(b) Your Compliance with Data Protection Laws.
The parties agree that you are a Controller, and we are a Processor for the purposes of Processing Protected Data pursuant to the Terms of Use. You shall at all times comply with all Data Protection Laws in connection with the Processing of Protected Data. You shall ensure all instructions given by you to us in respect of Protected Data (including the terms of the Terms of Use) shall at all times be in accordance with Data Protection Laws.
(c) Our Compliance with Data Protection Laws.
We shall Process Protected Data in compliance with the obligations placed on us under Data Protection Laws and the Terms of Use.
(d) Security.
Taking into account the state of technical development and the nature of Processing, we shall implement and maintain the technical and organizational measures set out in Section 2(b) of this Addendum to protect the Protected Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.
(e) Instructions.
(i) We shall only process (and shall ensure our personnel only process) the Protected Data in accordance with Section 2(a) of this Addendum and the Terms of Use, except to the extent:
(A) that alternative Processing instructions are agreed between the parties in writing; or
(B) otherwise required by applicable law (and shall inform you of that legal requirement before Processing, unless applicable law prevents us doing so on important grounds of public interest).
(ii) Without prejudice to Section 1(e)(i), if we believe that any instruction received by us from you is likely to infringe the Data Protection Laws, we shall promptly inform you and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing.
(f) Sub-processing and Personnel.
(i) We shall:
(A) not permit any processing of Protected Data by any agent, subcontractor, or other third party (except its or its Sub-Processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regard to the Protected Data) without your authorization;
(B) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this Schedule (including those relating to sufficient guarantees to implement appropriate technical and organizational measures) that is enforceable by us and ensure each such Sub-Processor complies with all such obligations;
(C) remain fully liable to you under this Addendum for all the acts and omissions of each Sub-Processor as if they were our own; and
(D) ensure that all persons authorized by us or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
(g) List of Authorized Sub-Processors.
(i) You expressly authorize the appointment of the Sub-Processors listed below.
(A) Amazon: Cloud Hosting
(B) Digital Ocean: Cloud Hosting
(C) Compose.com: Cloud Database
(D) Google: Cloud Storage, Internal Collaboration, Marketing, Analytics
(E) CloudFlare: Content Delivery Network
(F) Transloadit: File Conversion
(G) Zapier: Process Automation
(H) Elastic.io: Log & Monitoring
(I) Sentry.io: Log & Monitoring
(J) HubSpot: Customer Relation Management
(K) Customer.io: Customer Communication
(L) Slack: Internal Communication
(M) ZenDesk: Issue Management
(N) Stripe: Payment Processor
(h) Assistance.
(i) We shall (at your cost) assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the Processing and the information available.
(ii) We shall (at your cost), taking into account the nature of the Processing, assist you (by appropriate technical and organizational measures), insofar as this is possible, for the fulfilment of your obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
(i) Audits and Processing.
We shall, in accordance with Data Protection Laws, make available to you such information that is in our possession or control as is necessary to demonstrate our compliance with the obligations placed on us under this Addendum and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by you (or another auditor mandated by you) for this purpose (subject to a maximum of one audit request in any 12-month period under this paragraph).
(j) Breach.
We shall notify you without undue delay and in writing on becoming aware of any Personal Data breach in respect of any Protected Data.
(k) Deletion/Return and Survival.
On the end of the provision of the services relating to the Processing of Protected Data, at your cost and your option, we shall either return all of the Protected Data to you or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires us to store such Protected Data. This Addendum shall survive termination or expiry of the Terms of Use.