This data protection addendum (“DPA”) is incorporated into the Agreement and forms part of the written contract between Community and Customer. Capitalized terms not defined in this DPA are defined in the Agreement.
1. Background
1.1 Purpose. This DPA applies to Customer Data that is Processed by Community and its Subprocessors in connection with its provision of the Service and the transfer of Community Data to Customer. The parties wish to supplement the terms of the Agreement to ensure that the Processing of Customer Data by Community is in compliance with Data Protection Law.
1.2 Structure. The subject-matter, nature, and purpose of the Processing of Customer Data are the provision of the Service as described in the Agreement. Annex A and Annex B are incorporated into and form part of this DPA. They set out the duration of Processing, the data subjects concerned, the categories of Personal Data, and the applicable technical and organizational measures.
2. Security of Processing
Community has implemented and will apply the technical and organizational measures set forth in Annex B. Customer has reviewed such measures and agrees that as to the Service the measures are appropriate taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the Processing of Customer Data. Community may change the measures set out in Annex B at any time without notice so long as it maintains a comparable or better level of security.
3. Community’s Obligations
3.1 Instructions. Community will Process Customer Data only in accordance with documented instructions from Customer. The Agreement (including this DPA) constitutes such documented initial instructions, and each use of the Service (including any use by Authorized Users) then constitutes further documented instructions. Additional instructions outside the scope of the Agreement and DPA will be agreed to between the parties in writing, including any additional fees that may be payable by Customer for carrying out such additional instructions. If Community cannot reasonably comply with an instruction or is of the opinion that an instruction infringes Data Protection Law, Community will immediately notify Customer. Without limiting the foregoing, Community shall not “sell” Customer Data if and to the extent such term is defined under Data Protection Law. Community hereby certifies that it understands the restrictions set forth in this section 3.1 and will comply with them.
3.2 Processing on Legal Requirement. Community may also Process Customer Data where required to do so by applicable law. In such a case, Community shall inform Customer of that legal requirement before Processing unless that law prohibits such information on important grounds of public interest.
3.3 Personnel. Community shall only grant access to Customer Data to authorized personnel who are subject to confidentiality obligations at least as restrictive as those applicable to Community hereunder.
3.4 Cooperation. Community shall reasonably cooperate with Customer by appropriate technical and organizational measures in dealing with requests from Individuals or regulatory authorities regarding Community’s Processing of Customer Data. Community may provide such assistance by enabling Customer and/or Individuals to access, copy, correct or erase Customer Data through the standard functionality of the Service. If such functionality does not exist, to the extent required under applicable Data Protection Law: (a) Community shall respond directly to any Data Subject Requests received by Community with respect to Community Data; and (b) Community shall, upon Customer’s request, provide reasonable cooperation and assistance to assist Customer in responding to any Data Subject Requests received by Customer with respect to Customer Data.
3.5 DPIAs. Community shall, taking into account the nature of the Processing and information available to Community, provide reasonable assistance to Customer in meeting its obligations under Data Protection Law relating to data protection impact assessments and prior consultation with supervisory authorities.
3.6 Data Breach Notifications. Community shall notify Customer without undue delay if Community becomes aware of a Security Incident and provide reasonable cooperation and assistance to Customer in responding to the Security Incident as required by Data Protection Law.
3.7 Audits. At Customer’s request, Community will make available information to Customer which is necessary to demonstrate compliance with this DPA. To the extent Customer’s audit requirements under Data Protection Law cannot reasonably be satisfied through audit reports, documentation or compliance information Community makes generally available to its customers, Community will promptly respond to Customer’s additional audit instructions. Before the commencement of an audit, Customer and Community will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit Community to unreasonably delay performance of the audit. To the extent needed to perform the audit, Community will make the Processing systems, facilities and supporting documentation relevant to the processing of Customer Data by Community and its Subprocessors available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to Community, subject to reasonable confidentiality procedures. Neither Customer nor the auditor will have access to any data from Community’s other customers or to Community systems or facilities not involved in the Service. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Community expends for any such audit, in addition to the rates for services performed by Community. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Community and Community shall promptly cure any material non-compliance.
