Data Processing Addendum (DPA)
This Data Processing Agreement (“Agreement”) is entered into between CustomerNode LLC. (“CustomerNode,” “we,” “us,” etc.) and you, the user. This Agreement serves as a supplemental document to the Terms of Use agreement that governs your utilization of our services and website (the “Terms of Use”). By engaging with our Services, as defined in the Terms of Use, you, as the user, hereby acknowledge and explicitly agree to comply with the terms and conditions outlined in this Agreement, in addition to those established in the Terms of Use. This also encompasses adherence to CustomerNode’s Privacy Policy (the “Privacy Policy”), which may undergo amendments from time to time. This Data Processing Addendum is designed to be transparent and easily understandable. We encourage users to contact us if they have any questions or need further clarification on any aspect of this agreement.
This Agreement is specifically concerned with the processing, management, and safeguarding of personal data within the context of the Services provided by CustomerNode. In the event of any discrepancies between the provisions of this Agreement and the Terms of Use, the terms of this Agreement shall take precedence in matters pertaining to the processing of personal data. In all other cases, the Terms of Use shall prevail.
By using the Services and indicating your acceptance of the Terms of Use, and by explicitly consenting to this Agreement, you affirm that you have read, comprehended, and agreed to abide by the terms and conditions set forth herein, in conjunction with those outlined in the Terms of Use. It is important to note that individuals under the age of 18 are not authorized to act as data processors under this Agreement. If you are unable or unwilling to comply with and consent to the terms and conditions of this DPA, or if you lack the authority to bind CustomerNode or any other entity, please refrain from providing Personal Data to us.
WHEREAS
(A) CustomerNode, as stipulated in the Terms of Use, acts as a Data Controller, managing various digital platforms and services.
(B) The Data Controller wishes to engage you, the user, to process certain personal data in accordance with the Services provided and as described in the Terms of Use.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) This Agreement, in conjunction with the Terms of Use, sets forth the terms under which you will process personal data on behalf of CustomerNode.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
- 1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
- 1.1.2 “User” means the individual user who interacts with the platform provided by CustomerNode and may provide and process User Data within the platform.
- 1.1.3 “CustomerNode” means the entity that owns and operates digital platforms and services, acting as the platform provider and Data Controller.
- 1.1.4 “User Data” means any data provided by the User within the platform for processing and analysis, including personal data.
- 1.1.5 “Processor” means the User and other tenants of the platform engaged by CustomerNode to process User Data across the content base for analysis and performance improvement, including the training of AI/ML models.
- 1.1.6 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- 1.1.7 “EEA” means the European Economic Area;
- 1.1.8 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- 1.1.9 “GDPR” means EU General Data Protection Regulation 2016/679;
- 1.1.10 “Data Transfer” means:
  - 1.1.10.1 a transfer of User Data from the User to a Processor; or
  - 1.1.10.2 an onward transfer of User Data from a Processor to a Subprocessor, or between two establishments of a Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
- 1.1.11 “Services” means the Guided Customer Journey services that CustomerNode provides.
- 1.1.12 “Subprocessor” means any person appointed by or on behalf of Processor to process User Data on behalf of CustomerNode in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of User Data
2.1 Lawful Basis for Processing
CustomerNode processes personal data based on the explicit consent of users, which is obtained through a clear affirmative action. As part of the account creation process, users are required to physically click a 'Consent' button, explicitly indicating their agreement to our Terms of Service, Privacy Policy, and this Data Processing Addendum. This action signifies that the user’s consent is freely given, specific, informed, and unambiguous, in compliance with Article 6(1)(a) of the GDPR. Users maintain the right to withdraw their consent at any time, which can be done by removing their data or deleting their account. The process for withdrawal of consent is designed to be as straightforward and accessible as providing it. CustomerNode maintains detailed records of user consents, including date, time, and method of consent, ensuring traceability and accountability. These records are retained for as long as the user account is active and for a standard period thereafter, in compliance with applicable data protection laws.
