Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is an integral part of Fireberry's Terms of Service available at www.fireberry.com/terms-of-service, or any other written or electronic agreement governing the use of Fireberry's Service(s), Sites and Additional Services (as defined in Fireberry's Terms of Service and/or in any applicable agreement) ("Agreement") between Fireberry Customer (collectively referred to herein as: "you", "your", "Customer") (as defined in the Agreement), and Fireberry LTD ("us", "we", "Fireberry", "our"). This DPA shall govern all aspects of Personal Data processed by Fireberry, on behalf of the Customer, and shall reflect both parties' agreement of such Personal Data processing, as described herein. In this DPA both parties shall be referred to as "Parties" and individually as "Party".

In any event of conflict between this DPA and any other agreement between you and Fireberry, this DPA shall prevail over the conflicting provisions and solely within the scope of Personal Data processed by Fireberry on behalf of Customer.

When using Fireberry Service(s), Sites and/or Additional Services, Fireberry Customer fully agrees to accept this DPA and Customer shall comply with this DPA to the fullest extent. You hereby assert and confirm that by using Fireberry Service(s), Sites and/or Additional Services, you have the legal authority to bind your employer, or any other legal entity you represent (i.e. Fireberry Customer), to this DPA.
If you cannot or will not comply with this DPA, or if you do not have the legal authority to bind your employer, or any other entity you represent, to this DPA, please do not provide Fireberry with any Personal Data and do not upload, submit, or transmit Personal Data to the Fireberry Service and/or Sites.

1. Definitions

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data. 
"Customer Data" means any images, reports, personal information, data, files, attachments, or any other content transmitted, submitted, or uploaded by Customer and/or by Customer's approved users through the Fireberry Service(s) and/or Sites.
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation).
"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider”, as that term is defined by the CCPA.
"Data Protection Laws and Regulations" means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Israel, Canada, Switzerland, the United Kingdom and the United States of America, as applicable to the Processing of Personal Data under the Agreement, including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
"Processing" or "Process" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under control of the subject entity. "Control" for purposes of this definition, means direct or indirect ownership of more than 50% of the voting interests of the subject entity.
"Authorized Affiliate" means any of Customer's Affiliate(s) which is explicitly permitted to use Service pursuant to the Agreement between Customer and Fireberry, but has not signed its own agreement with Fireberry and is not a "Customer" as defined under the Agreement.
"Sub-Processor" means any third-party Processor that Processes Personal Data under the instruction of Fireberry and as a result of using Fireberry Service(s) and/or Sites.
"Europe" means the European Union, the European Economic Area, United Kingdom, and Switzerland.
"Data Subject" means the identified or identifiable person to whom the Personal Data relates.
"Personal Data" means any information relating to, capable of being associated with, or that could reasonably be linked to or with, an identified or identifiable person, Consumer and/or legal entity where information is being Processed by Fireberry on behalf of Customer, under this DPA and the Agreement between Fireberry and Customer.
"Sensitive Data" means any information that is protected against unwarranted disclosure, including but not limited to Customer's: Social Security Number; passport number; Driver's License number; credit or debit card number; financial information, including bank account numbers and/or passwords; employment information; genetic, biometric, and/or protected health (HIPAA) information; or other private/confidential data, as specifically determined by any applicable legislation/regulation, including, but not limited to, GDPR and Regulation 2016/679, Article 9(1) of the GDPR, or any other similar legislation/regulation. 
"Service(s)" means any service(s) provided to Customer by Fireberry, under the Agreement, including, but not limited to, any product, software, mobile application, cloud-based product, and/or any SaaS solution owned and/or developed by Fireberry.

2. Processing of Personal Data

2.1 Roles of the Parties

Regarding the Processing of Personal Data, in accordance with this DPA and the Agreement, the Parties assert, acknowledge, and confirm that: (A) Customer is the Controller of Personal Data; (B) Fireberry is the Processor of such Personal Data.

2.2 Customer's Processing of Personal Data

Customer shall, in use of Fireberry's Sites and/or Service(s), transmit, upload, submit and/or transfer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer shall establish and maintain proper legal bases to collect, Process and transfer to the Processor any Personal Data. Customer shall obtain any necessary applicable requirements to authorize Processing of Personal Data by the Processor, and for the Processor's Processing activities on Customers' behalf, and Customer shall provide notice to the Data Subjects of the use of Fireberry as Processor.