4. Data Export & Deletion
4.1 Export. Customer may export Customer Data from the Service at any time during the Subscription Term, using the Service’s then-existing features and functionality, at no additional charge. Until such time as such functionality exists, to the extent required under applicable Data Protection Law, Community shall, upon Customer’s request, provide reasonable cooperation and assistance, at Customer’s cost and expense, to provide an export of the relevant Customer Data sought by Customer.
4.2 Deletion. Customer hereby instructs Community at the expiration or earlier termination of the Agreement to delete all Customer Data within Community’s possession or control without undue delay, unless applicable law requires retention. Community is not obligated to delete Customer Data retained in automated archives generated by Community; provided, however, that Customer Data contained in such archives will remain subject to this DPA until such archives are destroyed, or until they no longer include Customer Data (whichever is sooner).
5. Subprocessors
Customer agrees that Community may use the third-party suppliers to Process Customer Data on its behalf for the provision of the Service (each a “Subprocessor”) listed at https://community.com/legal/subprocessors (which shall be updated from time to time). If Customer objects to any new Subprocessor that has been added to the list, it may terminate the Agreement with written notice to Community that includes legitimate and documented grounds for the objection. Community will ensure that any Subprocessors to which it transfers Customer Data enter into written agreements (which may be electronic) with Community requiring that the Subprocessor abide by the same or substantially similar terms as those contained in this DPA. Community has conducted due diligence on its Subprocessors and will remain liable for any breaches of this DPA caused by its Subprocessors.
6. Data Transfers
In the event of a restricted transfer of Customer Data via the Services from the European Economic Area, the United Kingdom, or Switzerland to another territory not recognized by the applicable competent regulatory authority or governmental body as providing an adequate level of protection for Personal Data, the parties will agree to Standard Contractual Clauses. Any transfer of Customer Data from Community to a Subprocessor shall be done in compliance with a permitted legal mechanism or agreement as required under Data Protection Law, including, as applicable, the Standard Contractual Clauses, which Customer authorizes Community to enter into with a Subprocessor on Customer’s behalf.
7. Community Data
7.1 Independent Processing of Community Data. With respect to Community Data (including information submitted by Community Members upon registration), the parties acknowledge that Community is the Controller and an independent controller, as applicable under Data Protection Law, not the Customer’s Processor or a joint controller with Customer. Community will Process Community Data consistent with the Community Privacy Policy (available at: https://www.community.com/privacy-policy). In the event of a transfer of Community Data from Community to Customer, each party shall independently comply with its own obligations under Data Protection Law and parties shall be independent controllers.
7.2 Exports of Community Data. Community may offer Customer the ability to export certain Community Data from the Service, using the Service’s then-existing features and functionality and subject to Community’s policies, terms, and legal obligations. If Customer receives an export of Community Data, then: (a) Customer will Process such Community Data consistent with Customer’s privacy policy; (b) if and to the extent the term “sell” is defined under Data Protection Law, Customer shall not sell such information; and (c) except with Community’s prior written consent, Customer shall not, directly or indirectly, use any included Personal Data to call or send text messages to an individual.
8. Miscellaneous
8.1 Failure to Perform. In the event that changes in law or regulation render performance of this DPA impossible or commercially unreasonable, the parties may renegotiate this DPA in good faith. If renegotiation would not cure the impossibility or the parties cannot reach an agreement, the parties may mutually agree to terminate the DPA for convenience.
8.2 Updates. Community may update the terms of this DPA from time to time; provided, however, Community will provide at least thirty (30) days prior written notice to Customer when an update is (a) required by applicable laws or (b) the result of a merger, acquisition, or other similar transaction. The then-current terms of this DPA are available at https://www.community.com/legal/data-protection-addendum.
8.3 Definitions. In this DPA, the following definitions apply:
“Agreement” means any agreement between Community and Customer relating to Customer’s use of the Services, including any addenda and amendments.
