{"id":88165,"date":"2026-04-20T08:24:32","date_gmt":"2026-04-20T08:24:32","guid":{"rendered":"https:\/\/www.bloomreach.com\/?post_type=legal&#038;p=88165"},"modified":"2026-04-20T15:38:02","modified_gmt":"2026-04-20T15:38:02","slug":"partner-dpa-19-04-2024","status":"publish","type":"legal","link":"https:\/\/www.bloomreach.com\/en\/legal\/partner-dpa-19-04-2024","title":{"rendered":"PARTNER DATA PROCESSING ADDENDUM"},"content":{"rendered":"\n<p><strong>PARTNER DATA PROCESSING ADDENDUM<\/strong><\/p>\n\n\n\n<p>This Partner Data Processing Addendum (\u201c<strong>DPA<\/strong>\u201d) is an addendum to and forms part of the Agreement between Bloomreach (&#8220;<strong>Bloomreach<\/strong>&#8220;) and party identified as the Partner in the Agreement (&#8220;<strong>Partner<\/strong>&#8220;) (Bloomreach and Vendor jointly hereinafter referred to also as \u201c<strong>Parties<\/strong>\u201d and each of them individually as a \u201c<strong>Party<\/strong>\u201d).&nbsp;<\/p>\n\n\n\n<p>This DPA covers the processing of: (1) Personal Data that the Partner uploads, transfers, or otherwise provides to Bloomreach in connection with the Agreement; and (2) Personal Data that Bloomreach (or its customers) uploads, transfers, or otherwise provides to Partner in connection with the Agreement. 
In the event of any conflict or inconsistency between the terms of the Agreement and this DPA, this DPA will prevail.&nbsp;<\/p>\n\n\n\n<p>For the avoidance of doubt, the Bloomreach Entity that is the party to the Agreement, shall be the same party entering into this DPA.&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>DEFINITIONS<\/strong><\/li>\n<\/ol>\n\n\n\n<p>For the purposes of this DPA, capitalized terms not otherwise defined shall have the meaning given to them in the Agreement.&nbsp;<\/p>\n\n\n\n<p>\u201c<strong>Agreement<\/strong>\u201d means either (i) the Partner Agreement, together with any applicable Sales Orders; (ii) the Marketplace Partner Agreement; (iii) the Mutual Referral Agreement or (ii) any other written or electronic agreement incorporating this DPA, governing agreement between Bloomreach and Partner (but excluding customer agreements between Partner and Bloomreach that govern Partner\u2019s purchase and use of Bloomreach products and services).&nbsp;<\/p>\n\n\n\n<p>&#8220;<strong>Bloomreach<\/strong>&#8221; means the Bloomreach Entity that is a party to the Agreement.<\/p>\n\n\n\n<p>&#8220;<strong>Bloomreach Entity<\/strong>&#8221; means Bloomreach, Inc., Bloomreach B.V. 
or any other Affiliate of Bloomreach Inc.&nbsp;&nbsp;<\/p>\n\n\n\n<p>\u201c<strong>Bloomreach Personal Data<\/strong>\u201d means any Personal Data for which Bloomreach acts as a Controller.<\/p>\n\n\n\n<p>\u201c<strong>CCPA<\/strong>\u201d means the California Consumer Privacy Act, California Civil Code \u00a7\u00a71798.100 et seq., including as modified by the California Privacy Rights Act of 2020 (\u201cCPRA\u201d).&nbsp;<\/p>\n\n\n\n<p>\u201c<strong>Controller<\/strong>\u201d means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.<\/p>\n\n\n\n<p>\u201c<strong>Data Breach<\/strong>\u201d means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>\u201c<strong>Data Protection Legislation<\/strong>\u201d means, as applicable to a party and its Processing of Personal Data, the data protection laws and regulations of any relevant jurisdiction, including but not limited to: (i) EU\/ UK Data Protection Law, (ii) the CCPA, (iii) any other United States state or federal data protection laws, and (iv) all laws implementing or supplementing the foregoing.<\/p>\n\n\n\n<p>\u201c<strong>Data Privacy Framework<\/strong>\u201d or &#8220;<strong>DPF<\/strong>&#8221; means (as applicable) the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs operated by the U.S. 
