MatrixFlows Terms

Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated by reference into ServiceTarget PBC’s Master Subscription Agreement or other agreement governing the use of ServiceTarget services (“Agreement”) entered by and between you, the Subscriber (as defined in the Agreement) (collectively, “you”, “your”, “Subscriber”), and ServiceTarget PBC (“ServiceTarget”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by ServiceTarget solely on behalf of the Subscriber. Both parties shall be referred to as the “Parties” and each, a “Party”.

Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. 

By using the Services, Subscriber accepts this DPA and you represent and warrant that you have full authority to bind the Subscriber to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Subscriber or any other entity, please do not provide Personal Data to us.

In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.

1. PURPOSE 

1.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data solely by ServiceTarget on behalf of Subscriber: (a) Subscriber is the Controller of Personal Data, and (b) ServiceTarget is the Processor of such Personal Data. The terms “Controller” and “Processor” below signify Subscriber and ServiceTarget, respectively.

1.2 Active Subscription. Data Controller has an active subscription to the Service under the Master Subscription Agreement, granting them a license to access and use the Service. When providing the Service, Processor will Process Personal Data submitted to and stored in the Service by Data Controller or third parties that Data Controller transacts with through the Service. 

1.3 Subscriber’s Obligations. In using the Services and instructing the Data Processor, Subscriber must comply with Data Protection Laws, the Agreement, and this DPA. Subscriber is responsible for establishing the required legal basis to collect, Process, and transfer Personal Data to the Processor and authorize the Processing activities conducted by the Processor on Subscriber's behalf pursuant to the Agreement and DPA, including for the Business Purpose.

2. OWNERSHIP OF THE SERVICE DATA

2.1 Between the Parties, all Service Data Processed under this DPA and Master Subscription Agreement remains the property of the Data Controller. Under no circumstances will the Processor act or be considered a "controller" or equivalent entity of the Service Data under Applicable Data Protection Law.

3. OBLIGATIONS OF DATA PROCESSOR

3.1 Processor’s Processing of Personal Data. Processor will Process Personal Data for the following purposes:

  • Per the Master Subscription Agreement and DPA
  • To provide the Services
  • To comply with Subscriber's reasonable documented instructions, if consistent with the Agreement and DPA, regarding how Processing will be performed
  • As required by applicable law or a competent court/government authority, provided the Data Processor informs the Subscriber of the legal requirement unless prohibited.

Processor will promptly notify the Subscriber if in its reasonable opinion a Personal Data Processing instruction from the Subscriber violates applicable Data Protection Laws, unless the Data Processor is prohibited from notifying under those laws. For clarity, the Data Processor has no duty to evaluate if Subscriber's instructions infringe Data Protection Laws.

3.2 Details of Processing. The subject matter of Personal Data Processing by the Data Processor is delivering the Services under the Agreement and DPA. Schedule 1 of the DPA provides further details on the duration, nature, purpose, types of Personal Data, and categories of Data Subjects for Processing under this DPA.

3.3 Sensitive Data. The Services are not intended for Processing Sensitive Data. If the Subscriber wants to Process Sensitive Data using the Services, it must first get ServiceTarget's explicit written consent and any additional required agreements.

3.4  CCPA Standard of Care; No Sale of Personal Information. The Data Processor does not receive or process any Personal Data as consideration for services provided to the Subscriber under the Agreement or DPA. The Data Processor will not obtain rights or benefits over Personal Data Processed on the Subscriber's behalf, or combine it with other parties' data, and will logically separate it. The Data Processor may only use and disclose Personal Data for the purposes provided by the Subscriber under the Agreement and DPA.

Where the Data Processor qualifies as a Service Provider under the CCPA, it understands the CCPA's rules and agrees not to sell or share Personal Data without the Subscriber's consent or instruction. The Data Processor will refrain from any actions that would cause transfers of Personal Data to qualify as "selling" or "sharing" under the CCPA.

3.5 Confidentiality. Processor will ensure that its personnel and contractors engaged in the Processing of Personal Data are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.6. Data Subject Requests. If the Processor receives a request from a Data Subject seeking to exercise their rights under applicable Data Protection Laws (such as access, rectification, restriction of Processing, erasure, data portability, objection to Processing, rights relating to automated decision-making, opt-out of sale of Personal Information, non-discrimination), the Processor will notify the Subscriber or refer the Data Subject directly to the Subscriber. Considering the nature of the Processing, the Processor will reasonably assist the Subscriber, where possible, in responding to the request. The Processor may refer Data Subjects/Consumers to the Subscriber's Admin for handling the request or advise them on using self-service features within the Platform.