2.2 Roles of the Parties
The Parties acknowledge and agree to the following roles with regard to the Processing of User Data:
- 2.2.1 The user (you) may provide and process User Data within the platform provided by CustomerNode.
- 2.2.2 CustomerNode acts as the platform provider (Data Controller) managing the digital platform and services where User Data is processed for analysis and performance improvement, including the training of AI/ML models.
- 2.2.3 Tenants of the platform, including the user (you), are Processors of User Data across the content base for the aforementioned purposes. All Parties, including the user (you), consent to this data processing.
- 2.2.4 Parties may withdraw their User Data by using the system's "Last Edit In, Last Standing approach" and clearing it or by requesting the tenant to remove all User Data. The user (you) can actively view their User Data through a provided dashboard.
2.3 User’s Processing of User Data
When Processing User Data within the platform, the user (you) agrees to:
- 2.3.1 Process User Data in accordance with the platform's Terms of Use and this Data Processing Agreement.
- 2.3.2 Use User Data for the purpose of analysis and performance improvement, including the training of AI/ML models, as described in this Agreement.
- 2.3.3 Comply with all applicable data protection laws and regulations.
- 2.3.4 Cooperate with CustomerNode in responding to requests from data subjects related to their User Data.
2.4 CustomerNode’s Processing of User Data
CustomerNode, as the platform provider (Data Controller), may Process User Data for the following purposes:
- 2.4.1 Processing User Data to provide and improve the platform's services, including AI/ML model training.
- 2.4.2 Complying with data protection laws and regulations in handling User Data.
- 2.4.3 Cooperating with the user (you) and tenants of the platform in managing and responding to User Data requests.
2.5 Details of the Processing
The specifics of User Data Processing, including the duration, nature, and purpose of the Processing, as well as the types of User Data and categories of data subjects, are further detailed in Annex 1 (Details of the Processing) to this Agreement.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the User Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant User Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CustomerNode shall provide and maintain appropriate technical and organizational security measures to safeguard User Data within the Services. These measures shall ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In cases where Processor needs to remove User Data from the system for external analysis, the Processor shall implement its own security measures to ensure the safe removal of User Data in accordance with the terms of this Agreement. The Processor shall ensure that such security measures are commensurate with the sensitivity of the User Data and the potential risks associated with its removal.
5. Subprocessing
Processor may appoint a Subprocessor to assist in the processing of User Data, provided that:
- The Subprocessor is in compliance with all applicable data protection laws and regulations.
- The Subprocessor agrees to adhere to the terms and obligations of this Agreement.
- Processor makes information about the Subprocessor's appointment available to the User upon request.
- Processor remains fully liable for the performance of the Subprocessor's obligations under this Agreement.
CustomerNode, as the platform provider, may act as a Subprocessor for any Processor utilizing the system.
Any appointment of a Subprocessor must not relieve the Processor of its responsibilities and liabilities under this Agreement.
6. Rights of Users
6.1 Users have the right to access, rectify, restrict processing, erase, and port their data, and to object to processing, in accordance with GDPR. Requests for exercising these rights can be made through the platform’s user interface or by contacting our Data Protection Officer. Users who object to the processing of their data are encouraged to refrain from using the Services. However, if a User still wishes to exercise their rights (to the extent available to them under applicable law) of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, its right not to be subject to automated individual decision-making, to opt-out of the sale of Personal Data, or the right not to be discriminated against for exercising any data privacy rights (“User Data Request”), they may do so through these methods.
6.2 Processor shall promptly notify the User if they receive a User Data Request. Taking into account the nature of the Processing, Processor shall assist the User by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of the User's obligation to respond to a User Data Request under Data Protection Laws. In case of any difficulties, Users may also notify CustomerNode for further assistance.