Department of Commerce, and their respective successors.<\/p>\n\n\n\n<p>\u201c<strong>DPF Principles<\/strong>\u201d means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as amended, superseded, or replaced.<\/p>\n\n\n\n<p>&#8220;<strong>EU\/UK Data Protection Law<\/strong>&#8221; means: (i) Regulation 2016\/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data&nbsp; (the &#8220;<strong>GDPR<\/strong>&#8220;); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom&#8217;s European Union (Withdrawal) Act 2018 (the &#8220;<strong>UK GDPR<\/strong>&#8220;) and the UK Data Protection Act 2018 (collectively referred to for these purposes as &#8220;<strong>UK Data Protection Law<\/strong>&#8220;); (iii) the EU e-Privacy Directive (Directive 2002\/58\/EC); (iv) the Swiss Federal Act on Data Protection 1992 (&#8220;<strong>Swiss DPA<\/strong>&#8220;); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) (iii) or (iv); in each case as may be amended or superseded from time to time.<\/p>\n\n\n\n<p>\u201c<strong>Joint Customer<\/strong>\u201d means a customer of both Bloomreach and Partner.<\/p>\n\n\n\n<p>\u201c<strong>Joint Customer Personal Data<\/strong>\u201d means any Personal Data for which a Joint Customer acts as a Controller.<\/p>\n\n\n\n<p>\u201c<strong>Partner Personal Data<\/strong>\u201d means any Personal Data for which Partner acts as a Controller.<\/p>\n\n\n\n<p>\u201c<strong>Personal Data<\/strong>\u201d means any information contained within Bloomreach Personal Data, Partner Personal Data or Joint Customer Personal Data that is protected as &#8220;personal data&#8221;, &#8220;personal information&#8221; or &#8220;personally identifiable information&#8221; under Data Protection 
Legislation.&nbsp;<\/p>\n\n\n\n<p>\u201c<strong>Processor<\/strong>\u201d means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.<\/p>\n\n\n\n<p>&#8220;<strong>Restricted Transfer<\/strong>&#8221; means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where UK Data Protection Law applies, a direct or onward transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable).<\/p>\n\n\n\n<p><strong>\u201cSub-processor\u201d <\/strong>means any entity which provides processing services to a Processor.&nbsp;<\/p>\n\n\n\n<p><strong>&#8220;Standard Contractual Clauses&#8221;<\/strong> or &#8220;<strong>SCCs<\/strong>&#8221; means the standard contractual clauses annexed to the European Commission&#8217;s Implementing Decision 2021\/914 of 4 June 2021.<\/p>\n\n\n\n<p>&#8220;<strong>UK Addendum<\/strong>&#8221; means the International Data Transfer Addendum to the SCCs issued by Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as it is revised under Section 18 therein; as may be amended or superseded from time to time.<\/p>\n\n\n\n<p>The terms &#8220;Process&#8221;, &#8220;Processing&#8221; and &#8220;Data Subject&#8221; shall have the same meanings given to them under the GDPR, and the terms &#8220;Business&#8221;, &#8220;Service Provider,&#8221; &#8220;Share,&#8221; &#8220;Sell&#8221; and 
&#8220;Sale&#8221; have the same meanings given to them under the CCPA.&nbsp;<\/p>\n\n\n\n<p><strong>2. COMPLIANCE WITH LAWS<\/strong><\/p>\n\n\n\n<p>2.1. The Parties will comply with their respective obligations under Data Protection Legislation.<\/p>\n\n\n\n<p><strong>3. CONTROLLER-TO-CONTROLLER SCENARIOS&nbsp;<\/strong><\/p>\n\n\n\n<p><strong>3.1. Role.<\/strong> Bloomreach and Partner may, in connection with the Agreement, each be Controllers of Personal Data and, transfer that Personal Data to the other Party for that other Party to act as a Controller of that Personal Data.<\/p>\n\n\n\n<p><strong>3.2. Obligations.<\/strong> Each Party, to the extent that it, along with the other Party, acts as a Controller with respect to Personal Data, will reasonably cooperate with the other Party to enable the exercise of data protection rights as set forth in applicable Data Protection Legislation. The Parties acknowledge and agree that each is acting independently as a Controller with respect to Personal Data and the Parties are not joint controllers as defined under EU\/UK Data Protection Law.<\/p>\n\n\n\n<p><strong>4. JOINT PROCESSOR SCENARIOS<\/strong><\/p>\n\n\n\n<p><strong>4.1. Role.<\/strong> Bloomreach and Partner may each be Processors of a Joint Customer\u2019s Personal Data and transfer such data to the other Party for processing at the direction of that Joint Customer.<\/p>\n\n\n\n<p><strong>4.2. Obligations.<\/strong> Each Party, to the extent that it, along with the other Party, acts as a Processor with respect to Joint Customer Personal Data, will (i) comply with the instructions and restrictions set forth in any applicable agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other Party to enable the exercise of data protection rights as set forth in applicable Data Protection Legislation. 
