Art. 49 of the GDPR/UK GDPR apply.
-
7.1. Application of Standard contractual clauses. The Parties agree that when and to the extent the transfer of Personal Data from Customer to Bloomreach is a Restricted Transfer and EU/UK Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the EU SCCs, which shall be incorporated by reference into and form an integral part of this Addendum as follows:
-
7.2. In relation to transfers of Personal Data protected by GDPR the EU SCCs will apply with following modifications:
-
a) Where Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where Customer is a Processor acting on behalf of third party Controllers, Module 3 (Processor to Processor Clauses) will apply;
-
b) in Clause 7 (Docking Clause), the optional docking clause will apply;
-
c) in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for objecting against sub-processor changes shall be as set out in Clause 6.2. of this Addendum;
-
d) in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
-
e) in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Dutch law;
-
f) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands;
-
g) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule No. 1 to this Agreement; (vii) Annex II of the New EU SCCs shall be deemed completed with the information set out in Schedule No. 3 to this Addendum.
-
7.3. In relation to transfers of Personal Data protected by UK GDPR, the EU SCCs will also apply in accordance with paragraphs (a) and (b) above, with the following modifications:
-
a) references to "Regulation (EU) 2016/679" shall be interpreted as references to UK GDPR;
-
b) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK GDPR);
-
c) references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" and "UK law";
-
d) the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK from the possibility of suing for their rights in their place of habitual residence (i.e., the UK);
-
e) Clause 13(a) and Part C of Annex I are not used, and the "competent supervisory authority" is the United Kingdom Information Commissioner;
-
f) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales";
-
g) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales; and
-
h) with respect to transfers to which UK GDPR apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";
unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer Personal Data in compliance with the UK GDPR. In such a case, the UK SCCs shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Schedules No. 1, 2 and 3 (as applicable).
-
8. COMMUNICATION
-
8.1. Customer agrees that any Authorised User of Customer may be contacted and shall be entitled to receive any communication in relation to this Addendum.
-
9. CCPA
-
9.1. In this Clause 9:
-
9.1.1. “CCPA” means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this Addendum; and
-
9.1.2. “Customer Personal Information” means “personal information” (i) which is contained in customer’s data; and (ii) is Processed by Bloomreach on behalf of Customer in the course of providing the Services, as more particularly described in Schedule No. 1 to this Addendum and as defined in the CCPA.
-
9.1.3. “Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
-
9.2. Bloomreach acknowledges that it acts as a Service Provider in respect of any Customer Personal Information processed by it hereunder.
-
9.3. Unless prescribed by applicable law or expressly agreed between the Parties, Bloomreach shall not:
-
9.3.1. sell Customer Personal Information;
-
9.3.2. retain, use, or disclose Customer Personal Information for any purpose other than the specific purpose of performing the Services in accordance with the Agreement;
-
9.3.3. retain, use, or disclose Customer Personal Information for a commercial purpose other than specified in the Agreement; or
-
9.3.4. retain, use, or disclose the Customer Personal Information outside of the direct business relationship between Bloomreach and Customer.
-
9.4. Bloomreach certifies that it understands and will comply with the responsibilities and restrictions imposed by this Addendum, the CCPA and other applicable data protection and privacy laws and regulations.
-
10. SPECIAL CLAUSES FOR US MARKET
-
10.1. This Clause 10 applies only if the contracting Party to the Agreement is Bloomreach with its registered seat in the United States of America.
-
10.2. COPPA. Protecting the privacy of children is especially important. The Children’s Online Privacy and Protection Act (“COPPA”) requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children in the United States of America who are under 13. Bloomreach respects the role of parents or guardians in the monitoring of their children’s online activities. Accordingly, Bloomreach limits its collection of personal information from children to no more than is reasonably necessary to participate in the Services and to improve it going forward. Bloomreach does not collect any Personal Data from children other than as set out in the Agreement. Bloomreach reserves the right to refuse to Process data supplied by Customer that is in violation of this Clause 10.2.
-
10.3. Third Party Use of Personal Data. Unless otherwise agreed all Personal Data provided to Bloomreach by Customer is Confidential Information and Bloomreach will not use any data for any other purposes than to exercise its rights and perform its obligations in connection with conducting of the Services. Customer acknowledges that in order to properly carry out the Services in accordance with Clause 3.5. GTC, information given to Bloomreach by Customer will be made available to third parties in order to enable the performance of the Services. Customer acknowledges that such third parties are not representatives of Bloomreach and Bloomreach is not responsible for the acts and omissions of those third parties. Bloomreach requires third parties to which any Customer Personal Data is made available to apply the same level of privacy protection as set forth in this Addendum and as required by applicable laws.
-
11. FINAL PROVISIONS
-
11.1. Third Party Beneficiaries. Data Subjects are the sole third party beneficiaries to the Standard Contractual Clauses, and there are no other third party beneficiaries to the Agreement and this Addendum. Notwithstanding the foregoing, the Agreement and the terms of this Addendum apply only to the parties and do not confer any rights to any Customer’s affiliate, Customer’s end user or any third-party Data Subjects.