4. SUB-PROCESSORS

4.1 Appointment of Sub-processors. Subscriber acknowledges and agrees that (a) Processor’s Affiliates may be engaged as Sub-processors; and (b) Processor and Processor’s Affiliates may each engage third party Sub-processors in connection with the provision of the Services.

4.2 List of Current Sub-processors and Notification of New Sub-processors. As of the Effective Date, Subscriber hereby grants Processor general written authorization to engage with the Sub-processors set out in the Sub-Processor Policy, which are currently used by Processor to process Personal Data. Subscriber may sign up to receive email notification of the engagement of new and the replacement of existing Sub-processors (“Sub-processor Notice”), and Subscriber acknowledges that it shall subscribe to this mechanism upon entering this DPA and that the notifications sent through this mechanism fulfill the Processor’s obligations to notify Subscriber of the appointment of a new or replacement of an existing Sub-processor.

4.3  Objection to New Sub-processors. Pursuant to the notification by Processor of a new Sub-processor that will Process Personal Data, Subscriber may reasonably object within 7 days if Subscriber has concerns about how that Sub-processor will protect the Personal Data. Such an objection must be submitted in writing to Processor at privacy@servicetarget.com explaining the reasons for the objection. If Subscriber does not object within 7 days, Subscriber is deemed to have accepted the new Sub-processor.

If Subscriber reasonably objects to a new Sub-processor, Processor will make commercially reasonable efforts to either modify the Services or recommend a change to Subscriber's configuration or use of the Services to avoid processing by the objected-to new Sub-processor without unreasonably burdening Subscriber. If Processor cannot accommodate such change within 30 days of receiving the objection, Subscriber may terminate the Agreement and Data Processing Agreement solely for those aspects of the Services requiring the objected-to new Sub-processor by providing written notice to Processor. Subscriber must pay any outstanding amounts owed under the Agreement before the termination date.

While Processor evaluates the new Sub-processor, Processor may temporarily suspend Processing of the affected Personal Data and/or suspend access to the Services. If the Agreement is terminated in this situation, Subscriber shall have no further claims against Processor, including requesting refunds.

4.4 Agreements with Sub-processors. Processor or Processor's Affiliate has a written agreement with each existing Sub-processor, and shall execute a written agreement with each new Sub-processor, incorporating data protection commitments materially similar to those in this Data Processing Agreement, in particular requiring the implementation of appropriate technical and organizational measures to ensure the Processing satisfies the requirements of the GDPR. In cases where a Sub-processor fails to meet its data protection obligations regarding the Processing of Personal Data, Processor retains responsibility to Subscriber for ensuring compliance by that Sub-processor with its obligations.

4.5 Non-ServiceTarget Services. As stated in the Master Subscription Agreement, the Service provides integration capabilities with Non-ServiceTarget Services, including certain Non-ServiceTarget Services that may connect directly to Subscriber's account or instance. If Subscriber enables, accesses or uses such Non-ServiceTarget Services, its access and use is governed solely by the terms, conditions and privacy policies of those Non-ServiceTarget Services. Processor does not endorse and is not responsible or liable for any aspect of those Non-ServiceTarget Services, including their content or handling of Personal Data. The providers of Non-ServiceTarget Services shall not be deemed Sub-processors under this DPA.

5. SECURITY & AUDITS

5.1  Controls for the Protection of Personal Data. Processor shall implement and maintain appropriate technical and organizational measures consistent with industry standards to safeguard Personal Data Processed under this Agreement, including measures to protect against unauthorized or unlawful Processing, accidental loss, destruction, damage, alteration or disclosure. Upon reasonable request by Subscriber, Processor shall reasonably assist Subscriber, at Subscriber's expense and subject to Section 10.1 below, in ensuring compliance with Subscriber's obligations under Articles 32-36 of the GDPR, taking into account the nature of the Processing and information available to Processor.