The Parties both acknowledge and agree that each Party is acting as a Processor for the Joint Customer and neither Party is engaging the other as a Sub-processor.<\/p>\n\n\n\n<p><strong>5. CONTROLLER TO PROCESSOR SCENARIOS<\/strong><\/p>\n\n\n\n<p><strong>5.1. Role.<\/strong> Bloomreach and Partner may each be Controllers of Personal Data and transfer that Personal Data to the other Party for that other Party to provide certain services to the other Party as a Processor of that Personal Data. For Processing operations where Bloomreach processes Personal Data on Partner\u2019s behalf and at Partner\u2019s direction, the term \u201cProcessor\u201d refers to Bloomreach, the term \u201cController\u201d refers to Partner, and the term \u201cPersonal Data\u201d refers to Partner Personal Data. For data processing operations where Partner processes Personal Data on Bloomreach\u2019s behalf and at Bloomreach\u2019s direction, the term \u201cProcessor\u201d refers to Partner, the term \u201cController\u201d refers to Bloomreach, and the term \u201cPersonal Data\u201d refers to Bloomreach Personal Data.<\/p>\n\n\n\n<p><strong>5.2. Permitted Purpose. <\/strong>In the context of the scenarios described in Section 5.1 above, each Party agrees to process Personal Data only for the purposes set forth in the applicable Agreement and\/or the applicable agreement(s) with the Joint Customer. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Annex 1 to this DPA.<\/p>\n\n\n\n<p><strong>5.3. Controller Obligations. <\/strong>The Parties in their capacity as a Controller agree to:&nbsp;<\/p>\n\n\n\n<p>5.3.1. Provide instructions to the Processor and determine the purposes and means of the Processor\u2019s processing of Personal Data in accordance with the Agreement; and<\/p>\n\n\n\n<p>5.3.2. 
Comply with its protection, security and other obligations with respect to Personal Data prescribed by applicable Data Protection Legislation for a Controller by: (i) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of the Controller; (ii) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (iii) ensuring compliance with the provisions of this DPA by its personnel or by any third party accessing or using Personal Data on its behalf.<\/p>\n\n\n\n<p><strong>5.4. Processor Obligations.&nbsp;<\/strong><\/p>\n\n\n\n<p>5.4.1. Processing Requirements. The Parties in their capacity as a Processor agree to:<\/p>\n\n\n\n<p>5.4.1.1. Process Personal Data (i) only for the purpose of providing, supporting and improving the Processor\u2019s&nbsp; product and services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from the Controller. The Processor will not use or process Personal Data for any other purpose. The Processor will promptly inform the Controller in writing if it cannot comply with the requirements under Section 5 of this DPA, in which case the Controller may terminate the Agreement, and any applicable Agreement, or take any other reasonable action, including suspending data processing operations;<\/p>\n\n\n\n<p>5.4.1.2. Inform the Controller promptly and without undue delay if, in the Processor\u2019s opinion, an instruction from the Controller violates applicable Data Protection Legislation;<\/p>\n\n\n\n<p>5.4.1.3. If the Processor is collecting Personal Data from individuals on behalf of the Controller, follow the Controller\u2019s instructions regarding such Personal Data collection;<\/p>\n\n\n\n<p>5.4.1.4. 
Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on the Processor\u2019s behalf comply with the terms of the Agreement, and applicable Agreements;<\/p>\n\n\n\n<p>5.4.1.5. Represent and warrant that its employees, authorized agents and any Sub-processors are subject to a strict duty of confidentiality, and shall not permit any person to process the personal data who is not under such a duty of confidentiality; and<\/p>\n\n\n\n<p>5.4.1.6. If it intends to engage Sub-processors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Sub-processors, (i) provide a list of Sub-processors currently engaged by the Processor to the Controller (such list for Bloomreach is available online at https:\/\/www.bloomreach.com\/en\/legal\/subprocessors), and notify the Controller of the engagement of any new Sub-processors at least 30 days in advance, giving the Controller the opportunity to object; (ii) remain liable to the Controller for the Sub-processors\u2019 acts and omissions with regard to data protection where such Sub-processors act on the Processor\u2019s instructions; and (iii) enter into contractual arrangements with such Sub-processors binding them to provide a substantially similar level of data protection and information security to that provided for herein.<\/p>\n\n\n\n<p>5.4.2. Notice to the Controller. The Processor will, without undue delay, inform the Controller if it becomes aware of:&nbsp;<\/p>\n\n\n\n<p>5.4.2.1. Any non-compliance by Processor or its employees with Section 5 of this DPA or applicable Data Protection Legislation relating to the protection of Personal Data processed under this DPA;<\/p>\n\n\n\n<p>5.4.2.2. 
