Data Protection Addendum
This Data Processing Addendum (this "DPA") forms part of the services agreement (the “Agreement”) between Opensense, Inc. and its affiliates ("Opensense") and the entity entering the Agreement as a customer (the “Customer”) of Opensense’s services ("Services"). All capitalized terms not defined or referenced in this DPA shall have the meanings set forth in the Agreement.
1. Definitions. For the purposes of this DPA:
- 1.1. “Personal Information” means all Customer data and any authorized user’s data that, alone or in combination with other information, can be used to identify an individual person.
- 1.2. “CCPA” means the California Consumer Privacy Act of 2018, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect, together with any implementing regulations;
- 1.3. “Privacy Laws” means all local, state, national and/or foreign law, treaties, and/or regulations, including without limitation the laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the processing of Personal Information under the Agreement and any laws which implement any such laws, in each case, to the extent in force, and as updated, amended or replaced from time to time;
- 1.4. The terms “Business”, “Service Provider”, “Third Party”, “Consumer”, “Sell” and “Business Purposes” shall have the meanings given to them in the CCPA.
2. Purpose.
- 2.1. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Opensense processes Personal Information falling within the scope of Privacy Laws on behalf of Customer in the course of providing the Opensense services (“Opensense Services”). Schedule 1 (Details of the Processing) of this DPA further sets out the duration, the type of Personal Information and the categories of data subjects.
- 2.2. International Provisions
  - 2.2.1. Jurisdiction specific terms. If applicable, the parties shall comply with their obligations as set out in Schedule 2 and Schedule 3 of this DPA in addition to the terms of this DPA.
  - 2.2.2. Cross-border data transfer mechanism. Wherever Personal Information is transferred outside its country of origin, Opensense will ensure such transfers are made in compliance with the requirements of Privacy Laws. Opensense shall comply with and satisfy its obligations set out in Schedule 2 of this DPA when processing Personal Information protected by applicable European Privacy Laws.
3. Compliance with Privacy Laws.
- Opensense represents and warrants to Customer that its collection, access, use, storage, processing, disposal, and disclosure of Personal Information does and shall at all times comply with all Privacy Laws.
4. Roles and Responsibilities.
- 4.1. As between Opensense and Customer, Customer is the Business for purposes of the CCPA with respect to the Personal Information that is provided to Opensense for processing under the Agreement and Opensense shall process the Personal Information as a Service Provider on behalf of Customer.
- 4.2. Customer shall be responsible for:
  - 4.2.1. Complying with all applicable laws relating to privacy and data protection in respect of its use of the Opensense Services, its processing of the Personal Information, and any processing instructions it issues to Opensense;
  - 4.2.2. Ensuring it has the right to transfer, or provide access to, the Personal Information to Opensense for processing pursuant to the Agreement and this DPA; and
  - 4.2.3. Ensuring that it shall not disclose (nor permit any data subject to disclose) any Sensitive Personal Information to Opensense for processing.
- 4.3. Opensense shall process the Personal Information only for the purposes described in the Agreement and in accordance with the lawful, documented instructions of Customer (including the instructions of any users accessing the Opensense Services on Customer's behalf) as set out in the Agreement, this DPA or otherwise in writing. Opensense shall not:
  - 4.3.1. sell the Personal Information;
  - 4.3.2. retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services;
  - 4.3.3. retain, use, or disclose the Personal Information for a commercial purpose other than providing the Services;
  - 4.3.4. retain, use, or disclose the information outside of the direct business relationship between Opensense and the Customer. Opensense certifies that it understands these restrictions and will comply with them.
5. Security.
- 5.1. Opensense shall implement appropriate technical and organizational measures to protect the Personal Information from any unauthorized access to or use, disclosure, alteration, or destruction of Personal Information that materially compromises the privacy or security of Personal Information (a “Security Incident”).
- 5.2. Opensense shall ensure that any personnel that it authorizes to process the Personal Information shall be subject to a duty of confidentiality.
- 5.3. Upon becoming aware of a Security Incident, Opensense shall notify Customer without undue delay but no later than seventy-two (72) hours and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under applicable laws. Where possible, the notice to Customer shall describe the nature of the incident, the number of individuals impacted, the type of records impacted, and any other information that may be relevant, as deemed by Opensense. Following Opensense’s notification to Customer of a Security Incident, the parties shall coordinate with each other to investigate the Security Incident.
- 5.4. The parties agree sub-processors (“Sub-processors”) may process Personal Information on Opensense's behalf provided that:
  - 5.4.1. Opensense shall maintain an up to date list of Sub-processors which it shall update with details of any change in Sub-processors at least thirty (30) days prior to any such change and shall notify Customer in advance of such change;
  - 5.4.2. Opensense imposes on such Sub-processors data protection terms that require it to protect the Personal Information to the standard required by Privacy Laws;
  - 5.4.3. Opensense remains liable for any breach of this DPA caused by a Sub-processor; and
  - 5.4.4. All such Sub-processors shall be Service Providers for purposes of the CCPA.