“CCPA” means the California Consumer Privacy Act of 2018.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including, as applicable, any “Controller”, “Business”, “Database Owner”, or “Business Operator”, as defined under the Data Protection Law of the UK or the EEA, California, Israel, and Japan respectively.
“Customer Data” means any Personal Data Processed by Community on Customer’s behalf in connection with its use of the Service (e.g., the login information of Customer’s seats, data collected via custom data fields on behalf of a specific Customer, imported audience lists and CRM data to drive Community sign ups and/or generate audiences on the Services). Customer Data does not include Community Data.
“Data Protection Law” means any applicable data protection laws including national implementing legislation, ordinances, rules, regulations and lawful orders of any public authority to which a party is subject in connection with the Agreement, including, as applicable, the GDPR and the CCPA.
“Data Subject Request” means a request from an Individual to exercise data privacy rights afforded to them under applicable Data Protection Law.
“GDPR” means (a) the General Data Protection Regulation 2016/679 and (b) the General Data Protection Regulation 2016/679 as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
“Individual” means participants of the Services subject to Data Protection Law (e.g., Community Members, imported persons) and Authorized Users of the Customer.
“Personal Data” means any “Personal Data”, “Personal Information”, or similar term as defined under applicable Data Protection Law, or, where undefined, information that relates, directly or indirectly, to an identified or identifiable Individual.
“Process” or “Processing” means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity that Processes Personal Data on behalf of a Controller, including a “Processor”, “Service provider”, or “Holder” as defined by the Data Protection Law of the UK or EEA, California, and Israel, respectively.
“Community Data” means any Personal Data collected by Community, including user registration data for its Services (e.g., the name, date of birth, gender identity, city, email, and phone number of an individual signing up as a Community Member), any related user data Processed by Community in connection with use of the platform (e.g., timestamp for join date, message content), and phone numbers, messages, and metadata from incoming texts to Community Leaders. For clarity, Community Data does not include Customer Data, such as imported audiences prior to such Individuals signing up to be a Community member.
“Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party or confirmed accidental or unlawful destruction, loss or alteration of Customer Data.
“Services” means any service or product provided to Customer by Community.
“Standard Contractual Clauses” means the relevant standard contractual clauses approved under applicable Data Protection Law to enable the cross-border transfer of Personal Data, including any approved amendments, updates or replacements thereof that may be issued by the relevant authority (e.g., the European Commission in the EEA). Specifically, it refers to the following:
UK – the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”) and the Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC. The illustrative indemnification clauses will not apply. Annex A serves as the Details of Processing schedules and Annex B serves as the Technical and Organizational Security Measures schedules, as applicable.
EEA and Switzerland – the Standard Contractual Clauses approved by the European Commission in decision 2021/914, with the following modifications to each Module as applicable: 1) Clause 7 shall not apply; 2) Option B shall be selected for Clause 9; 3) the optional language of Clause 11 shall be removed; 4) for any blank sections where an EEA member state must be specified, Ireland shall be selected. Annex A of this DPA shall serve as Annex I; Annex B shall serve as Annex II.
8.4 Interpretation. References in this DPA to Customer shall be understood to include any Community Leader, as applicable. Nothing in this document shall signify that Community offers or plans to offer Services in any particular country, even when a country or its laws are explicitly named or otherwise referenced.
8.5 Severability. The provisions of this DPA are severable. If any phrase, clause or provision is invalid, inapplicable, or unenforceable in whole or in part, such invalidity, inapplicability, or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.
Annex A
Additional Details Regarding Processing
Part A
Community:
Contact details: privacy@community.com
Data Exporter and Data Importer Role: See Part B.
Signature and Date: By entering into the Agreement, parties are deemed to have signed this DPA and Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Customer:
Contact details: the email address(es) for the Customer’s Community account.
Data Exporter and Data Importer Role: See Part B.
