Data Processing Agreement

Parties to this DPA

This Data Processing Agreement (“DPA”) is made by and between the parties to any Order Form or Terms incorporating this DPA by reference, and this DPA shall be in addition to any obligations set out in any Order Form or Terms.

The parties agree that in relation to Protected Data (as it may be applicable to the parties under Data Protection Laws), the Client shall be the Data Controller and Alia Software shall be the Data Processor.

(1) Client Name (“Client”) a company incorporated and existing under the laws of [jurisdiction]; and

(2) Alia Software, Inc. with offices located at 135 W 26th St #3A, New York, NY 10001 (“Alia Software”),

(each a “Party” and collectively the “Parties”).

This DPA is incorporated into and forms part of the agreement between the Parties concerning the provision of Alia Software’s Terms of Service (“Terms of Service”).

1. Definitions

All capitalized terms in this DPA shall have the meaning as prescribed by the Alia Software Terms of Service located at https://docsend.com/view/kkvwx9r333rs2yd2 (“Terms”) or as otherwise agreed between the parties, unless otherwise specified below.

1.1. “Applicable Data Protection Laws” means all applicable data protection and privacy laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), UK GDPR, the California Consumer Privacy Act (“CCPA”), and other similar laws and regulations.

1.2. “Associated Company” means a company belonging to the same group as either party;

1.3. “Personal Data” has the meaning given to that term in Data Protection Laws, or where that term is not identically defined in the applicable Data Protection Law, the meaning given to the equivalent defined term in that applicable Data Protection Law;

1.4. “Protected Data” means Personal Data received from or on behalf of the Client in connection with the performance of the Processor’s obligations under this DPA;

1.5. “Services” means the services provided by Alia Software, including the deployment and management of website pop-ups and forms that collect Personal Data from Client’s website visitors.

1.6. “Data Subject,” “Process,” “Controller,” and “Processor” shall have the meanings ascribed to them under Applicable Data Protection Laws.

2. Data Processor and Data Controller

2.1. Alia Software shall process Protected Data in compliance with:

2.1.1. the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations herein; and

2.1.2. the terms of this DPA, the Terms and the Order Form which sets out the Data Controller’s instructions in relation to such processing activities.

2.2. The Data Controller shall comply with:

2.2.1. all Data Protection Laws in connection with the processing of Protected Data, use of the Services and the exercise and performance of its respective rights and obligations under this DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

2.2.2. the terms of this DPA.

2.3. The Controller warrants, represents and undertakes, that all instructions given by it to the Processor in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

2.4. The Controller shall not unreasonably withhold, delay or condition its agreement to any change or amendment requested by the Processor in order to ensure the Services and the Processor (and each Sub-Processor) can comply with Data Protection Laws.

3. Nature and Purpose of Processing

3.1. Subject Matter. The subject matter of the processing is the Personal Data collected via pop-up forms integrated on Client’s website(s).

3.2. Duration. Alia Software will process Personal Data for the duration of the Terms of Service, unless otherwise agreed or required by law.

3.3. Categories of Data Subjects. Website visitors and users of the Client’s services.

3.4. Categories of Personal Data. May include, but are not limited to: names, email addresses, phone numbers, postal addresses, and other information input by the Data Subject into the form fields.

3.5. Purpose of Processing. To collect, transmit, and store Personal Data submitted through website pop-up forms to facilitate marketing, lead generation, and communication on behalf of the Client.

4. Obligations of Alia Software

Alia Software agrees to:

4.1. Process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to a third country.

4.2. Ensure that persons authorized to process the Personal Data are subject to appropriate confidentiality obligations.

4.3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and data minimization practices.

4.4. Assist the Client in ensuring compliance with its obligations regarding data security, data breach notifications, data protection impact assessments, and consultations with supervisory authorities.

4.5. At the choice of the Client, delete or return all Personal Data at the end of the Services, unless retention is required by law.

4.6. Make available to the Client all information necessary to demonstrate compliance and allow for audits (subject to reasonable notice and confidentiality obligations).

5. Technical and Organizational Measures

5.1. The Processor shall implement and maintain, at its cost and expense, appropriate technical and organizational measures in relation to the processing of Protected Data by the Processor; taking into account the nature of the processing, to assist the Controller insofar as is possible in the fulfilment of the Controller’s obligations.

6. Sub-Processors

6.1. The Client hereby authorizes the engagement of Alia Software’s existing and future Associated Companies as Sub-Processors and also authorizes the appointment of any of the Sub-Processors listed in Schedule 1.

6.2. The Controller may object (on reasonable grounds and only relating to Data Protection Laws) to the use or replacement Sub-Processor appointed per clause above within ten (10) business days of the Processor’s notice: If the Controller notifies the Processor in writing of any objections to the proposed appointment: both parties shall work in good faith toward a resolution. If a solution cannot be found, the Controller may by written notice to the Processor with immediate effect terminate the order form to the extent that it relates to the Services which require the use of the proposed Sub-Processor. This termination right is the Controller’s sole and exclusive remedy to object any Sub-Processor appointed by the Service Provider during the Term.