2.3 Fireberry (Processor's) Processing of Personal Data

Processor shall treat Personal Data as Confidential Information and shall process Personal Data on behalf of Customer, in accordance with the Agreement, primarily for the following purposes: (A) Processing to comply with Customer's reasonable and documented instructions, as long as such instructions are in accordance with the Agreement and this DPA; (B) Processing for Customer as part of its provision of the Service(s); (C) Processing in accordance with the Agreement and this DPA; (D) Processing as required under the laws applicable to Processor and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Processor shall inform Customer of any such legal requirement before Processing, unless such law or regulation prohibits the sharing of this information on important grounds of public interest; (E) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and Regulations.

2.4 Processor's Right to Terminate the Service(s) Under the Agreement

Processor may terminate the Service(s) if Customer's instructions regarding Personal Data Processing infringe applicable Data Protection Laws and Regulations. To the extent that Processor cannot comply with Customer's instructions, Processor shall inform Customer about the issue preventing Processor from complying with Customer's instructions and in this event, Processor may: (A) terminate the Service(s) under the Agreement, or (B) temporarily cease all Processing of the affected Personal Data and/or suspend Customer's access to the Service(s) until Customer and Processor find a mutual resolution.

2.5 Details of Processing

The Processor Processes Personal Data to perform Service(s) pursuant to the Agreement. The duration of the Processing, the types of Personal Data processed, the nature and purpose of the Processing, and categories of Data Subjects that are Processed under this DPA are further specified in Schedule 1 (Description of Processing) of this DPA.

2.6 Sensitive Data

The Parties acknowledge and agree that the Service(s) are not intended for the Processing of Sensitive Data. If Customer wishes to use Processor's Service(s) to Process Sensitive Data, it must obtain the Processor's explicit prior written consent and enter into any additional agreement(s), as may be required by Fireberry.

2.7 Processor Obligations

Processor shall not have any rights and/or benefits regarding Personal Information Processed on Customer's behalf and Processor may use and disclose Personal Information solely for the purposes for which such Personal Information was provided, as stipulated in the Agreement and this DPA.

3. Rights of Data Subjects

Fireberry (Processor) shall, to the extent legally permitted by any applicable Data Protection Laws and Regulations, promptly notify Customer of any dispute, complaint or request we have received from a Data Subject, such as: (A) Data Subject's right of access; (B) Data Subject's right to restriction of Processing; (C) Data Subject's right to rectification; (D) Data Subject's right to erasure; (E) Data Subject's right to objection to the Processing; (F) Data Subject's right to data portability; (G) Data Subject's right not to be subject to an automated individual decision making; (H) Data Subject's right to "opt-out" of the sale of Personal Information (herein collectively or separately referred to as "Data Subject Request"). Taking into account the nature of the Processing, Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to a Data Subject's dispute, complaint or request under any applicable Data Protection Laws and Regulations. In addition, to the extent Customer, in use of our Service(s), does not have the ability to address a Data Subject's Request, Processor shall, upon Customer's request, make all reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Processor is legally permitted to do so, and the response to such Data Subject Request is required under any applicable Data Protection Laws and Regulations. Customer shall be responsible for any costs arising from Processor's provision of such assistance.

4. Confidentiality

Processor shall restrict its employees engaged in the Processing of Personal Data to only those employees necessary to successfully provide Fireberry Service(s). Processor will ensure that any employee who is engaging in the Processing of Personal Data will execute a written agreement requiring them to maintain all such information in strict confidence and use said information only to facilitate the performance of the employees' services for Fireberry, in connection with the Processing of Personal Data, our Service(s) and this DPA.

5. Sub-Processors

5.1 Appointment of Sub-Processors

Customer acknowledges and agrees that: (A) Processor's Affiliates may be engaged as Sub-Processors; (B) Processor and Processor's Affiliates respectively may engage third-party Sub-Processors in connection with the provision of our Service(s). Processor or Processor's Affiliate(s) will enter into a written agreement with each Sub-Processor containing, in substance, data protection obligations in line with those in the Agreement between Processor and Customer to the extent applicable to the nature of the Service(s) provided by the Sub-Processor.

5.2 List of Current Sub-Processors and Notification of New Sub-Processors

Processor shall make a list of current Sub-Processors used by Processor to process Personal Data which shall be available to the Customer at www.fireberry.com/sub-processors. Such list shall include the identities of those Sub-Processors and the entity's country ("Current Sub-Processor List"). By using our Service(s), Customer hereby acknowledges and agrees to our Current Sub-Processor List, as well as to the Sub-Processors' locations and processing activities as they pertain to Customer's Personal Data. Customer may subscribe to notifications of any changes to our Current Sub-Processor List through a mechanism within the List.