7. Personal Data Breach
7.1 Processor maintains security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify CustomerNode without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Data Processed on behalf of CustomerNode, including User Data transmitted, stored, or otherwise Processed by Processor or its Subprocessors of which Processor becomes aware (a “Data Incident”). Processor shall make reasonable efforts to identify the cause of such Data Incident and take those steps as Processor deems necessary and reasonable to remediate the cause of such a Data Incident to the extent the remediation is within Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by CustomerNode or CustomerNode's users. CustomerNode will not make, disclose, release, or publish any finding, admission of liability, communication, notice, press release, or report concerning any Data Incident which directly or indirectly identifies Processor (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Processor’s prior written approval, unless, and solely to the extent that, CustomerNode is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by law, CustomerNode shall provide Processor with reasonable prior written notice to provide Processor with the opportunity to object to such disclosure and in any case CustomerNode will limit the disclosure to the minimum scope required. In the event of a Data Incident, Processor and User shall promptly report the incident to [email protected]. CustomerNode provides access and edit logging for User Data within the Services. Processor shall regularly review these logs and check for any abnormal signs or activities that may indicate a Data Incident.
7.2 In the event of a personal data breach, CustomerNode shall notify the relevant supervisory authority no later than 72 hours after becoming aware of it, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, CustomerNode shall also communicate the breach to the affected data subjects without undue delay.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to CustomerNode with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which CustomerNode reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of User Data by, and taking into account the nature of the Processing and information available to, the Processor and its Subprocessors.
9. Deletion or Return of User Data
9.1 Subject to this section 9, after the User has made reasonable attempts to remove the data themselves, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of User Data (the “Cessation Date”), delete and procure the deletion of all copies of that User Data, in accordance with the rights of Users as defined in section 6.
10. Audit Rights
10.1 Demonstration of Compliance: Upon request, CustomerNode commits to making reasonable efforts to demonstrate compliance with the terms of this Agreement and applicable Data Protection Laws to the User. This may include providing relevant documentation, summaries of audit reports, or other evidence of compliance.
10.2 Third-Party Auditor: The User has the right to appoint an independent, qualified third-party auditor to conduct audits for the purpose of ensuring CustomerNode's compliance with this Agreement and Data Protection Laws. The scope, timing, and duration of such audits will be mutually agreed upon between CustomerNode and the User, subject to reasonable requirements and constraints to maintain business operations and data security.
10.3 Limitations on Audit Rights: Information and audit rights of the User, as stipulated in section 10.1 and 10.2, will arise only to the extent that this Agreement does not already provide the User with information and audit rights that meet the relevant requirements of Data Protection Law. CustomerNode reserves the right to limit or deny audit requests if they are deemed excessive, unduly disruptive to business operations, or if they compromise the security or privacy of the data of other users or third parties.
10.4 Confidentiality of Audit: All audits conducted under this section shall be subject to confidentiality obligations. The User or its appointed third-party auditor will not disclose any confidential information obtained during the audit process without the prior written consent of CustomerNode.
10.5 Costs of Audit: Unless otherwise agreed, the User shall bear the costs associated with any audits carried out under this section, including any costs incurred by CustomerNode in facilitating the audit.
11. Data Transfer
11.1 Application: This Clause applies when User Data is transferred from within the European Economic Area (EEA) to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the European Union.
11.2 Transfer Mechanism: To ensure the protection of User Data transferred outside the EEA, the Parties shall rely on Standard Contractual Clauses (SCCs) approved by the European Commission or other suitable transfer mechanisms as permitted under the GDPR.
11.3 Binding Nature of SCCs: The SCCs form a part of this Agreement and bind both parties to ensure the protection of User Data in compliance with the GDPR and other relevant Data Protection Laws.
11.4 Obligations of the Parties:
- CustomerNode (Data Exporter): Shall ensure that User Data is transferred in compliance with the GDPR and the terms of this Agreement.
