THIS COPY IS PROVIDED AS A COURTESY ONLY AND DOES NOT CONSTITUTE LEGAL ADVICE.

Download as PDF

Legal

Data Processing Addendum

Last Updated: October 12, 2023

The Data Processing Addendum (the DPA) below is a template and is provided solely for convenience to allow current and prospective customers the ability to view these terms prior to execution. The template below is not legally binding on you or ActiveCampaign without execution.

To enter into a binding version of the DPA, you must first create an ActiveCampaign account pursuant to which you accept the ActiveCampaign Terms of Service.

You can then access an executable version of the DPA in the settings of your ActiveCampaign account. You must execute a DPA with ActiveCampaign in order for the DPA to be legally binding. This DPA form applies to ActiveCampaign customers who require a DPA with ActiveCampaign in connection with their legal requirements.

Please note: not all customers will need to sign a DPA. If you are unsure whether you require a DPA with ActiveCampaign, your legal advisors will be able to assist you in making that determination.

If you are an ActiveCampaign reseller, affiliate, or agency partner, please contact ActiveCampaign support for a partner specific agreement.

ActiveCampaign Data Processing Addendum

This Data Processing Addendum (“Addendum”) supplements the Terms of Service, located at https://www.activecampaign.com/legal/terms-of-service or its successor URL (the “Agreement”), between the client signing this Addendum (“Client”) and ActiveCampaign, LLC (“Company”), is effective as of the date of last signature of a party below, and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this Addendum will have the meaning given to them in the Agreement. Pursuant to the Agreement, Company may make changes to this Addendum by posting the amended Addendum on the Company website. The amended Addendum will be effective as of the time it is posted but will not apply retroactively. Client’s continued use of the Services after posting of the amended Addendum constitutes Client’s acceptance of the amended Addendum. In the event of any inconsistency or conflict between this Addendum and the Agreement, or any other data processing addendum(s) executed by the same parties hereto, this Addendum will govern, supersede and prevail. Client and Company agree as follows:

1.  Personal Information. In connection with providing the Services, Company will be Processing Personal Information on behalf of Client. “Personal Information” means information that relates, directly or indirectly, to an identified or identifiable person (a “Data Subject”), which may include names, email addresses, postal addresses, or online identifiers, that is included in Contact Data. Where required by Applicable Law (defined below), any specific categories of Personal Information that Company will Process in connection with the Agreement are set forth in Schedule 1 (Scope of Processing). As between Client and Company, all Personal Information is the sole and exclusive property of Client. Client will be solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Personal Information.

2. Company and Client Responsibilities. The parties acknowledge and agree that: (a) Company is a processor and/or service provider, as applicable, with respect to Personal Information under Applicable Law; (b) Client is a controller and/or business with respect to Personal Information under Applicable Law; and (c) each party will comply with the obligations applicable to it under Applicable Law with respect to the Processing of Personal Information.

3. Company Responsibilities. “Process” or “Processing” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as the access, collection, use, storage, disclosure, dissemination, combination, recording, organization, structuring, adaption, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure and/or destruction of Personal Information. As a part of the Services, Company will:

(a)      Process Personal Information solely in accordance with Client’s documented instructions. Without limiting the foregoing, Company will not: (i) retain, use, or disclose Personal Information outside of its direct business relationship with Client, or for any purpose (including a commercial purpose) other than as necessary for the specific purpose of performing the Services in accordance with the Agreement or as permitted by Applicable Law; and (ii) sell or share the Personal Information;

(b)      Process Personal Information in accordance with all data protection and privacy laws, rules, and regulations that apply to Company’s provision, and Client’s use, of the Services, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the GDPR as incorporated into United Kingdom law (“UK GDPR”), the California Consumer Privacy Act (“CCPA”), the Brazilian General Data Protection Law (“LGPD”) and the Privacy Act 1988 of Australia (Cth) (“Australian Privacy Act”) (collectively, “Applicable Law”);

(c)      not disclose Personal Information to any third party without first, except to the extent prohibited by Applicable Law, (i) notifying Client of the anticipated disclosure (so as to provide Client the opportunity to oppose the disclosure and obtain a protective order or seek other relief); (ii) obtaining Client’s prior consent to the disclosure; or (iii) imposing contractual obligations on the third party recipient that are at least equivalent to those obligations imposed on Company under this Addendum;

(d)      amend, correct, or erase Personal Information at Client’s written request and provide a means for Client to update and make accurate Personal Information Processed by Company;

(e)      notify Client of any third party request (by a Data Subject or otherwise) to (i) restrict the Processing of Personal Information; (ii) port Personal Information to a third party; or (iii) access, rectify, or erase Personal Information. Company will use commercially reasonable efforts to assist Client, at Client’s reasonable written request, in complying with Client’s obligations under Applicable Law to respond to requests and complaints directed to Client with respect to Personal Information Processed by Company, to the extent that Client does not have access to such Personal Information through Client’s use of the Services;

(f)      at the reasonable written request of Client, cooperate and assist Client in conducting a data protection impact assessment, where required by Applicable Law;

(g)      ensure that Company personnel Processing Personal Information are subject to obligations of confidentiality; and

(h)      keep all Personal Information compartmentalized or otherwise logically distinct from other information of Company or its personnel, suppliers, customers or other third parties.