5.3 Objection Right to an Existing Sub-Processor

Customer may reasonably object to Processor's use of an existing Sub-Processor by providing an objection in writing to support@fireberry.com within 7 business days following Customer's first use of Processor's Service(s). In the event Customer reasonably objects to an existing Sub-Processor, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect to those elements of the Service(s) that cannot be provided by the Processor without the use of the objected-to Sub-Processor, by providing written notice to Processor. Such notice of termination shall be deemed valid, provided that all outstanding amounts due under the Agreement are duly paid to Processor. In such event, Customer shall have no further claims against Processor for any past use of approved Sub-Processors and Customer shall not be entitled to receive any refund(s) of any kind.

5.4 Objection Right to New Sub-Processors

Customer may object to Processor's use of a new Sub-Processor by notifying Processor promptly in writing at support@fireberry.com within (7) days of receipt of Processor's notice, in accordance with the mechanism set out in sections 5.2-5.3 herein. If Customer objects to a new Sub-Processor, as delineated in the preceding sentence, Processor shall use reasonable efforts to make available to Customer a change in the Service(s), or recommend a commercially reasonable change to Customer's configuration or use of the Service(s), to avoid Processing of Personal Data by the objected-to new Sub-Processor, without unreasonably burdening Customer. If Processor is unable to make available such change within (60) days, Customer may, as a sole remedy, terminate the Agreement and this DPA with respect to those Service(s) that cannot be provided by Processor without the use of the objected-to new Sub-Processor, by providing written notice to the Processor. Be aware that any outstanding amount owed under the Agreement before the termination date, with respect to such Processing at issue, shall be duly paid to Processor, and Customer shall have no claims against Processor in such event.

5.5 Sub-Processor Agreements

Processor or Processor's Affiliate(s) engaged in Processing Customer Data, on behalf of Processor, shall enter into a written agreement with each Sub-Processor, which shall contain appropriate safeguards to protect Customer Data. Where a Sub-Processor fails to fulfil its data protection obligations concerning Processing Customer Data, unless otherwise stated in the Agreement, Processor shall remain responsible for the performance of the Sub-Processor's obligations under the Agreement with Processor.

6. Security

We may retain your Personal Data for the necessary period consistent with the purpose for which we first collected and processed your Personal Data, and/or when we have a legal and/or contractual obligation to do so. If we are not required to retain your Personal Data based on a legal and/or contractual obligation, Fireberry will decide the appropriate period to retain your Personal Data based primarily upon the following parameters: (A) Data sensitivity; (B) Data importance; (C) potential risk of harm if the Data is disclosed to an unauthorized third party; (D) size of the Data.
At the end of the retention period, Fireberry will delete your Personal Data and if we are unable to delete all or part of your Personal Data for technical reasons, or for any other reason, we shall employ all necessary security measures to prevent use of your Personal Data.

6.1 Controls for the Protection of Customer Data

Processor shall maintain industry-standard technical and organizational measures for protection of Customer Data (including protection against unauthorized or unlawful Processing of Customer Data and against accidental or unlawful destruction, alteration, loss or damage, unauthorized disclosure of, or access to, Customer Data), as well as maintain confidentiality and integrity of Customer Data, as set forth in the Security page. Processor shall monitor compliance with this DPA and, at Processor's discretion, reasonably assist Customer in ensuring compliance with obligations pursuant to applicable articles of the GDPR or any applicable Law or regulation ("Compliance Process"). Be aware that unless specifically written otherwise in this DPA and/or in the Agreement, Customer shall bear all costs associated with the Compliance Process.

6.2 Audits and Inspections

If not written otherwise in the Agreement, Processor shall maintain an audit process to help ensure compliance with the obligations set forth in this DPA and shall make available to Customer, within 30 days after Customer's reasonable written request, information necessary to demonstrate compliance with this DPA. Where Customer requests to inspect Processor's audit process and/or requests to implement an audit, Processor shall fulfill such request, provided that: (A) such request is submitted in good faith and in proportion to the nature and complexity of the request; (B) Customer is not Processor's industry competitor and there is no conflict of interest between Processor and Customer's request; (C) such inspection and/or audit request is required by applicable Data Protection Laws and Regulations or by Customer's competent supervisory authority; (D) such request is reasonable and shall not overburden Processor. Where Customer received documents and/or records from Processor following Customer's inspection and/or audit request, Customer shall return, at Processor's request, all records or documentation in Customer's possession or control that are provided by Processor in context of the audit and/or inspection request.

