Constant Contact Data Processing Addendum

Last updated January 24, 2019

This data processing addendum forms part of the Constant Contact API Terms and Conditions the (“API Terms and Conditions”) and is between Constant Contact, Inc. at 1601 Trapelo Road, Waltham, Massachusetts 02451, United States (“Constant Contact”) and the developer agreeing to the API Terms and Conditions (the “Developer”) and incorporates the terms and conditions set out in the Schedules hereto (the “Addendum”).

The Parties to this Addendum hereby agree to be bound by the following terms and conditions, including the attached Schedules as applicable with effect from the effective date of the API Terms and Conditions (the “Effective Date”).

  1. Application of the terms in this Addendum
    1. Pursuant to the API Terms and Conditions, the Developer is permitted to use Constant Contact’s API and provide Offerings to Users by leveraging the Constant Contact Products.
    2. In the event the Offering provided to Users by the Developer involves:
      1. Constant Contact Processing Personal Data on behalf of the Developer, the terms set out in Schedule 1 shall apply; and
      2. the sharing of Personal Data between the Developer and Constant Contact where each party determines the purpose and means of Processing of such Personal Data independently, the terms set out in Schedule 2 shall apply.
    3. In the event of any conflict or discrepancy between the terms of the API Terms and Conditions and this Addendum, the terms of this Addendum shall prevail, to the extent of the conflict.
  2. Definitions
    1. For the purposes of this Addendum, all terms defined in the API Terms and Conditions have the same meaning in this Addendum except for the following expressions, which bear the following meanings unless the context otherwise requires:

      Data Protection Laws” means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (the “e-Privacy Directive”) and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument implementing or supplementing the GDPR and the e-Privacy Directive (in each case as amended, consolidated, re-enacted or replaced from time to time);

      Processor Model Clauses” means the standard contractual clauses for the transfer of Personal Data to Processors established in Third Countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016;

      Controller Model Clauses” means the standard contractual clauses for the transfer of Personal Data to controllers established in third countries set out in the European Commission Decision 2004/915/EC as set out in Annex 1 and any amendments or replacements to such decision;

      Personal Data”, “Process”, “Processed”, “Processing”, “Supervisory Authority”, “Personal Data Breach” or “Data Subject” have the meaning given in the GDPR;

      Purpose” means enabling the Developer to provide Offerings to Users by leveraging the Constant Contact Products in accordance with the API Terms and Conditions; and

      Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.

  3. Indemnity and Liability
    1. The Developer shall indemnify and hold harmless Constant Contact on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Constant Contact arising directly or indirectly from a breach of this Addendum or any Data Protection Laws. For the avoidance of doubt, the indemnity and limitation of liability provisions set out in the API Terms and Conditions apply to this Addendum.
  4. Law and Jurisdiction
    1. This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the Commonwealth of Massachusetts and each party hereby submits to the jurisdiction of the federal or state courts located in Boston, Massachusetts.

SCHEDULE 1
TERMS FOR PROCESSING PERSONAL DATA ON DEVELOPERS BEHALF

1.Details of Processing

1.1Constant Contact shall Process the Personal Data on behalf of the Developer for the Purpose, which will include the following processing activities: storage, retrieval, use, disclosure, erasure, destruction and access of the Personal Data.

1.2The duration of the Processing shall be for the term of the API Terms and Conditions.

1.3The category of Data Subject is the Users and the Personal Data Processed by Constant Contact includes and shall be limited to the following categories of data: (i) identification and contact information (such as name, email address, address, title and contact details) of Users’ customers and other contacts; (ii) information gathered in connection with enabling the Developer to provide Offerings to Users relating to Users’ contacts, including (a) analytics and information about marketing emails sent by Constant Contact on behalf of User (including open rates and similar usage data) and (b) device, browser and information related to Users’ contacts identified through use of the Offerings.

1.4The Personal Data Processed by Constant Contact may contain special categories of Personal Data.

2.Constant Contact’s Obligations

2.1Constant Contact shall only Process Personal Data on behalf of Developer in accordance with the instructions of the Developer. The parties agree that this Addendum together with the API Terms and Conditions comprise the Developer’s instructions. If Constant Contact cannot provide such compliance for whatever reason (including if the instruction violates Data Protection Laws), it agrees to inform Developer of its inability to comply as soon as reasonably practicable.

2.2Constant Contact shall ensure that its personnel who are authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.3Constant Contact shall implement and hold in force for the term of this Addendum specific technical and organizational security measures as required by the GDPR which are further detailed at https://www.constantcontact.com/legal/security (the “Security Policy”).

2.4Constant Contact shall notify Developer promptly upon receipt by Constant Contact of a request from a User seeking to exercise any of their rights under Data Protection Laws. Taking into account the nature of the Processing, Constant Contact shall, at Developer’s expense, assist Developer by appropriate technical and organizational measures, for the fulfilment of Developer’s obligation to respond to requests by Data Subjects to exercise their rights under Chapter III of the GDPR (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing).

2.5Taking into account the nature of the Processing under the API Terms and Conditions and the information available to Constant Contact, Constant Contact shall, insofar as possible and at Developer’s expense, assist Developer in carrying out its obligations under Articles 32 to 36 of the GDPR and any other Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with Supervisory Authorities. Constant Contact shall promptly notify Developer about any Personal Data Breach of the Personal Data Processed on behalf of the Developer.

2.6Upon termination of the Processing of Personal Data on behalf of the Developer by Constant Contact and at the choice of Developer, Constant Contact shall either (i) delete all Personal Data; or (ii) return all Personal Data to the Developer and delete existing copies unless applicable law requires storage of the Personal Data.