Any legally binding request for disclosure of Personal Data by a law enforcement or government authority, unless the Processor is otherwise forbidden by law to inform the Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities; or<\/p>\n\n\n\n<p>5.4.2.3. Any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from data subjects of the Controller. The Processor will not respond to any such request without the Controller\u2019s prior written authorization.<\/p>\n\n\n\n<p>5.4.3. Assistance to Controller. The Processor will provide timely and reasonable assistance to the Controller regarding:<\/p>\n\n\n\n<p>5.4.3.1. Responding to any request from an individual to exercise rights under applicable Data Protection Legislation (including its rights of access, correction, objection, erasure and data portability, as applicable) and the Processor agrees to promptly inform the Controller if such a request is received directly;<\/p>\n\n\n\n<p>5.4.3.2. The investigation of Personal Data Breaches and the notification to the Supervisory Authority and the Controller data subjects regarding such Personal Data Breaches; and<\/p>\n\n\n\n<p>5.4.3.3. where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.<\/p>\n\n\n\n<p>5.4.4. Security. The Processor will:<\/p>\n\n\n\n<p>5.4.4.1. Maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data;<\/p>\n\n\n\n<p>5.4.4.2. 
Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all of the Processor\u2019s personnel with respect to Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;<\/p>\n\n\n\n<p>5.4.4.3. Take appropriate steps to confirm that all of the Processor\u2019s personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this DPA; and<\/p>\n\n\n\n<p>5.4.4.4. Notify the Controller of any Data Breach by the Processor, its Sub-processors, or any other third parties acting on the Processor\u2019s behalf without undue delay and in any event within 48 hours of becoming aware of a Data Breach.<\/p>\n\n\n\n<p>5.4.5. Processing Subject to the CCPA. To the extent the CCPA is applicable, Controller is a Business and the Processor is a Service Provider. The Parties agree that the Processor will Process California Personal Information as a Service Provider strictly for the business purpose specified in the Agreement or as otherwise permitted by the CCPA. Further, the Processor (i) will not Sell or Share California Personal Information; (ii) will not Process California Personal Information outside the direct business relationship between the Parties, unless required by applicable law; and (iii) will not combine the California Personal Information with personal information that collected or received from another source (other than information received from another source in connection with Processor&#8217;s obligations under the applicable Agreement and\/or the agreement(s) with the Joint Customer).&nbsp;<\/p>\n\n\n\n<p><strong>6. AUDIT<\/strong><\/p>\n\n\n\n<p><strong>6.1. 
Compliance.<\/strong> Each Party shall be able to demonstrate compliance with its respective obligations under this DPA and Data Protection Legislation.&nbsp; In particular, each Party shall keep appropriate documentation of the Processing activities carried out under its responsibility pursuant to this DPA. Each Party shall deal promptly and adequately with reasonable inquiries from the other Party about the Processing under this DPA.<\/p>\n\n\n\n<p><strong>6.2. Supervisory Authority. <\/strong>If a Supervisory Authority requires an audit of the data processing facilities from which the Processor processes Personal Data in order to ascertain or monitor compliance with Data Protection Legislation, the Processor will cooperate with such audit. The Controller will reimburse the Processor for its reasonable expenses incurred to cooperate with the audit, unless such audit reveals the Processor\u2019s noncompliance with this DPA.<\/p>\n\n\n\n<p><strong>7. DATA RETENTION AND DELETION<\/strong><\/p>\n\n\n\n<p><strong>7.1. Retention.<\/strong> Each Party shall retain the Personal Data for no longer than is necessary to carry out the purpose(s) of Processing set forth in this DPA and do so in accordance with Data Protection Legislation.&nbsp; Each Party shall implement appropriate technical or organizational measures to ensure compliance with this obligation, including appropriate data retention policies and procedures, and mechanisms to securely delete, erase, destroy, dispose of, or anonymize the Personal Data.<\/p>\n\n\n\n<p><strong>7.2. Deletion. 
<\/strong>The Parties agree that on the termination of the data processing services or upon the Controller\u2019s reasonable request, the Processor shall and shall take reasonable measures to cause any Sub-processors to, at the choice of the Controller, return all the Personal Data and copies of such data to the Controller or securely destroy them and demonstrate to the satisfaction of the Controller that it has taken such measures, unless applicable Data Protection Legislation prevent the Processor from returning or destroying all or part of the Personal Data disclosed. In such case, the Processor agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date in order to comply with applicable laws.<\/p>\n\n\n\n<p><strong>8. DATA TRANSFERS<\/strong><\/p>\n\n\n\n<p><strong>8.1. Compliance. <\/strong>Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Legislation. The Parties shall promptly notify each other of any inability to comply with the provisions of this Section 8.<\/p>\n\n\n\n<p><strong>8.2. Restricted Transfers.<\/strong> For Restricted Transfers:<\/p>\n\n\n\n<p>8.2.1. If a Party is self-certified to the DPF, it will utilize the DPF to lawfully receive Personal Data in the United States and ensure that it provides at least the same level of protection to such Personal Data as is required by the DPF Principles and will inform the other Party if it is unable to comply with these requirements.<\/p>\n\n\n\n<p>8.2.2. If EU\/UK Data Protection Laws require that appropriate safeguards are put in place (for example, if the DPF does not cover the Restricted Transfer and\/or the DPF is invalidated), such transfer shall be governed by the SCCs which shall be incorporated by reference into and form an integral part of this DPA as follows:<\/p>\n\n\n\n<p>8.2.2.1. 