- 5.5. Customer may object prior to Opensense's appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, then Opensense, at its discretion, will either not appoint or replace the Sub-processor or will permit Customer to suspend or terminate the affected Opensense Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
6. Cooperation and Audits.
- 6.1. Opensense shall provide reasonable assistance to Customer, insofar as this is possible and at Customer's expense, to enable Customer to respond to requests from consumers seeking to exercise their rights under the CCPA. In the event such request is made directly to Opensense, Opensense shall promptly inform Customer of the same. Customer authorizes Opensense to respond to requests from data subjects or Consumers seeking to exercise their rights under the CCPA in order to clarify requests.
- 6.2. If requested and upon reasonable prior written notice from Customer, Opensense shall provide commercially reasonable assistance to Customer in completing any privacy impact assessments and/or data protection impact assessment, and any prior consultations with government authorities that Customer considers necessary to comply with applicable Privacy Laws. Customer shall be responsible for reasonable costs and expenses incurred by Opensense related to any such assistance. Upon Customer request, Opensense shall provide Customer information reasonably necessary to demonstrate compliance with applicable Privacy Laws.
- 6.3. Upon Customer’s reasonable request, and no more than once per calendar year, Opensense will make available for Customer’s inspection and audit, copies of certifications, records or reports demonstrating Opensense’s compliance with this DPA. Opensense will be assessed against industry security frameworks or standards including, but not limited to, SOC 2 Type II standards. Upon request, Opensense shall provide a summary copy of its most recent certified audit report to Customer, which reports shall be subject to Opensense’s confidentiality terms under the Agreement.
7. Return/Deletion of Data.
- Opensense retains the Personal Information for up to seven (7) years after the termination of any Agreement for the purposes of future account reactivation. Any confidentiality obligations and use restrictions in the Agreement will continue to apply to such Personal Information for the duration of retention. Notwithstanding the foregoing, upon request by Customer at the termination of the Agreement, Opensense shall delete or return to Customer the Personal Information in Opensense's possession, except to the extent such data may be required to be retained by Opensense under applicable laws.
8. Liability.
- Each party’s liability to the other taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations on liability set forth in the Agreement. Opensense’s total liability for all claims from the Customer arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement.
9. Miscellaneous.
- 9.1. Except as amended by this DPA, the Agreement will remain in full force and effect.
- 9.2. Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement.
- 9.3. This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligations of the parties vis-à-vis each other, if there is a conflict between this DPA and the Agreement, this DPA will control.
- 9.4. This DPA shall be interpreted, construed and enforced in all respects as is set forth in the Agreement. Each party irrevocably consents and submits to the exclusive jurisdiction of the courts as is set forth in the Agreement, in connection with any action to enforce the provisions of this DPA, to recover damages or other relief for breach or default under this DPA, or otherwise arising under or by reason of this DPA.
- 9.5. Customer agrees that Opensense may modify this DPA at any time provided. If Opensense makes any material modifications to this DPA, Opensense shall provide Customer with at least ten (10) days' notice (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (i) sending an email to the email address of the designated account owner in Customer’s Opensense Services account; or (ii) alerting Customer via the user interface. If Customer reasonably objects to any such change, Customer may terminate the Agreement by giving written notice to Opensense within ten (10) days of notice from Opensense of the change.
SCHEDULE 2: EU AND UK JURISDICTION SPECIFIC TERMS
If the UK Data Protection Laws apply, this Schedule 2 will apply in addition to the terms of the DPA.
1. Scope and Purpose.
To the extent that Opensense processes Personal Information protected by UK Data Protection Law, then the terms set out in this Schedule 2 to the DPA will apply in addition to the terms of the DPA.
2. Definitions.
In this Schedule 2 to the DPA:
- 2.1. “Controller”, “Data Subject”, “Processing” and “Processor” have the meaning given to them in the GDPR.
- 2.2. “European Data Protection Law” means data protection laws applicable in Europe, including (i) General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), (ii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iii) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
- 2.3. “EU Personal Data” means any Personal Data processed by Opensense in connection with the Services, including its affiliates and the processing of which is subject to European Data Protection Law.
- 2.4. “UK Data Protection Law” includes the UK GDPR (as defined in section 3 of the Data Protection Act 2018) and the Data Protection Act 2018.
- 2.5. “SCCs” means the EU Commission’s Standard Contractual Clauses (as annexed to EU Commission Decision 2021/914/EU of 4 June 2021).
- 2.6. Updated references and deletions:
  - 2.6.1. “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”.
  - 2.6.2. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws; references to Regulation (EU) 2018/1725 are removed.
  - 2.6.3. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”.
  - 2.6.4. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
  - 2.6.5. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified above where UK Data Protection Laws apply to the processing when making that transfer.”;
  - 2.6.6. Other references to the “Clauses” means this Schedule, incorporating the Addendum EU SCCs.
3. Parties’ Rights and Obligations.
Opensense will process Personal Information in accordance with the requirements applicable under UK Data Protection Laws:
- 3.1. It must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
- 3.2. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
- 3.4. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
- 3.5. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), this Schedule overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override this Schedule.