Signature and Date: By entering into the Agreement, parties are deemed to have signed this DPA and Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Part B
Customer Data Processed by Community (Controller-to-Processor transfers):
Data Exporter: Customer
Data Importer: Community
Leader Account Information (Customer Data):
- Data categories – Customer’s name, email, password, profile name, profile picture, voicemail messages, automated text message templates, and other account information
- Sensitive data – Any sensitive data submitted by Customer
- Data subjects – Customers and Individuals authorized to use the Service on the Customer’s behalf
- Frequency – Continuous basis for the duration of the Agreement
- Processing operations – Providing the Service to Customer in accordance with the Agreement (including by permitting Community Leaders to send or receive messages from Individuals, and storing, structuring, and retrieving Customer Data)
- Duration – The duration of the Agreement to which this DPA relates
- Subprocessors – A list of subprocessors is available here and will be updated from time to time: https://community.com/legal/subprocessors
Imported Audience Information (Customer Data):
- Data categories – Phone numbers, names, demographic and similar audience information, and any other information submitted to Community
- Sensitive data – Any sensitive data imported by Customer
- Data subjects – Customer imported audiences
- Frequency – On each data import containing such information
- Processing operations – Sending messages to Individuals included in Customer Data, augmenting or matching Community Data with Customer Data, analyzing responses
- Duration – The duration of the Agreement to which this DPA relates
- Subprocessors – A list of subprocessors is available here and will be updated from time to time: https://community.com/legal/subprocessors
Transfer of Community Data (Controller-to-Controller transfers):
Data Exporter: Community
Data Importer: Customer (Community may transfer Community Data to Customer to provide the Services as permitted under Community’s functionality, policies, and applicable laws, such as when a Community Member consents to share their personal info with a particular Leader).
Community Member Data (Community Data):
- Data categories – Name, email, phone number, community groups, message content (collected both before and after registration), and other member information
- Sensitive data – Any sensitive information submitted by Community Members
- Data subjects – Community Members that have subscribed to a particular Customer
- Frequency – On each data export or sync containing such information
- Processing operations – Data exports or integration/syncing with Customer service (e.g., to migrate a customer list to another service)
- Duration – The duration of the Agreement to which this DPA relates
- Subprocessors – A list of subprocessors is available here and will be updated from time to time: https://community.com/legal/subprocessors
Part C
The Irish Data Protection Commission shall be the competent supervisory authority in the EEA, if and to the extent applicable.
Annex B
Security Measures
Community maintains a written information security program (WISP) that defines the policies, processes, and other administrative and technical controls that apply to Community’s processing of Customer Data. The WISP directly specifies an owning individual who is responsible for both annually reviewing and continuously executing the WISP. The WISP includes the following measures:
Access Control
- Community follows a data handling and classification policy. Only authorized employees and contractors with a business need can access Customer Data.
- Community’s systems require authentication and are integrated with single sign-on and multi-factor authentication whenever possible.
- Community monitors repeated attempts to gain access to the Service using an invalid password.
- Community maintains a password policy in accordance with NIST Special Publication 800-63B.
- When required, access is revoked following a regularly reviewed checklist.
- Access to Community’s production systems is restricted to employees and contractors with a direct business need and is controlled via group membership.
Data Security
- Community delivers security awareness training to all newly hired employees that informs them of Community’s expectations around their security behavior.
- Except for SMS messages which, by necessity, must be unencrypted for transmission over carrier networks, Community encrypts Customer Data at rest and in transit.
- Community collects, monitors and alerts on log information from the Service.
- Community maintains appropriate backups to ensure the availability of Customer Data.
- Community manages all hardware used by employees and contractors with access to Customer Data, including installing and operating antivirus software.
- Community operates a vulnerability management program, reporting to Product and Engineering leadership. This program executes our vulnerability management process, which assigns severity-based SLAs for remediation.
- Community engages in external and internal security assessments regularly.
- Passwords are stored cryptographically hashed following industry best practices.
Physical Security
- Community does not currently operate an office, as all employees and contractors are working remotely.
- The Service is hosted by Amazon Web Services (AWS). For more information on AWS’s physical security controls, please refer to their security whitepaper https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.