5.2 Audits and Inspections. Upon at least 14 days prior written request by Subscriber at reasonable intervals no more than once every 12 months, and subject to strict confidentiality undertakings by Subscriber, Processor shall make available to Subscriber, who is not a competitor of Processor, information necessary to demonstrate Processor's compliance with this DPA. Processor may also allow Subscriber's independent third-party auditor, who is not a competitor of Processor and has executed confidentiality and non-compete undertakings, to audit and inspect Processor's compliance with this DPA. Processor may satisfy its obligations under this section by providing questionnaires, attestations, certifications, and summaries of audit reports related solely to Processor's compliance with this DPA. Any information related to such audits, inspections, and results may only be used by Subscriber to assess Processor's DPA compliance and shall not be disclosed to any third party without Processor's prior written consent. Upon Processor's request, Subscriber shall return all records provided by Processor and collected by Subscriber or its auditors in the context of the audit or inspection.

In the event of an audit or inspection as described above, Subscriber shall ensure that it and its authorized auditors avoid causing any damage, injury or disruption to Processor's operations, premises, equipment, personnel and business while conducting such audit or inspection. If some degree of interference is unavoidable, Subscriber shall endeavor to minimize the impact.

The audit rights described in this Section 5.2 shall apply only to the extent that the Agreement does not otherwise grant Subscriber audit rights satisfying the relevant requirements of Data Protection Laws, including Article 28(3)(h) of the GDPR or UK GDPR, if applicable. If and to the extent the Standard Contractual Clauses apply, nothing in this Section 6 varies or modifies the Standard Contractual Clauses or impacts any Supervisory Authority's or Data Subject's rights under the Standard Contractual Clauses.

6. DATA INCIDENT MANAGEMENT AND NOTIFICATION

6.1 Processor maintains internal security incident response policies and procedures. To the extent required under applicable Data Protection Laws, Processor shall notify Subscriber without undue delay upon becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed on behalf of Subscriber ("Data Incident"). Processor shall make reasonable efforts to identify and take steps it deems necessary and reasonable to remediate and/or mitigate the cause of such Data Incident to the extent within Processor's reasonable control. These obligations do not apply to Data Incidents caused by Subscriber, its Users, or any party using the Services on Subscriber's behalf.

6.2 Subscriber shall not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report regarding a Data Incident that directly or indirectly identifies Processor without Processor's prior written approval. This includes any legal proceeding or notification to regulatory authorities or affected individuals, unless Subscriber is compelled to do so under applicable Data Protection Laws. In such cases, unless prohibited by law, Subscriber shall provide Processor reasonable prior written notice to object to the disclosure, and Subscriber shall limit the disclosure to the minimum required by law.

7. RETURN AND DELETION OF PERSONAL DATA

Upon termination of the Agreement and cessation of Services, at Subscriber's election either through the Platform or written notice, Processor shall delete or return to Subscriber all Personal Data processed on behalf of Subscriber as described in the Agreement, unless applicable laws require or permit Processor to retain the Personal Data.

8. CROSS-BORDER DATA TRANSFERS

coming soon

9. AUTHORIZED AFFILIATES

9.1   Contractual Relationship. The Parties acknowledge that by executing this DPA, Subscriber enters into the DPA on behalf of itself and its Authorized Affiliates. Each Authorized Affiliate agrees to be bound by Subscriber's obligations under this DPA where the Processor processes Personal Data on the Authorized Affiliate's behalf, designating the Authorized Affiliate as the Controller for that Personal Data. Any access to or use of the Services by Authorized Affiliates must comply with the Agreement and DPA terms. A violation by an Authorized Affiliate constitutes a violation by Subscriber.

9.2   Communication. Subscriber remains responsible for coordinating all communication with the Processor under the Agreement and this DPA. Subscriber is entitled to make and receive any DPA-related communication on behalf of its Authorized Affiliates.

10. OTHER PROVISIONS

10.1   Data Protection Impact Assessment and Prior Consultation. Upon Subscriber's reasonable request and at Subscriber's cost, Processor shall provide reasonable cooperation and assistance to Subscriber to fulfill its obligation under the GDPR or UK GDPR to conduct a data protection impact assessment regarding Subscriber's use of the Services, to the extent Subscriber does not have access to relevant information available to Processor. Processor shall also provide reasonable assistance, at Subscriber's cost, with Subscriber's cooperation and prior consultation with the Supervisory Authority as required under the GDPR or UK GDPR relating to this Section 10.1.