6.3 Audit and Inspection Confidentiality

All records, information, materials, and/or reports provided by Processor, and/or by any third-party on behalf of Processor, to Customer, following Customer's audit and/or inspection request, shall be considered Confidential Information and shall not be used for any other purpose or disclosed to any third party without Processor's prior written consent.

6.4 Third-Party Auditor

Customer shall be entitled to use a third-party auditor, which is not Processor's industry competitor, provided that: (A) the third-party auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement in order to protect Processor's proprietary information and; (B) the costs of the third-party auditor shall be at Customer's expense.

6.5 Disruption Minimization

Customer and any of Customer's mandated auditors shall ensure that there is no injury, damage or disruption to Processor's equipment, employees, premises, and/or business while conducting an inspection and/or audit.

7. Customer Data Incident Management and Notification

Processor maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of any unlawful destruction, alteration, loss, unauthorized disclosure of, or access to, Customer Data that is Processed by Processor on behalf of Customer ("Data Incident"). Processor shall make reasonable efforts to identify the Data Incident and to take all necessary steps to rectify, remediate and/or mitigate the effects of any such Data Incident to the extent that remediation and/or mitigation is within Processor's reasonable control. Processor shall not be liable, nor will have any obligation to rectify, mitigate and/or remediate any Data Incident that is caused by Customer, Customer's Authorized Users, or any individual or entity using Processor's Service(s) on Customer's behalf. Customer shall not make, release, publish, disclose, give notice, report, or release details by any other method, concerning any Data Incident that directly or indirectly identifies Processor, including, to the extent permitted by any applicable Law, any legal proceedings, nor provide any notification to regulatory and/or supervisory authorities or affected individuals without Processor's prior consent. In such event, Customer shall provide Processor with reasonable prior written notice and Processor shall have the right to object to any such disclosure.

8. Return and Deletion of Customer Data

Following termination of the Agreement, Processor shall return to Customer all Customer Data Processed on behalf of Customer in an accessible format and shall, thereafter, delete existing copies of Customer's Customer Data unless Data Protection Laws and Regulations require otherwise. Processor may retain a copy of Customer's Personal Data solely to the extent permitted by any applicable Data Protection Laws and Regulations.

9. Cross-Border Data Transfer

International data transfers from EU Member States, the EEA, the United Kingdom, and Switzerland, to countries that offer an adequate level of data protection, pursuant to the adequacy decision, as published by relevant data protection authorities in each territory or state (as applicable), shall be allowed without further safeguarding measures, while data transfers to territories or states lacking adequate data protection shall be subject to additional safeguard measures and/or an alternative secure data transfer mechanism.

10. Authorized Affiliates

10.1 Contractual Relationship

The Parties acknowledge and agree that by executing the Agreement, Customer enters into this DPA on Customer's own behalf and, as applicable, in the name and on behalf of Customer's Authorized Affiliates. Where Customer enters into this DPA on behalf of Customer's Authorized Affiliates, each Authorized Affiliate must agree to be bound by the obligations set forth under this DPA and, to the extent applicable, under the Agreement. Authorized Affiliates' access to, and use of, Processor's Service(s) and content, must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement and this DPA, by an Authorized Affiliate, shall be deemed a violation by Customer.

10.2 Communication

Customer that is the contracting Party to the Agreement shall remain responsible for coordinating all communications with Processor under this DPA and be entitled to make and receive any communications in relation to this DPA on behalf of any Authorized Affiliates.

11. General Provisions

11.1 Changes and Updates

Processor reserves the right to change or modify this DPA as required by corresponding changes and/or modifications to any applicable Data Protection Laws and Regulations. Whenever Processor changes or modifies this DPA, Processor shall update the "last revision effective date" at the bottom of this DPA and shall notify Customer by sending an email and/or by notification via the Service(s). Processor may also notify customers by posting a message on Processor's Sites. In the event Customer objects to any such changes and/or modifications to the DPA, Customer must give Processor written notice within 14 days after publication of the revised DPA.

11.2 Translated Versions

This DPA was written in English and for convenience, we may translate this DPA into other languages. If there is a conflict between a translated version (non-English) and this English version of the DPA, the provisions of the English version shall prevail.