with respect to Partner Personal Data, the \u201cdata exporter\u201d shall be Partner and the \u201cdata importer\u201d shall be Bloomreach (acting on behalf of itself and its Affiliates);&nbsp;<\/p>\n\n\n\n<p>8.2.2.2. with respect to Bloomreach Personal Data the \u201cdata exporter\u201d shall be Bloomreach (acting on behalf of itself and its Affiliates) and the \u201cdata importer\u201d shall be Partner;<\/p>\n\n\n\n<p>8.2.2.3. the Module One terms shall apply where both Parties are Controllers and the Module Two terms shall apply where the Party receiving Personal Data under the SCCs is acting as a Processor on behalf of the other Party as a Controller;<\/p>\n\n\n\n<p>8.2.2.4. in Clause 7 (Docking Clause), the optional docking clause will apply;<\/p>\n\n\n\n<p>8.2.2.5. in Clause 9 (Use of Sub-processors), Option 2 of Module Two shall apply and the Processor shall obtain authorization for Subprocessors in accordance with Section 5.4.1.6 of this DPA;<\/p>\n\n\n\n<p>8.2.2.6. in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;<\/p>\n\n\n\n<p>8.2.2.7. in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands;<\/p>\n\n\n\n<p>8.2.2.8. Annex I shall be deemed completed with the information set out in Annex 1 to this DPA; and<\/p>\n\n\n\n<p>8.2.2.9. Annex II shall be deemed completed with the information set out in Annex 2 to this DPA.<\/p>\n\n\n\n<p>8.2.3. In relation to transfers of Personal Data protected by the UK Data Protection Law, the SCCs: (i) shall apply as completed in accordance with Section 8.2.2 above; and (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be populated with relevant information set out in Annex 1 of this DPA, which shall deemed executed by the Parties and incorporated into and form an integral part of this DPA. 
Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.<\/p>\n\n\n\n<p>8.2.4. In relation to transfers of Personal Data protected by the Swiss DPA, the SCCs will also apply in accordance with Section 8.2.2. above, with the following modifications:<\/p>\n\n\n\n<p>8.2.4.1. references to &#8220;Regulation (EU) 2016\/679&#8221; shall be interpreted as references to the Swiss DPA;<\/p>\n\n\n\n<p>8.2.4.2. references to specific Articles of &#8220;Regulation (EU) 2016\/679&#8221; shall be replaced with the equivalent article or section of the Swiss DPA;<\/p>\n\n\n\n<p>8.2.4.3. references to &#8220;EU&#8221;, &#8220;Union&#8221;, &#8220;Member State&#8221; and &#8220;Member State law&#8221; shall be replaced with references to &#8220;Switzerland&#8221; or &#8220;Swiss law&#8221;;<\/p>\n\n\n\n<p>8.2.4.4. the term &#8220;member state&#8221; shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);<\/p>\n\n\n\n<p>8.2.4.5. Clause 13(a) and Part C of Annex 1 are not used and the &#8220;competent supervisory authority&#8221; is the Swiss Federal Data Protection Information Commissioner;<\/p>\n\n\n\n<p>8.2.4.6. references to the &#8220;competent supervisory authority&#8221; and &#8220;competent courts&#8221; shall be replaced with references to the &#8220;Swiss Federal Data Protection Information Commissioner&#8221; and &#8220;applicable courts of Switzerland&#8221;;<\/p>\n\n\n\n<p>8.2.4.7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and<\/p>\n\n\n\n<p>8.2.4.8. Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.<\/p>\n\n\n\n<p>8.2.5. 
In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent of such conflict.&nbsp;<\/p>\n\n\n\n<p><strong>9. DIRECT MARKETING<\/strong><\/p>\n\n\n\n<p>9.1. To the extent that a Party intends to Process the Personal Data for direct marketing, that Party shall do the following:<\/p>\n\n\n\n<p>9.1.1. Ensure that the appropriate types of any necessary consents have been obtained from the relevant Data Subjects or otherwise establish a lawful basis to allow the Personal Data to be used for direct marketing in compliance with Data Protection Legislation;<\/p>\n\n\n\n<p>9.1.2. Implement effective procedures and communications to allow a Data Subject to exercise the right to opt out from or object to direct marketing; and<\/p>\n\n\n\n<p>9.1.3. implement effective procedures to enable the Party to notify relevant third parties of any Data Subject\u2019s choice to opt-out of or object to such marketing.<\/p>\n\n\n\n<p><strong>10. INDEMNIFICATION; LIABILITY<\/strong><\/p>\n\n\n\n<p><strong>10.1. Indemnification.<\/strong> Notwithstanding anything contrary set forth in the Agreement, a Party (\u201cIndemnifying Party\u201d) shall indemnify the other Party (\u201cIndemnified Party\u201d) against any claims by a third party that arise from a Data Breach caused by the Indemnifying Party\u2019s breach of its obligations under this DPA subject to the limitation of liability set forth in the Agreement (including any agreed aggregate financial cap).<\/p>\n\n\n\n<p><strong>10.2. 