- 3.6. Where this Schedule incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Schedule impacts those Addendum EU SCCs and which are amended to the extent necessary so that together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide appropriate safeguards for those data transfers.
- 3.7. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
4. Cross-border data transfer mechanism.
Opensense shall not transfer any EU Personal Data to any country or recipient not recognized as providing an adequate level of protection for EU Personal Data (within the meaning of applicable European Data Protection Law) unless Opensense first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Law or UK Data Protection Law.
- 4.1. EU transfer. If EU Personal Data is being transferred to a recipient outside of the European Economic Area or Switzerland, then such transfer will only take place if (i) the recipient is recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR); or (ii) the transfer is covered by the SCCs, which shall be entered into and incorporated into this DPA by this reference and completed as follows:
  - 4.1.1. Module 2 (Controller to Processor) will apply where Opensense is a Data Controller and Customer is a Data Processor;
  - 4.1.2. Clause 7, the optional docking clause will not apply;
  - 4.1.3. Clause 9, option 2 will apply as per the terms set out in Schedule 5 (Sub-processors) of this DPA;
  - 4.1.4. Clause 11, the optional language will not apply;
  - 4.1.5. Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Agreement.
  - 4.1.6. Clause 17, option 1 will apply and will be governed by Irish law;
  - 4.1.7. Clause 18(b) disputes shall be (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  - 4.1.8. Annex 1 of the EU SCCs shall be deemed completed with the information set out in this DPA;
  - 4.1.9. Annex 2 of the EU SCCs shall be deemed completed with the information set out in Schedule 4 to this DPA.
Opensense shall comply with its requirements under the SCCs. Nothing in this section 4(a) is intended to conflict with either party’s rights and responsibilities under the SCCs and, in the event of any such conflict, the SCCs shall prevail.
- 4.2. UK transfer. If Personal Data is being transferred to a recipient outside of the United Kingdom, and to the extent such Personal Data is subject to applicable UK Data Protection Laws, this Schedule and Addendum EU SCCs operate for data transfers made, to the extent that UK Data Protection Laws apply to the processing when making that data transfer, and provide Appropriate Safeguards for those data transfers:
  - 4.2.1. Appendix I and II shall be deemed completed with the relevant information set out in Schedule 1 and 2 to this DPA;
  - 4.2.2. The optional illustrative indemnification clause will not apply;
  - 4.2.3. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
To the extent that the Parties are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to this Schedule 2, Addendum EU SCCs, and other terms in this DPA will apply as noted.
SCHEDULE 3: CCPA/CPRA SPECIFIC TERMS
If the CCPA applies, this Schedule 3 will apply in addition to the terms of the DPA.
1. Scope and purpose.
This Schedule 3 to the DPA applies solely to the processing of Personal Information (as defined under CCPA and CPRA) that Opensense processes in the course of providing the Services under the Agreement (referred to hereafter as “California Personal Information”). The parties acknowledge and agree that Opensense is only a service provider for the purposes of the CCPA.
2. Definitions.
In this Schedule 3, capitalized terms shall have the same meaning as defined in the CCPA, unless otherwise noted. Both Parties acknowledge and agree that Customer is a Business and Opensense is the Service Provider for the purposes of the CCPA. Additionally, for the purposes of interpreting this DPA with respect to California Personal Information, the term 'Controller' is replaced with Business and Processor is replaced with Service Provider wherever those terms appear.
3. Processing restrictions.
- 3.1. California Personal Information is processed and retained according to categories of data listed in Schedule 1 and retained as specified in this DPA.
- 3.2. Opensense shall not: (i) sell California Personal Information; (ii) retain, use, or disclose California Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by the CCPA; or (iii) retain, use, or disclose California Personal Information outside of the direct business relationship with Customer.
- 3.3. Opensense certifies, represents, and warrants that it understands the rules, restrictions, requirements, and definitions of the CCPA and as set forth in this DPA. Opensense shall notify Customer if it determines that it cannot meet its obligations under the CCPA.
- 3.4. Opensense shall not collect, retain, use, share or disclose any California Personal Information except as necessary to perform the Services solely pursuant to the Agreement.
- 3.5. Opensense further agrees to take industry-standard steps to maintain the confidentiality of and protect California Personal Information. Opensense shall comply with all applicable laws, regulations and rules including, but not limited to, privacy protections under the CCPA, in its performance under the Agreement.
- 3.6. Opensense shall implement appropriate technical and organizational measures to ensure compliance with its obligation to respond to rights requests as described in the CPRA. All requests to correct, remove, or update Personal Information must be made by the Customer to privacy@opensense.com.
- 3.7. The Parties agree that Customer does not sell California Personal Information to Opensense because, as a Service Provider, Opensense may only use California Personal Information for the purposes of providing the Services to Customer.
SCHEDULE 4: SECURITY MEASURES
Industry-standard security practices meeting or exceeding standards noted in this DPA including Section 5, on Opensense Website (https://opensense.com/security), and as set forth in its SOC 2 Type II attestation for security, availability, and process integrity measures, including submission of an annual compliance report (and supporting summary materials when reasonably requested) under NDA.