Company will use commercially reasonable efforts to inform Client if Company becomes aware or reasonably suspects that Client’s instructions regarding the Processing of Personal Information may breach any Applicable Law. Notwithstanding the foregoing, Client acknowledges and agrees that such notification will not constitute a general obligation on the part of Company to monitor or interpret the laws applicable to Client and such notification will not constitute legal advice to Client.

4.  Sub-processors. Company will not engage another processor to Process Personal Information on behalf of Client for the purpose of fulfilling Company’s obligations with respect to the provision of the Services under the Agreement (a “Sub-processor”) without authorization from Client. Company will be responsible to Client for any material failure of a Sub-processor to fulfill Company’s data protection obligations as set forth in this Addendum. Client hereby provides its general written authorization for Company to engage Sub-processors. Company will notify Client of the appointment of any new Sub-processors by way of updating Company’s Sub-processor webpage located at https://www.activecampaign.com/legal/subprocessors (or such successor URL as determined by Company in its sole discretion) (the “Sub-processor Webpage”). If within 7 days of Company posting such update, Client does not notify Company in writing of any objections (on reasonable grounds relating to the protection of Personal Information) to the appointment, it will be deemed that Client has consented to the appointment.

5.  Data Transfers. Where required by Applicable Law, Company will not transfer any Personal Information from one country to another without Client’s prior written consent, which Client shall not unreasonably withhold, and which Client hereby provides as required for Company’s provision of Services under the Agreement. Where Client consents to such transfer, the transfer will be in accordance with Applicable Law and with the following:

(a)      Company has certified its compliance to the EU-U.S. Data Privacy Framework Principles, including as applied under the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework Principles (collectively, the “DPF Principles”) with the U.S. Department of Commerce (the “Department”) in respect of the Processing of Personal Information received from the European Economic Area, the United Kingdom or Switzerland. Where required by Applicable Law and at Client’s written request, Company will provide commercially reasonable assistance to Client in responding to requests from the Department or other applicable data protection regulators in the U.S., the European Economic Area, the United Kingdom and Switzerland related to compliance with the DPF Principles. Upon request of the Department, Company may disclose the terms of this Addendum to the Department.

(b)      Alternatively, where required by Applicable Law or at the election of Client, any regulated data transfer will be conducted pursuant to the Standard Contractual Clauses promulgated by the European Commission Decision 2021/914/EU under Module Two (transfer controller to processor) (the “Standard Contractual Clauses”) and the International Data Transfer Addendum issued by the United Kingdom Information Commissioner under section 119(A)(1) of the Data Protection Act 2018 (the “UK Addendum”), but in each case only if and to the extent executed by the parties and incorporated as a link in a Schedule to this Addendum. Client may access executable copies of the Standard Contractual Clauses and the UK Addendum through the settings within Client’s ActiveCampaign account console. Subject to signature by the parties of this Addendum, the Standard Contractual Clauses, and, as applicable, the UK Addendum, the following terms will apply:

(i)      Client will be referred to as the “data exporter” and Company will be referred to as the “data importer” in the Standard Contractual Clauses and, as applicable, the UK Addendum;

(ii)      Details in Schedule 1 of this Addendum and the Sub-processor Webpage will be used to complete Annex I.B of the Standard Contractual Clauses and, as applicable, Table 3 of the UK Addendum;

(iii)      Details of Section 6 of this Addendum will apply in addition to those in Annex II of the Standard Contractual Clauses and, as applicable, Table 3 of the UK Addendum;

(iv)      The optional Clause 7 (Docking Clause) will not be included in the Standard Contractual Clauses;

(v)      In Table 4 of the UK Addendum, both the data importer and the data exporter may end the UK Addendum in accordance with the terms of the UK Addendum; and

(vi)      If there is any conflict between the Standard Contractual Clauses or the UK Addendum and the terms of this Addendum or the Agreement, the Standard Contractual Clauses or, as applicable, the UK Addendum will prevail.

(c)      For clarity, neither the Standard Contractual Clauses nor the UK Addendum will be deemed executed or binding unless each of this Addendum and the various signature blocks within the Standard Contractual Clauses and, as applicable, the UK Addendum has been signed by both Company and Client.

6. Security Safeguards. Company will implement and maintain appropriate technical and organizational measures consistent with industry standards to protect and ensure the confidentiality, integrity, and availability of Personal Information.