Liability.<\/strong> To the maximum extent permitted by law, each party and its Affiliates\u2019 aggregate liability to the other party arising out of or in relation to this DPA (including the Standard Contractual Clauses), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability (including any agreed aggregate financial cap) set forth under the applicable Agreement. For the avoidance of doubt, nothing in this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party\u2019s breach of the Standard Contractual Clauses, where applicable.<\/p>\n\n\n\n<p><strong>11. MISCELLANEOUS<\/strong><\/p>\n\n\n\n<p><strong>11.1. Third Party Beneficiaries. <\/strong>Data Subjects are the sole third party beneficiaries to the Standard Contractual Clauses, and there are no other third party beneficiaries to the Agreement and this DPA. Without prejudice to the foregoing, the Agreement and the terms of this DPA apply only to the Parties and do not confer any rights to any third-party Data Subjects.<\/p>\n\n\n\n<p><strong>11.2. Governing Law and Jurisdiction. <\/strong>This DPA shall be governed by and construed with governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>11.3. 
Term.<\/strong> This DPA shall remain in effect as long as either party carries out Personal Data processing operations on the Personal Data uploaded or otherwise provided by the other party pursuant to and in accordance with the Agreement (the \u201c<strong>Processing Term<\/strong>\u201d).<\/p>\n\n\n\n<p><strong>Annex 1<br><\/strong><strong>Description of Processing<\/strong><\/p>\n\n\n\n<p><strong>List of Parties<\/strong><\/p>\n\n\n\n<p>Bloomreach<br>Name: The entity identified as \u201cBloomreach\u201d in the Agreement<br>Address: \u200cBloomreach address specified in the Agreement.<br>Contact Person&#8217;s Name, position and contact details:&nbsp; The contact details specified in the Agreement.<br>Role: Controller or processor (as applicable)<\/p>\n\n\n\n<p>Partner<br>Name: The entity identified as the &#8220;Partner&#8221; in the Agreement<br>Address: The address for the Partner as specified in the Agreement.<br>Contact Person&#8217;s Name, position and contact details: The contact details for the Partner as specified in the Agreement.<br>Role: Controller or processor (as applicable)<\/p>\n\n\n\n<p><strong>Description of Processing<\/strong><\/p>\n\n\n\n<p>Categories of Data Subjects<br>Depending on the nature and scope of the Agreement, the Data Subjects may include:&nbsp;<\/p>\n\n\n\n<p>&#8211; Employees, personnel, and\/or staff<br>&#8211; Customers, clients, and\/or end users<br>&#8211; Vendors, suppliers, and\/or third-party service providers<br>&#8211; Prospective customers and\/or clients (prospects)<br>&#8211; Event or webinar audience members, attendees, registrants, and\/or participants<\/p>\n\n\n\n<p>Categories of Personal Data<br>The categories of Personal Data may include:<\/p>\n\n\n\n<p>&#8211; Name: First name and last name<br>&#8211; Business contact information: email, telephone or mobile number, office\/mailing\/billing address\/location<br>&#8211; Professional information: Employer (company) name; Job title, role, position, and\/or 
function<br>&#8211; Other Identifiers: System username; user ID; password; IP address<br>&#8211; Account Data: tracking data with respect to a specific product, tracking and other data contained in the contact forms; information about the preferences of contacting and limited location data (city); IP address; name, surname; gender; email address; login, information; time zone setting; operating system and platform; information about visits including the URL, the search terms, information about what the users viewed or searched on the website, page response times; download errors, length of visits to certain pages, page interaction information, (such as scrolling, clicks, and mouse-overs) and the methods used to browse away from the page; activities of users browsing web pages.<\/p>\n\n\n\n<p>Frequency of the processing<br>The personal data is transferred continuously.&nbsp;<\/p>\n\n\n\n<p>Nature and purpose of processing<br>Nature: The nature of the Processing is the performance of the Services pursuant to the Agreement.<br>Purpose: The transfer is intended to enable the relationship of the Parties contemplated by the Agreement. 
