This Data Processing Addendum (the “Addendum”) is made by and between Honeybook, Inc. (“Honeybook”) and you. This Addendum is incorporated into the Terms of Service or other written agreement (“Agreement”) between Honeybook and you that incorporates this Addendum. Your use of the Service constitutes your acceptance of the Agreement and this Addendum. This Addendum apppes in respect of Honeybook’s provision of the Services to you if the Processing of Customer Personal Data (as defined below) is subject to the GDPR, only to the extent you are a Controller and Honeybook is a Processor of Customer Personal Data. This Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR. This Addendum shall be effective for the term of the Agreement.
1.1. For the purposes of the Addendum:
1.1.1. Customer Personal Data means the Personal Data described under Section 2 of this Addendum, in respect of which you are the Controller;
1.1.2. Data Protection Legislation means the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent apppcable, in any other country, as amended, repealed, consopdated or replaced from time to time;
1.1.3. GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parpament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; and
1.1.4. Personal Data, Data Subject, Personal Data Breach, Process, Processor and Controller will each have the meaning given to them in the GDPR.
1.2. Capitapzed terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2.1. Categories of Data Subjects. This Addendum applies to the Processing of Customer Personal Data relating to the clients that you interact with through the Services.
2.2. Types of Personal Data. Customer Personal Data includes Personal Data, the extent of which is determined and controlled by you in your sole discretion, such as names, contact information, and financial information.
2.3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Honeybook is the provision of the Services to you that involves the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities which Honeybook needs to perform in order to provide the Services pursuant to the Agreement.
2.4. Purpose of the Processing. Customer Personal Data will be Processed by Honeybook for purposes of providing the Services set out into the Agreement.
2.5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 11 of this Addendum.
3.1. The parties acknowledge and agree that you are the Controller of Customer Personal Data and Honeybook is the Processor of that data. Honeybook will only Process Customer Personal Data as a Processor on behalf of and in accordance with this Addendum and your prior written instructions, including with respect to transfers of personal data. You hereby instruct Honeybook to Process Customer Personal Data to the extent necessary to enable Honeybook to provide the Services in accordance with the Agreement.
3.2. If Honeybook cannot process Customer Personal Data in accordance with your instructions due to a legal requirement under any applicable European Union or Member State law, Honeybook will (i) promptly notify you of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as you issue new instructions with which Honeybook is able to comply. If this provision is invoked, Honeybook will not be liable to you under the Agreement for failure to perform the Services until such time as you issue new instructions.
3.3. The parties will comply with their respective obligations under the Data Protection Legislation. You shall ensure that you have obtained (or will obtain) all rights and consents (if required) which are necessary for Honeybook to Process Customer Personal Data in accordance with this Addendum.
4.1. In connection with the performance of the Agreement, Customer authorizes Honeybook to Process Customer Personal Data associated with Data Subjects from the European Economic Area and/or Switzerland (collectively “EEA”) in the United States, whether Honeybook transfers Customer Personal Data from the EEA or whether receives Customer Personal Data from the EEA that was already transferred by Customer.
4.2. Honeybook has certified to the Privacy Shield framework as administered by the U.S. Department of Commerce (the “Privacy Shield”) and commits to comply with its obligations for the Customer Personal Data transferred under the Privacy Shield throughout the term of this Addendum.
4.3. If Honeybook is not able to comply with its Privacy Shield obligations, it will nevertheless provide an adequate level of protection for Customer Personal Data, wherever processed, in accordance with the requirements of applicable data protection law.
5.1. Honeybook will ensure that any person whom Honeybook authorizes to Process Customer Personal Data on its behalf is subject to confidentiality obligations in respect of that Customer Personal Data.
6.1. Honeybook will implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
6.2. Honeybook will, at your request and subject to you paying all of Honeybook’s fees at prevailing rates, and all expenses, provide you with reasonable assistance as necessary for the fulfilment of your obligation to keep Customer Personal Data secure.
7.1. You authorize Honeybook to appoint sub-Processors to perform specific services on Honeybook’s behalf which may require such sub-Processors to Process Customer Personal Data. Honeybook will inform you of any intended changes concerning the addition or replacement of any sub- Processors and You will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
7.2. Honeybook will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Honeybook under this Addendum. Where any of its sub-Processors fails to fulfil its data protection obligations, Honeybook will be liable to you for the performance of its sub-Processors’ obligations.
8.1. Honeybook will, at your request and subject to you paying all of Honeybook’s fees at prevailing rates, and all expenses, provide you with assistance necessary for the fulfilment of your obligation to respond to requests for the exercise of Data Subjects’ rights. Honeybook shall not respond to such requests without your prior written consent and written instructions. You shall be solely responsible for responding to such requests.
9.1. Honeybook will notify you as soon as practicable after it becomes aware of any of any Personal Data Breach affecting any Customer Personal Data. At your request and subject to you paying all of Honeybook’s fees at prevailing rates, and all expenses, Honeybook will promptly provide you with all reasonable assistance necessary to enable you to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if you is required to do so under the GDPR. You are solely responsible for complying with data incident notification requirements applicable to you and fulfilling any third-party notification obligations related to any data incidents.
10.1. Honeybook will, at your request and subject to you paying all of Honeybook’s fees at prevailing rates, and all expenses, provide you with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if you are required to engage in such activities under the GDPR, and solely to the extent that such assistance is necessary and relates to the Processing by Honeybook of the Customer Personal Data, taking into account the nature of the Processing and the information available to Honeybook.
11.1. Honeybook will return or delete, at your choice, Customer Personal Data to you after the end of the provision of Services relating to the Processing, and delete existing copies unless the applicable European Union or member state law requires storage of the data.
12.1. Honeybook will, at your request and subject to you paying all of Honeybook’s fees at prevailing rates, and all expenses, provide you with all information necessary to enable you to demonstrate compliance with your obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, to the extent that such information is within Honeybook’s control and Honeybook is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year. Honeybook will immediately inform you if, in its opinion, an instruction from you infringes the Data Protection Legislation.
13.1. Each party’s liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
13.2. You acknowledge that Honeybook is reliant on you for direction as to the extent to which Honeybook is entitled to Process Customer Personal Data on behalf of you in performance of the Services. Consequently Honeybook will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Honeybook, to the extent that such action or omission resulted directly from your instructions or from your failure to comply with your obligations under the Data Protection Legislation.
14.1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.