- User (Data Importer): Shall process the User Data only for the specific purposes set out in this Agreement, adhering strictly to the instructions of CustomerNode.
11.5 Data Subjects' Rights: The Data Importer agrees to respect the rights of Data Subjects as per the GDPR, including the rights to access, rectification, erasure, and data portability.
11.6 Liability and Redress: The Parties acknowledge that the Data Importer is liable for any breaches of the SCCs, and Data Subjects shall have the right to seek legal redress for such breaches as per the GDPR.
11.7 Law and Jurisdiction: The SCCs and any disputes arising from them shall be governed by the law of the Member State in which CustomerNode is established, and the competent courts of such Member State shall have exclusive jurisdiction.
11.8 Review and Amendment: The Parties agree to review the effectiveness of the SCCs periodically and amend them as necessary to ensure ongoing compliance with the GDPR and other relevant data protection laws.
11.9 Termination: In case of any conflict between the provisions of this Clause and other parts of this Agreement, the provisions of this Clause shall prevail. This Clause shall remain in effect for as long as User Data is being transferred outside the EEA under this Agreement.
12. General Terms
12.1 Confidentiality
Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Regular Review and Updates
This DPA shall be reviewed and updated regularly to ensure ongoing compliance with current data protection laws and best practices. Amendments to this DPA will be communicated to users in a timely and transparent manner.
12.3 Notices
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.
13. Governing Law and Exclusive Jurisdiction
This Agreement and your use of the Site are governed by the laws of Delaware, without regard to its choice of law provisions. You hereby consent to the exclusive jurisdiction of the competent courts of Delaware, United States of America.
14. Contact Us
If you have questions or concerns about this DPA or your personal information's handling, please contact us at [email protected]. Our team will communicate your inquiry to our Data Protection Officer (DPO), Michael Cantow. We are committed to promptly addressing your concerns.
Effective Date: 6/23/2023
Last Updated: 11/20/2023
Annex 1 - Details of Processing
1. Configurable Nature of Data Collection:
- Flexibility in Data Collection: CustomerNode's platform is designed to allow Processors to configure the types of User Data collected. This flexibility enables the collection of diverse data types, tailored to the specific needs and objectives of each Processor.
- User Acknowledgment: Users acknowledge that the range of data collected can vary based on the Processor’s configuration. This may include standard data types, such as contact details and user interactions, as well as other categories of data defined by the Processor.
2. Lawfulness and Transparency of Data Collection:
- Consent Mechanisms: The collection of User Data, regardless of type, is grounded in explicit user consent. Users consent to this data collection by actively engaging with the platform, including through clear affirmative actions like clicking a ‘Consent’ button.
- Transparency: CustomerNode ensures transparency in data collection. The platform provides clear information to users about the types of data that may be collected based on Processor configuration.
- User Control: Users are informed of their rights to access, rectify, restrict, or delete their data at any time, providing them with control over their personal data.
3. Compliance with GDPR and Privacy Regulations:
- Adherence to GDPR: All data collection and processing activities adhere strictly to the General Data Protection Regulation (GDPR) and other relevant privacy regulations.
- Security Measures: Robust technical and organizational measures are implemented to ensure the security and confidentiality of the processed data, safeguarding it against unauthorized access and data breaches.
- Data Protection Impact Assessments (DPIAs): Where necessary, DPIAs are conducted to assess and mitigate risks associated with the processing of various types of User Data.
4. Specifics of Data Processing:
- Nature and Purpose of Processing: The processing activities are primarily for providing service functionality, customer support, data analysis, training AI/ML models, and improving services.
- Duration of Processing: User Data is processed for the duration of the user’s service agreement with CustomerNode, in line with data retention policies.
- Types of Personal Data: This includes, but is not limited to, contact details, user interactions, historical edits, views of content, and any additional data types defined by the Processor.
- Categories of Data Subjects: Data subjects may include employees of customers, clients of customers, and other individuals interacting with the platform.