2.7Constant Contact shall upon written request from Developer from time to time provide Developer with all information necessary to demonstrate compliance with the obligations laid down in this Addendum. Constant Contact shall permit Developer or a third party authorized by it and which is not a competitor of Constant Contact, to carry out audits and inspections of the processing of Personal Data by the Constant Contact, on reasonable notice in normal business hours. Constant Contact may require a third party auditor to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. Unless such audit or inspection has been necessitated by a material breach by Constant Contact of the terms of this Addendum, such audits and inspections shall be carried out at Developer’s expense.

2.8Developer acknowledges and agrees that Constant Contact may, or may appoint an affiliate or third party subcontractor to, Process the Developer’s Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of Data Protection Laws. Developer hereby consents to Constant Contact’s access to Personal Data from the United States for the Purpose.

2.9Developer acknowledges and agrees that Constant Contact relies solely on Developer for direction as to the extent to which Constant Contact is entitled to access, use and process Personal Data. Consequently, Constant Contact is not liable for any claim brought by Developer or a data subject arising from any action or omission by Constant Contact to the extent that such action or omission resulted from Developer’s instructions.

3.Developer’s Obligations

3.1.1Developer warrants that it has complied and continues to comply with the Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Constant Contact and enable the Processing of the Personal Data by the Constant Contact as set out in this Addendum and as envisaged by the API Terms and Conditions.

4.Sub-Contracting

4.1Developer hereby consents to the use by Constant Contact of the Subcontractors set out in the list of third party subprocessors accessible at https://www.endurance.com/privacy/third-party-data. If Constant Contact appoints a new Subcontractor to Process Personal Data, it shall provide Developer with twenty (20) business days’ prior written notice, during which Developer can object to the appointment. If Developer does not object, Constant Contact may proceed with the appointment. Constant Contact ensures that it has a written agreement in place with all Subcontractors which contains obligations on the Subcontractor which are no less onerous on the relevant Subcontractor than the obligations on Constant Contact under this Addendum.

5. Transfers outside the EEA

5.1The Developer acknowledges and agrees that the Constant Contact may Process the Personal Data in the United States in accordance with the Constant Contact’s Privacy Shield certification which can be accessed here. In the event the Privacy Shield is invalidated, where Constant Contact processes, accesses, and/or stores Personal Data in any Third Country and the Developer transfers Personal Data from the European Economic Area, Constant Contact shall comply with the data importer’s obligations set out in the Processor Model Clauses, which are hereby incorporated into and form part of this Addendum and Developer shall comply with the data exporter’s obligations. The processing details set out at Clause 4 of this Schedule 1 of this Addendum shall apply for the purposes of Appendix 1 of the Processor Model Clauses and the terms of the Security Policy apply for the purposes of Appendix 2 of the Processor Model Clauses. Developer hereby grants Constant Contact a mandate to execute the Processor Model Clauses, for and on behalf of Developer, with any relevant subcontractor (including affiliates) it appoints.

SCHEDULE 2
TERMS FOR INDEPENDENT PROCESSING FOR OWN PURPOSES

1.Details of Processing

1.1This Schedule 2 applies to the extent that each party independently determines the purpose and means of Processing of the Personal Data shared in connection with the API terms and conditions.

1.2The category of Data Subject is the Users and the categories of data shared includes and shall be limited to the following: (i) identification and contact information (such as name, email address, address, title and contact details) of Users’ customers and other contacts; (ii) information gathered in connection with enabling the Developer to provide Offerings to Users relating to Users’ contacts, including (a) analytics and information about marketing emails sent by Constant Contact on behalf of Users (including open rates and similar usage data) and (b) device, browser and information related to Users’ contacts identified through use of the Offerings. The Personal Data may contain special categories of Personal Data.

1.3The sharing of Personal Data is for the Purpose, and Constant Contact’s business purposes, including marketing.

1.4The recipients of the Personal Data shall be the Constant Contact and its affiliates, advisors and service providers.

2.Developer Obligations

2.1The Developer shall only Process the Personal Data for the Purpose and in accordance with the terms of the API Terms and Conditions, including this Addendum.

2.2The Developer shall comply with Data Protection Laws, including implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing.

2.3The Developer shall promptly assist Constant Contact in complying with any:

  2.3.1  data subject rights request under the GDPR that Constant   Contact may receive from any individuals to whom any Personal   Data shared by the Developer relates; and

  2.3.2  duties to cooperate with supervisory authorities under the   GDPR.

2.4The Developer shall promptly report any Personal Data Breach of the Personal Data of the Users to Constant Contact.

2.5In addition to the requirements set out in clause 1.2 with respect to ensuring all Users agree to the User Agreements, the Developer agrees to do so in a manner that enables Constant Contact to Process the Personal Data shared with Constant Contacts as contemplated by this Schedule 2 in accordance with Data Protection Laws, including by obtaining all necessary consents on behalf of Constant Contact and providing all necessary privacy policies, including as directed by Constant Contact.

3Transfers outside the EEA

3.1The Developer acknowledges and agrees that the Constant Contact may Process the Personal Data in the United States in accordance with the Constant Contact’s Privacy Shield certification which can be accessed here. In the event the Privacy Shield is invalidated, where Constant Contact processes, accesses, and/or stores Personal Data in any Third Country and the Developer transfers Personal Data from the European Economic Area, Constant Contact shall comply with the data importer’s obligations set out in the Controller Model Clauses, which are hereby incorporated into and form part of this Addendum and Developer shall comply with the data exporter’s obligations. For the purposes of the Controller Model Clauses, the parties agree that option (iii) in clause 2(h) of the Controller Model Clauses has been chosen and the information required by Annex B of the Controller Model Clauses is set out in clause 8 to this Schedule 2 of this Addendum.

Copyright © 1996-2018, Constant Contact, Inc.

Back to Top