The relationship involves, among other things, account creation, administration, and management; business activities necessary to operate the partnership program and manage the partner relationship, including communications; advertising, promotional, marketing, and\/or sales related activities; contract or customer relationship management; execution of contracts, completion of business transactions, and performance of contractual obligations; compliance with applicable legal obligations, cooperating with legal and regulatory authorities, and exercising or defending legal claims; internal auditing, research, and development; activities related to product and service quality, enhancement, and improvement; and other relevant legitimate interests and business purposes of the Parties.<\/p>\n\n\n\n<p>Duration of processing<br>The Processing Term.<\/p>\n\n\n\n<p>Period for which Personal Data will be retained, or if that is not possible, the criteria used to determine that period<br>The Personal Data transferred between the Parties may only be retained for the period of time permitted under the Agreement. 
The Parties agree that each Party will, to the extent that it, along with the other Party, acts as a Controller with respect to Personal Data, reasonably cooperate with the other Party to enable the exercise of data protection rights as set forth in Data Protection Legislation.<\/p>\n\n\n\n<p>Subject matter, nature and duration of the processing<br>The subject matter, nature and duration of the processing are as described in the Agreement, including this DPA.<\/p>\n\n\n\n<p><strong>Supervisory Authority<\/strong><\/p>\n\n\n\n<p>The competent supervisory authority will be determined in accordance with the GDPR, where applicable.<\/p>\n\n\n\n<p><strong>Annex 2<br><\/strong><strong>Technical and Organizational Measures<\/strong><\/p>\n\n\n\n<p>The technical and organizational measures implemented by Bloomreach (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purposes of the processing and the risks for the rights and freedoms of natural persons, are as follows:<\/p>\n\n\n\n<p><strong>Annex 1 (A) List of Parties:&nbsp;<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Security Measures \u2013 Bloomreach<\/td><\/tr><tr><td>As of the Effective Date of the Agreement, Bloomreach maintains the technical and organizational security measures as described in this Annex 2 to the DPA. This Annex 2 is hereby incorporated into this DPA and shall form an inseparable part hereof. Capitalized terms not otherwise defined shall have the meaning given to them in the DPA or the Agreement.<br>For more details regarding our security measures, please refer to our SOC 2 (Type 2) Report (see sec. F below).&nbsp;<\/td><\/tr><tr><td>A. 
Access Control<\/td><\/tr><tr><td>Physical Access Control. Bloomreach takes measures to prevent unauthorized persons from entering the premises in which data processing systems are stored and with which personal data are processed.<\/td><\/tr><tr><td>Technical Access Control. Bloomreach takes technical measures to prevent data processing systems from being used by unauthorized persons. These include authentication when accessing computers \/ systems using a user ID and password, as well as setting up firewalls.<\/td><\/tr><tr><td>Personnel Access Control. Bloomreach ensures that only authorized personnel can access contents and that personal data cannot be copied, changed or deleted without authorization during processing and use and after saving. When granting access rights to Bloomreach personnel, Bloomreach follows the principle of least privilege to ensure that Personal Data is accessed only by personnel that need the access.&nbsp;<\/td><\/tr><tr><td>Penetration testing. In order to prevent unauthorized attacks against its platform, Bloomreach maintains contractual relationships with penetration testing service providers. Through regular penetration testing, Bloomreach can identify and resolve foreseeable attack and abuse scenarios and thus prevent them.<\/td><\/tr><tr><td>B. Organizational Measures<\/td><\/tr><tr><td>DPO. Bloomreach has a designated Data Protection Officer (DPO), a Chief Information Security Officer (CISO) and a team of Security Engineers, as well as legal professionals, to monitor and ensure compliance with the GDPR and local laws.&nbsp;<\/td><\/tr><tr><td>Personnel training. Bloomreach organizes regular and obligatory company-wide Security and GDPR trainings, as well as OWASP trainings to prevent Web Application Security Risks. 
During the onboarding process, the personnel are required to execute non-disclosure agreements. During the course of their engagement with Bloomreach, all personnel follow guidelines to ensure the confidentiality, professional and ethical standards necessary to guarantee effective Personal Data protection.&nbsp;<\/td><\/tr><tr><td>Remote Working Policy. Bloomreach personnel must act in compliance with further measures such as the Remote Working Policy (Endpoint Security Management, mandatory VPN, etc.), secure device setup and security awareness, a strong password policy, two-factor authentication, etc.&nbsp;<\/td><\/tr><tr><td>C. Technical Measures<\/td><\/tr><tr><td>Transfer Control. Bloomreach prevents personal data from being read, copied, changed or deleted in an unauthorized way during electronic transmission, transport or storage on data media. This includes secure electronic transmission, VPN, firewalls, encryption and logging measures.&nbsp;<\/td><\/tr><tr><td>Input control. Bloomreach ensures that it can be subsequently checked whether and by whom personal data have been entered, changed or deleted. This includes logging and user identification.<\/td><\/tr><tr><td>Availability control. Bloomreach ensures that personal data is protected against accidental destruction or loss. This includes the usual fire protection measures and overvoltage protection, a backup concept, virus protection and clean coding.<\/td><\/tr><tr><td>Separation control. Bloomreach ensures that personal data collected for different purposes is processed separately. This includes separate customer accounts, separate databases and encryption methods.<\/td><\/tr><tr><td>Data Encryption. There are several layers of encryption of data. Data is encrypted in transit.&nbsp;<\/td><\/tr><tr><td>TLS. The Transport Layer Security (TLS) protocol is used for communication within the app and for web tracking.<\/td><\/tr><tr><td>Additional Technical Measures. 