7.  Audits. Where required by Applicable Law, at Client’s reasonable request and with advance written notice, Company will make available to Client such records and information as is necessary to demonstrate its compliance with this Addendum (“Audit Information”) and allow an independent third party to conduct an audit to verify such compliance on behalf of Client. Client acknowledges and agrees that Client will exercise its audit rights under this Addendum by instructing Company to comply with the audit measures described in this Section. Company will provide to Client, no more than once a year, Company’s latest available security package, which will include a copy of Company’s SOC 2 Type 2 report, upon Client’s written request and on the condition that the parties have a separate non-disclosure agreement in place which protects such security package as Company’s confidential information.  In the event that Client requires additional Audit Information after having reviewed such security package, Company will use commercially reasonable efforts to respond to all reasonable requests for information made by Client in writing necessary to confirm Company’s compliance with this Addendum, subject to the strictest confidentiality obligations.

8.  Security Breach. If Company becomes aware of any actual Security Breach (defined below), Company will take commercially reasonable efforts to, without undue delay: (a) notify Client of the Security Breach and any third-party legal processes relating to the Security Breach; and (b) help Client investigate, remediate, and take any action required under Applicable Law regarding the Security Breach. “Security Breach” means a breach of security leading to any unlawful or accidental loss, destruction, alteration, or unauthorized Processing of Personal Information under Company’s possession or control, that is notifiable under Applicable Law. The obligations in this Section do not apply to incidents that are caused by Client or Client’s personnel or users or to unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. Company’s obligation to notify a Security Breach under this Section is not and will not be construed as an acknowledgement by Company of any fault or liability of Company with respect to such Security Breach. Prior to making any Security Breach notification that names Company or from which Company’s identity could reasonably be determined, Client agrees to timely provide Company with a draft for discussion on the content of its intended Security Breach notification and this draft will be discussed in a timely fashion and in good faith between the parties, provided however that Client will not be required to prejudice its obligations under Applicable Law.

9.  Return or Destruction of Personal Information. Upon termination of the Agreement and written request by Client, Company will return all Personal Information to Client or destroy all Personal Information and all copies thereof (excluding any backup or archival copies which will be deleted in accordance with Company’s data retention schedule), except to the extent that Company is required or allowed by Applicable Law to keep a copy of Personal Information for a specified period of time.

10.  DISCLAIMER. COMPANY MAKES NO REPRESENTATION OR WARRANTY THAT THIS ADDENDUM IS LEGALLY SUFFICIENT TO MEET CLIENT’S NEEDS UNDER APPLICABLE LAW, INCLUDING THE GDPR, UK GDPR, CCPA, LGPD AND AUSTRALIAN PRIVACY ACT. COMPANY EXPRESSLY DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, THROUGH A COURSE OF DEALING, OR OTHERWISE THAT THIS ADDENDUM WILL COMPLY WITH OR SATISFY ANY OF CLIENT’S OBLIGATIONS UNDER APPLICABLE LAW, INCLUDING THE GDPR, UK GDPR, CCPA, LGPD AND AUSTRALIAN PRIVACY ACT. CLIENT FULLY UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE FOR COMPLYING WITH ALL OF ITS OBLIGATIONS IMPOSED BY APPLICABLE LAW. THE PARTIES AGREE THAT THERE WILL BE NO PRESUMPTION THAT ANY AMBIGUITIES IN THIS ADDENDUM WILL BE CONSTRUED OR INTERPRETED AGAINST THE DRAFTER.

SCHEDULE 1
Scope of Processing

Subject Matter of Processing: The context for the Processing of Personal Information is Company’s provision of Services under the Agreement.

Duration of Processing: The duration of the Processing of Personal Information is subject to the term of this Addendum and the Agreement. This Addendum will terminate simultaneously and automatically with the termination of the Agreement.

Nature and Purpose of Processing: Company specializes in the development of email marketing, marketing automation, sales, CRM, contact management, and business marketing services. Client, as a client of Company, uses the Services to process Personal Information of its customers or contacts for marketing and related customer relationship management purposes on a continuous basis. Company stores the Personal Information on its servers and processes such Personal Information only for the purposes of, and in accordance with, the instructions of Client and does not make any decisions itself as to the use, updating, or deletion of Personal Information.

Types of Personal Information: The Personal Information may concern the following categories of data, the extent of which is determined by Client in its sole discretion: contact details including name, address, telephone or mobile number, fax number and email address; details of goods and/or services which customers/potential customer have purchased or inquired about; IP address; place of employment; occupation; personal interests; and other Personal Information collected and provided by Client in connection with Client’s use of the Services.

Categories of Data Subjects: The Personal Information concerns the following categories of data subjects: customers and prospective customer of Client and other marketing contacts determined by Client in connection with Client’s use of the Services.

SCHEDULE 2
Standard Contractual Clauses

As applicable, a link to the Standard Contractual Clauses is available here: https://www.activecampaign.com/legal/newscc

SCHEDULE 3
UK Addendum

As applicable, a link to the UK Addendum is available here: https://www.activecampaign.com/legal/ukaddendum