-
11.2. Governing Law. Nothing in this Addendum amends the Governing Law section of the Agreement, which shall, for the avoidance of doubt, govern all claims brought under the Agreement and this Addendum.
-
11.3. Limitation of Liability. Customer’s remedies, including those of its Affiliates, and Bloomreach’s liability, arising out of or in relation to this Addendum (including Standard Contractual Clauses) will be subject to those limitations of liability and disclaimers as set forth under the Agreement or if there are no limitations of liability stipulated in the Agreement, the Parties agree and declare that the total damage which may arise out of the breach of this Addendum (including Standard Contractual Clauses) shall not exceed ten thousand (10,000) Euro. For the avoidance of doubt, nothing in this Addendum is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.
-
11.4. Term. Following the termination of the Agreement, this Addendum will continue to be in effect until Bloomreach ceases to process Personal Data on behalf of the Customer.
-
11.5. Termination. Bloomreach may terminate this Addendum if Bloomreach offers alternative mechanisms to Customer that comply with the obligations of the applicable data privacy laws.
-
11.6. Counterparts. This Addendum may be signed in multiple counterparts, which taken together will be considered one original.
Schedule No. 1 Description of the Processing
Schedule No. 1 (A) List of Parties:
Data Exporter |
Data Importer |
Name: Customer |
Name: The entity identified as Bloomreach or Exponea in the Agreement. |
Address: The address for the Customer associated with its Bloomreach account or as otherwise specified in the Sales Order or Agreement. |
Address: Bloomreach or Exponea’s address specified in the Agreement. |
Contact Person's Name, position and contact details: The contact details associated with the Customer's Bloomreach account, or as otherwise specified in the Order Form or Agreement. |
Contact Person's Name, position and contact details: The contact details specified in the Agreement.] |
Activities relevant to the processing: See Schedule No. 1(B) below |
Activities relevant to the processing: See Schedule No. 1(B) below |
Role: Controller or Processor (as applicable) |
Role: Processor/Sub-processor (as applicable) |
Role for the purpose of transfer under Clause 7 of the Addendum: Data Exporter |
Role for the purpose of transfer under Clause 7 of the Addendum: Data Importer |
Signature and Date: Subject to Clause 7 of the Addendum, by using the Services to transfer Personal Data to Bloomreach located in a non-adequate country, the data exporter will be deemed to have signed this Schedule 1. |
Signature and Date: Subject to Clause 7 of the Addendum, by transferring Personal Data to a non-adequate country on Customer's instruction, the data importer will be deemed to have signed this Schedule 1. |
Schedule No. 1 (B) Description of Processing
Categories of data subjects whose Personal Data is processed: |
Depending on the nature and scope of the Services purchased by the Customer, the Data Subjects may include: ● Visitor – any visitor to a website covered by the Services. ● End Customers – any existing or future end-customer or prospect of Customer that visits a website covered by the Services or whose personal data is otherwise uploaded by Customer to the Services. ● Customer’s Users – any of Customer's employees or other personnel, suppliers and other third parties who are authorized under the Agreement to use the Services. |
Categories of Personal Data processed: |
Depending on the nature and scope of the Services, the Personal Data may include:
● Visitors: browsing and purchasing activity (including pages and/or products purchases, links clicked, searched performed, product category and order details). IP addresses, unique device level identifiers (such as an IDFA or Android Advertising ID), cookies data, online navigation data (including access date and times), location data, browser data language and any other Personal Data Customer configures the Services to collect. ● End Customers: tracking data with respect to a specific product, tracking and other data contained in the contact forms; information about the preferences of contacting and Customer’s services and limited location data (city); IP address; name, surname; gender; email address; login, information; time zone setting; operating system and platform; information about visits including the URL, the search terms, information about what the Customer viewed or searched on the Customer’s website, page response times; download errors, length of visits to certain pages, page interaction information, (such as scrolling, clicks, and mouse-overs) and the methods used to browse away from the page, and activities of users browsing web pages.
|
Special categories of data: |
Bloomreach does not require any special categories of data in order to provide the Services and does not intentionally collect or process any special categories of such data in connection with the provision of the Services.
|
Frequency of processing: |
Continuous basis depending on the use of the Services. |
Nature of processing: |
The nature of the Processing is the performance of the Services pursuant to the Agreement. |
Duration of the processing: |
The Term. |
Purpose(s) of the data processing: |
(i) Processing to provide, maintain, support [and improve Services provided to Customer in accordance with the Agreement and applicable Order Form; (ii) Processing initiated by Customer’s Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this Addendum). |
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
|
Customer determines the duration of the Processing in accordance with the terms of this Addendum. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: |
As above. |
Schedule No. 1 (C): Competent supervisory authority
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, shall be: (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to UK Data, the competent supervisory authority is the Information Commissioners Office (the "ICO").