Firewalls, logging, malware protection, security scans and other control mechanisms are in place to provide further technical security.&nbsp;<\/td><\/tr><tr><td>D. Secure Development Practices&nbsp;<\/td><\/tr><tr><td>Bloomreach has the following further practices in place to ensure the security of the application: Clean coding and least privilege access granting for Bloomreach IT developers. Monitoring traffic \u2013 Internal network traffic is regularly checked for any suspicious behaviour. Vulnerability Management and penetration tests \u2013 Bloomreach conducts regular web scans and scans for potential threats. Incident Management \u2013 Bloomreach has a well-defined incident management process for security events, including reporting, prioritization based on urgency, escalation and mitigation. Business Continuity \u2013 Bloomreach regularly reviews all business-critical functions. Quality assurance \u2013 Bloomreach tests all new features before deploying them to the application.<\/td><\/tr><tr><td>E. Further measures to protect Data<\/td><\/tr><tr><td>Infrastructure. Bloomreach relies upon recognized hosting providers in the field that (i) enable a multi-tenant, geographically distributed environment and a high availability infrastructure, and (ii) comply with all data protection obligations as stipulated in applicable Data Protection Legislation.&nbsp;<\/td><\/tr><tr><td>Control of Processors. Bloomreach ensures that personal data processed by Processors are processed in accordance with the instructions of Bloomreach and its customers. This includes control rights and data processing contracts according to the GDPR.<\/td><\/tr><tr><td>External Audit. 
Bloomreach is subject to an annual external audit by an independent, licensed third-party auditor to test, evaluate and confirm that the security measures are up-to-date, effective and functional.&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>F. Certification<\/td><\/tr><tr><td>Bloomreach currently maintains the following certifications:&nbsp; <a href=\"https:\/\/br-cms.bloomreach.com\/site\/binaries\/content\/assets\/assets\/certificates\/gdpr-3101.pdf\" target=\"_blank\" rel=\"noopener\">GDPR 3101<\/a> <a href=\"https:\/\/br-cms.bloomreach.com\/site\/binaries\/content\/assets\/assets\/certificates\/iso-9001_2015.pdf\" target=\"_blank\" rel=\"noopener\">ISO 9001:2015<\/a> <a href=\"https:\/\/br-cms.bloomreach.com\/site\/binaries\/content\/assets\/assets\/certificates\/iso_iec-27001_2013.pdf\" target=\"_blank\" rel=\"noopener\">ISO 27001:2013<\/a> <a href=\"https:\/\/br-cms.bloomreach.com\/site\/binaries\/content\/assets\/assets\/certificates\/iso_iec-27017_2015.pdf\" target=\"_blank\" rel=\"noopener\">ISO 27017:2015<\/a> <a href=\"https:\/\/br-cms.bloomreach.com\/site\/binaries\/content\/assets\/assets\/certificates\/iso_iec-27018_2019.pdf\" target=\"_blank\" rel=\"noopener\">ISO 27018:2019<\/a> <a href=\"https:\/\/br-cms.bloomreach.com\/site\/binaries\/content\/assets\/assets\/certificates\/iso-22301_2019.pdf\" target=\"_blank\" rel=\"noopener\">ISO 22301:2019<\/a> More information available at: <a href=\"https:\/\/www.bloomreach.com\/en\/legal\/security\">https:\/\/www.bloomreach.com\/en\/legal\/security<\/a><\/td><\/tr><tr><td>Bloomreach also holds a SOC 2 (Type II) Report. 
This contains specifics pertaining to security measures and can be provided under a non-disclosure agreement.<\/td><\/tr><tr><td>Bloomreach reserves the right to replace any security measure with an equivalent or enhanced alternative at any time during the Term of the Agreement, provided that the alternative ensures an equal level of data security and complies with state-of-the-art security standards applicable in the field.<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"parent":0,"menu_order":0,"template":"","class_list":["post-88165","legal","type-legal","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/legal\/88165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/legal"}],"about":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/types\/legal"}],"version-history":[{"count":2,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/legal\/88165\/revisions"}],"predecessor-version":[{"id":88217,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/legal\/88165\/revisions\/88217"}],"wp:attachment":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/media?parent=88165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}