10.2   Modifications. Either Party may request in writing variations to this DPA upon at least forty-five (45) days prior notice if such changes are required due to modifications in applicable Data Protection Laws to permit continued Processing of Personal Data without violation. Pursuant to such notice, the Parties shall use commercially reasonable efforts to accommodate the required modifications and negotiate in good faith to implement those or alternative variations designed to address the requirements under Data Protection Laws, as identified in the requesting Party's notice, as soon as reasonably practicable.

Additionally, Processor may amend this DPA without notice provided the changes do not materially and adversely impact Subscriber's rights or Processor's obligations (e.g. correcting errors or making technical adjustments). If Processor makes any material adverse change to Subscriber's rights or Processor's obligations, Processor shall provide notice by posting an announcement on the Service site, in the Service itself, and/or by email.

11. DEFINITIONS

(a) "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

(b) "Authorized Affiliate" means any Customer Affiliate explicitly permitted to use the Services under the Agreement between Customer and Processor, but which has not signed its own agreement with Processor and is not a "Customer" per the Agreement.

(c) "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended.

(d) "Controller", "Member State", "Processor", "Processing", and "Supervisory Authority" have the meanings given in the GDPR. "Business", "Business Purpose", "Consumer", and "Service Provider" have the meanings given in the CCPA. For clarity, in this DPA "Controller" also means "Business" and "Processor" also means "Service Provider" where the CCPA applies. Likewise, Sub-processor also refers to a Service Provider.

(e) "Data Protection Laws" means the applicable and binding privacy and data protection laws and regulations, including those of the EU, EEA, Member States, Switzerland, UK, Canada, Israel and US, such as the GDPR, UK GDPR, and CCPA.

(f) "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

(g) "GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.

(h) "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor solely on behalf of Controller under this DPA and the Agreement.

(i) "Services" means the cloud-based work operating system platform and other services provided by Processor to Controller under the Agreement.

(j) "Security Documentation" means Processor's security documentation describing the technical and organizational measures applicable to Processing under the Agreement and this DPA, accessible at www.monday.com/trustcenter/datasecure or as otherwise made available by Processor.

(k) "Sensitive Data" means Personal Data requiring special treatment under law, such as special categories of data, sensitive data, or similar terms, including: (a) government identifiers; (b) financial/credit information; (c) racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health/sex life/sexual orientation data, or criminal convictions/offenses data; (d) data on children; and/or (e) unhashed account passwords.

(l) "Standard Contractual Clauses" means: (a) for Personal Data under the GDPR, the Standard Contractual Clauses in the EU Commission Implementing Decision 2021/914, including Annexes I-V ("EU SCCs"); (b) for Personal Data under the UK GDPR, the International Data Transfer Addendum to the EU SCCs in Annex III ("UK Addendum"); and (c) for Personal Data under the Swiss FADP, the terms in Annex IV of the EU SCCs ("Switzerland Addendum").

(m) "Sub-processor" means any third party instructed by a Processor to carry out specific Personal Data processing activities.

(n) "UK GDPR" means the GDPR as incorporated into UK law per the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

SCHEDULE 1 – DETAILS OF THE PROCESSING

Nature and Purpose of Processing

  1. Providing the Services to Subscriber;
  2. Performing the Agreement, this DPA, and other contracts executed between the Parties;
  3. Acting on Subscriber's instructions, where consistent with the Agreement terms;
  4. Sharing Personal Data with third parties pursuant to Subscriber's instructions and use of the Services, including integrations between the Services and third party services configured by or for Subscriber;
  5. Complying with applicable laws and regulations;
  6. Any tasks related to the above.

Duration of Processing

Subject to any DPA or Agreement terms governing duration of Processing and effects of expiration or termination, Processor will Process Personal Data for the duration of the Agreement and provision of Services, unless otherwise agreed in writing.

Type of Personal Data

Subscriber may submit Personal Data to the Services, with the type and extent determined and controlled solely by Subscriber.

Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be processed by Processor depend on Subscriber and may include, but are not limited to:

  • Subscriber's employees, agents, advisors, freelancers (natural persons)
  • Subscriber's prospects, customers, business partners, vendors (natural persons)
  • Employees or contacts of Subscriber's prospects, customers, business partners, vendors
  • Any other third party individual with whom Subscriber communicates through the Services.