Schedule No. 2 Approved Sub-processors
The list of approved sub-processors of Bloomreach is available at
https://exponea.com/terms-of-service/list_of_sub-processors.pdf
Schedule No. 3 Technical and organizational measures
As of the Effective Date of the Agreement, Bloomreach maintains the technical and organisational security measures as described in this Schedule No. 3 to the Data Processing Addendum. This Schedule No. 3 is hereby incorporated into this Addendum and shall form an inseparable part of hereof. Capitalized terms not otherwise defined shall have the meaning given to them in the Addendum, Agreement or GTC. For more details regarding our security measures, please refer to our SOC 2 (Type 1) Report (see sec. F below). |
A) Access Control |
Physical Access Control. Bloomreach takes measures to prevent unauthorized persons from entering the premises in which data processing systems are stored and with which personal data are processed. |
Technical Access Control. Bloomreach takes technical measures to prevent data processing systems from being used by unauthorized persons. These include authentication when accessing computers / systems using a user ID and password, as well as setting up firewalls. |
Personnel Access Control. Bloomreach ensures that only authorized Personnel can access contents and that personal data cannot be copied, changed or deleted without authorization during processing and use and after saving. When granting access rights to Bloomreach Personnel working on the Customer’s project, Bloomreach follows the principle of least privilege to ensure that Personal Data are accessed only by Personnel that need the access in order to provide the Services as ordered by the Customer. |
Penetration testing. In order to prevent any unauthorised attacks to our platform, Bloomreach maintains contractual relationships with penetration testing service providers. Through regular penetration testing Bloomreach can identify and resolve foreseeable attacks and possible abuse scenarios and thus prevent them. |
B) Organisational Measures |
DPO. Bloomreach has a designated Data Protection Officer (DPO), Chief Information Security Officer (CISO) and a team of Security Engineers, as well legal professionals, to monitor and ensure compliance with GDPR/UK GDPR and local laws. |
Personnel training. Bloomreach organizes regular and obligatory whole company Security and GDPR/UK GDPR trainings, as well as OWASP trainings to prevent Web Application Security Risks. During the onboarding process, the Personnel are required to executed Non-disclosure agreements. During the course of engagement with Bloomreach, all Personnel follow guidelines to ensure confidentiality, professional and ethical standards necessary to guarantee effective Personal Data protection. |
Remote Working Policy. Bloomreach Personnel must act in compliance with further measures such as the Remote working policy (Endpoint Security Management, mandatory VPN, etc.), device secure setup and security awareness, strong passwords policy, two factor authentication process, etc. |
C) Technical Measures |
Transfer Control. Bloomreach prevents personal data from being read, copied, changed or deleted in an unauthorized way during electronic transmission, transport or storage on data media. This includes secure electronic transmission, VPN, firewalls, encryption, logging measures. |
Input control. Bloomreach ensures that it can be subsequently checked whether and by whom personal data have been entered, changed or deleted. This includes logging, user identification. |
Availability control. Bloomreach ensures that personal data are protected against accidental destruction or loss. This includes the usual fire protection measures and overvoltage protection, backup concept, virus protection, clean coding. |
Separation control. Bloomreach ensures that personal data collected for different purposes are be processed separately. This includes separate customer accounts, separate databases, encryption methods. |
Data Encryption. There are several layers of encryption of data. Data is encrypted both at rest and in transit. Further details of encryption are available at https://exponea.com/focus/tech-and-security/ and may depend on Customer’s instance. |
TLS. Transport Layer Security (TLS) security protocol is used for communication within the app and web tracking. |
Additional Technical Measures. Firewalls, logging, malware protection, security scans and other control mechanisms are in place to provide further technical security. |
Additional security features are further dependent on Customer’s instance, details available at: https://exponea.com/focus/tech-and-security/. |
D) Security Development practices |
Bloomreach has the further following practices in place to ensure the security of the application: ● Clean coding and least privilege access granting for Bloomreach IT developers. ● Monitoring traffic – Internal network traffic is regularly checked for any suspicious behaviour. ● Vulnerability Management and penetration tests – Bloomreach conducts regular web scans and scans for potential threats. ● Incident Management – Bloomreach has a well-defined incident management process for security events, including reporting, prioritization based on urgency, escalation and mitigation. ● Business Continuity – Bloomreach regularly reviews all business-critical functions. ● Quality assurance – Bloomreach tests all new features before implementing them to the application. |
E) Further measures to protect Personal Data |
Infrastructure. Bloomreach relies upon acknowledged hosting providers in the field, that (i) enable a multi-tenant, geographically distributed environment and a high availability infrastructure, (ii) comply with all data protection obligations as stipulated in applicable Data Protection Legislation. |
Control of Processors. Bloomreach ensures that personal data processed by Processors are processed in accordance with the instructions of Bloomreach and its customers. This includes control rights and data processing contracts according to the GDPR/UK GDPR. |
External Audit. Bloomreach is subject to external annual audit by an independent third-party licensed auditor to test, evaluate and confirm that the security measures are up-to-date, effective and functional. |
Bloomreach reserves the right to replace any security measures with an equivalent or enhanced alternative at any time during the Term of the Agreement that ensure equal data security and measures in compliance with state of the art security standards applicable in the field. Bloomreach regularly updates its security measures, the latest updates are available at: https://exponea.com/legal/security-commitment/. |