6.3. Alia Software shall ensure:

6.3.1. via a written contract that the Sub-Processor only accesses and processes Protected Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA that is enforceable by the Processor; and

6.3.2. remain fully liable for all the acts and omission of each Sub-Processor as if they were its own.

7. International Data Transfers

7.1. If Alia Software Processes Personal Data outside the EEA or UK, it shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or UK Addendum where applicable.

8. Data Subject Rights

8.1. Alia Software shall promptly notify the Client of any request received directly from a Data Subject and shall not respond to such a request without the Client’s prior written consent unless required by law.

8.2. Further to the above and notwithstanding anything to the contrary in the Terms, the Service Provider reserves the right to disclose the identity of the Client to any relevant Data Subject following any such request.

9. Security Incidents

In the event of a Personal Data breach, Alia Software shall:

9.1. Notify the Client without undue delay after becoming aware of the breach.

9.2. Provide reasonable cooperation and assistance to enable the Client to meet its breach notification obligations.

10. Deletion or Return of Data

10.1. The Processor shall meet its obligation to delete or return Protected Data by providing facilities for the Controller to perform such actions. Upon written request from the Controller, any return of Protected Data shall be in such form as the Controller reasonably requests, within a reasonable time after the earlier:

10.1.1. the end of the provision of the relevant Services related to processing; or

10.1.2. once processing by the Processor of any Protected Data is no longer required for the purpose of the Processor’s performance of its relevant obligations under the Order Form, and delete existing copies (unless storage of any data is required by Applicable Law and, if so, the Processor shall inform the Controller of any such requirement).

11. Liability

11.1. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set out in the Terms.

11.2. Notwithstanding the foregoing, the limitation specified in 9.1 above shall not apply to Data Protection Losses. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

11.3. Any Data Protection Losses incurred by one party arising from or in connection with the other’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall be considered a liability to the non-compliant party.

12. Miscellaneous

12.1. This DPA is governed by the laws set forth in the Terms of Service.

12.2. In the event of conflict between this DPA and the Terms of Service, the terms of this DPA shall prevail with respect to data protection matters.

13. Cooperation

13.1. If a party receives a compensation claim from an individual or Supervisory Authority relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

13.1.1. make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

13.1.2. consult fully with the other party in relation to such action.

14. Audits and Records

14.1. Alia shall maintain, in accordance with Data Protection Laws binding on the Processor, written records of all categories of processing activities carried out on behalf of the Client.

14.2. Alia Software shall, in accordance with Data Protection Laws, make available to the Client such information as is reasonably necessary to demonstrate the Processor’s compliance with the obligations of Data Processors under Data Protection Laws and allow for and contribute to audits, including inspections by the Client (or another auditor mandated by the Company) for this purpose, subject to the Client:

14.2.1. giving Alia Software reasonable prior notice of such information request, audit and/or inspection being required by the Client;

14.2.2. ensuring that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the supervisory authority or as otherwise required by Applicable Law);

14.2.3. ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Alia Software’s business and the business of other clients of Alia; and

14.2.4. paying Alia Software’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits on-site, calculated on a time & materials basis.

15. Government Requests

15.1. The Processor does not, as a matter of course, voluntarily supply government authorities, agencies or law enforcement access to or information relating to the Processor’s Customer accounts or Protected Data. If the Processor receives a compulsory request (whether via court order, warrant, or other valid legal process) from any government authority, agency or law enforcement for access to or information relating to a Customer account (including Protected Data) belonging to a Controller (hereafter, a “Government Request”), the Processor shall take all such reasonable steps as necessary to confirm the validity of such a request.

15.2. In the event that the Processor satisfies itself that a Government Request is valid, the Processor shall:

15.2.1. inform the government authority, agency or law enforcement that Alia Software is a processor of the Protected Data;

15.2.2. attempt to redirect the government authority, agency or law enforcement to request the data directly from the Controller; and

15.2.3. notify the Controller via email of the Government Request to allow the Customer to seek their own appropriate remedy, whereby the Processor may provide the Controller’s contact information.

15.3. The Processor shall not be required to comply with the provision of clauses 14.1 or 14.2 above if:

15.3.1. The Processor is legally prohibited from doing so; or

15.3.2. if the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, the safety of the public, or the Processor’s Services or property.

IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their authorized representatives.

CLIENT

By: ********___********

Name:

Title:

Date:

ALIA SOFTWARE, INC.

By: ********___********

Name:

Title:

Date:

Schedule 1: Sub-Processors

Alia Software is a Dotdigital company. Data may be transferred to Dotdigital entities for the purposes of providing the service. These entities include:

• Dotdigital EMEA Ltd
• Dotdigital Inc
• Dotdigital APAC Pty Ltd
• Dotdigital B.V
• Dotdigital Development SA Pty Ltd
• Dotdigital SG Pte, Ltd
• Dotdigital Poland sp. z o. o
• Dotdigital Japan Limited

We engage with the external sub-processor for the purposes of hosting and data back-ups: