Data processing agreement

THIS IS A CONTRACT (“DPA”) BETWEEN YOU, THE CUSTOMER (A LEGAL ENTITY) (“YOU”, “DATA CONTROLLER”), AND CRALL AS (“WE”, “US”, “CRALL”, “DATA PROCESSOR”). PLEASE READ THIS DPA CAREFULLY BEFORE USING THE SERVICES OFFERED BY CRALL AS. BY USING OUR SERVICES, YOU AGREE THAT YOU HAVE READ THIS AGREEMENT AND THAT YOU WILL BE BOUND BY IT.

1. Definitions

“Customer Data” means data you submit to, store on, or send to us via the Service.

“Data Incident” means a breach of Crall’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems that are managed and controlled by Crall. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including, without limitation, pings, port scans, denial of service attacks, network attacks on firewall or networked systems, or unsuccessful login attempts.

“EEA” means the European Economic Area.

“European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Personal Data” means any personal data (as that term is defined by European Data Protection Legislation) contained within the Customer Data.

“Subprocessor” means a third party that we use to process Customer Data in order to provide parts of the Service and/or related technical support.

The terms “personal data”, “sensitive personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the MCCs, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

2. Data processing

2.1 - Roles and Regulatory Compliance; Authorization

         a. Processor and Controller Responsibilities. If European Data Protection Legislation applies to the processing of Customer’s Personal Data, the parties acknowledge and agree as follows: (i) that the subject matter and details of the processing are described in Appendix 1 hereto; (ii) that Crall is a processor of Customer’s Personal Data under European Data Protection Legislation; (iii) that you are a controller or processor, as applicable, of the Personal Data under European Data Protection Legislation; and (iv) that each of us will comply with our obligations under applicable European Data Protection Legislation with respect to the processing of the Personal Data. 

         b. Authorization by Third Party Controller. If European Data Protection Legislation applies to the processing of Personal Data and you are a processor of the Personal Data, you warrant to us that your instructions and actions with respect to that Personal Data, including your appointment of Crall as another processor, have been authorized by the relevant controller.

         c. Responsibilities Under Non-European Legislation. If Non-European Data Protection Legislation applies to either party’s processing of Personal Data, the parties acknowledge and agree that each of us will comply with any applicable obligations under that legislation with respect to the processing of Personal Data.

2.2 - Scope of Processing

         a. Customer Authorization. By entering into this DPA, you hereby authorize and instruct us to process the Personal Data: (i) to provide the Service, and related technical support; (ii) as otherwise permitted or required by your use of the Service and/or your requests for technical support; (iii) as otherwise permitted or required by the Agreement, including this DPA; and (iv) as further documented in any other written instructions that you give us, provided we acknowledge those instructions in writing as constituting processing instructions for the purposes of this DPA. We will not process the Personal Data for any other purpose, unless required to do so by applicable law or regulation. 

         b. Prohibition on Sensitive Data. You will not submit, store, or send any sensitive data or special categories of Personal Data (collectively, “Sensitive Data”) to us for processing, and you will not permit or authorize any of your employees, agents, contractors, or data subjects to submit, store, or send any Sensitive Data to us for processing. You acknowledge that we do not request or require Sensitive Data as part of providing the Service to you, that we do not wish to receive or store Sensitive Data, and that our obligations in this DPA will not apply with respect to Sensitive Data.

3. Deletion

3.1 - Deletion during an active subscription

We will enable you to delete Personal Data during an active subscription in a manner that is consistent with the functionality of the Service. If you use the Service to delete any Personal Data in a manner that would prevent you from recovering the Personal Data at a future time, you agree that this will constitute an instruction to us to delete the Personal Data from our systems in accordance with our standard processes and applicable law. We will comply with this instruction as soon as reasonably practicable, but in all events in accordance with applicable law.

3.2 - Deletion When Term Expires

When your subscription expires, we will destroy any Customer Data in our possession or control. This requirement will not apply to the extent that we are required by applicable law to retain some or all of the Customer Data, in which event we will isolate and protect the Customer Data from further processing except to the extent required by law.

4. Data security

4.1 - Security measures

         a. Security Measures. We will implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (collectively, the “Security Measures”). The Security Measures will have regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Security Measures will include, as appropriate: (i) the pseudonymization and/or encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of data processing systems and services; (iii) the ability to restore the availability of and access to Personal Data in a timely manner in the event of a Data Incident; and (iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing. We may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service.

         b. Security Compliance by our Staff. We will take appropriate steps to ensure that our employees, contractors, and Subprocessors comply with the Security Measures to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 - Data incidents

If we become aware of a Data Incident, we will notify you promptly and without undue delay, and will take reasonable steps to minimize harm and secure Customer Data. Any notification that we send you pursuant to this Section 4.2 will be sent to your Notification Email Address and will describe, to the extent possible, the details of the Data Incident, the steps we have taken to mitigate the potential risks, and any suggestions we have for you to minimize the impact of the Data Incident. We will not assess the contents of any Customer Data in order to identify information that may be subject to specific legal requirements. You are solely responsible for complying with any incident notification laws that may apply to you, and for fulfilling any third-party notification obligations related to any Data Incident(s). Our notification of or response to a Data Incident under this Section will not constitute an acknowledgement of fault or liability with respect to the Data Incident.

4.3 - Your Security Responsibilities

You agree that, without prejudice to our obligations under Sections 4.1 or 4.2, you are solely responsible for your use of the Service, including making appropriate use of the Service to ensure a level of security appropriate to the risk in relation to Customer Data, securing any account authentication credentials, systems, and devices you use to access the Service, and backing up your Customer Data. You understand and agree that we have no obligation to protect Customer Data that you elect to store or transfer outside of our or our Subprocessors’ systems (e.g., offline or on-premise storage). You are solely responsible for evaluating whether the Service and our commitments under this Section 4 meet your needs, including with respect to your compliance with any of your security obligations under European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. You acknowledge and agree that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of Personal Data, as well as the risks to individuals, the Security Measures that we implement under this DPA provide a level of security appropriate to the risk in respect of the Customer Data.

5. Data subject rights; Data export

5.1 - Access; Rectification; Restricted Processing; Portability

During an active subscription, we will, in a manner consistent with the functionality of the Service, enable you to: (i) access the Customer Data; (ii) rectify inaccurate Customer Data; (iii) restrict the processing of Customer Data; (iv) delete Customer Data; and (v) export Customer Data.

5.2 - Cooperation; Data Subjects’ Rights

We will provide you, at your expense, with all reasonable and timely assistance to enable you to respond to: (i) requests from data subjects who wish to exercise any of their rights under European Data Protection Legislation; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. In the event that any such request, correspondence, enquiry or complaint is made directly to us, we will promptly inform you of it, and provide you with as much detail as reasonably possible.

6. Data transfers

6.1 - Data Storage and Processing Facilities

You agree that we may, subject to Section 6.2, store and process Customer Data in Norway and any other country in which we or our Subprocessors maintain facilities.

7. Subprocessors

7.1 - Consent to Engagement

You specifically authorize us to engage third parties as Subprocessors. Whenever we engage a Subprocessor, we will enter into a contract with that Subprocessor to help ensure that the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement and this DPA.

7.2 - List of Subprocessors

Our current Subprocessors are: Amazon Web Services, Google Cloud Platform, SendGrid, Slack, Intercom, Campaign Monitor, Mailtrap and Sentry. We will update this list from time to time upon written notice to you, as our Subprocessors change.

7.3 - Objections; Sole Remedy

Within ninety (90) days of our engagement of any Subprocessor (as determined by the date that we update the list of Subprocessors described in Section 7.2, above), you have the right to object to the appointment of that Subprocessor by providing documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements set forth in this DPA (each, an “Objection”). If we do not remedy or provide a reasonable workaround for your Objection within a reasonable time, you may, as your sole remedy and our sole liability for your Objection, terminate the Agreement for your convenience, and without further liability to either party. We will not owe you a refund of any fees you have paid in the event you decide to terminate the Agreement pursuant to this Section.

8. Additional Information

You acknowledge that we are required under European Data Protection Legislation (i) to collect and maintain records of certain information, including, among other things, the name and contact details of each processor and/or controller on whose behalf we are acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (ii) to make such information available to the supervisory authorities. Accordingly, if European Data Protection Legislation applies to the processing of Personal Data, you will, when requested, provide this additional information to us, and ensure that the information is kept accurate and up to date.

9. Data protection impact assessment

If we believe or become aware that our processing of Customer Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, we will promptly inform you of that risk, and provide you with reasonable and timely assistance as you may require in order to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority.

Appendix 1 to Data processing Agreement

Subject Matter: Crall’s provision of the Service to the Customer, and related technical support.

Processing Duration: As long as the Customer has an active subscription.

Nature and Purpose of the Processing: Crall will process Personal Data submitted to, stored on, or sent via the Service for the purpose of providing the Service and related technical support in accordance with this DPA.

Categories of Data: Personal Data submitted to, stored on, or sent via the Service may include, without limitation, the following categories of data: IP addresses, browser user agents, email addresses, full names, order information, visited products, visited categories, browsing patterns, email clicks, email opens, chat logs, browser and operating system identifiers, and any other personal data that the Customer chooses to send us during the course of our provision of the Service and technical support.