PickMyCall Data Privacy Agreement
DATA PROCESSING AGREEMENT/addendum
This Data Processing Agreement (“DPA”) forms part of the Terms of Use (the “Agreement”) between the subscriber of the Agreement (“You”, and “Your”) and Roojoom – Web Experiences Ltd. (“Roojoom”, “Us”, “We”, and “Our”) to reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below). Both parties shall be referred to as the “Parties” and each, a “Party”.
WHEREAS, Roojoom shall provide the services set forth in the Agreement (collectively, the “Services”); and
WHEREAS, In the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a “Data Processor”; and the Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
- INTERPRETATION AND DEFINITIONS
- The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. Definitions:
- (a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- (b) “CCPA” means the California Consumer Privacy Act of 2018 and its modifications and amendments.
- (c) “Data Protection Laws and Regulations” means all laws and regulations of the European Union, the European Economic Area and their Member States, including the GDPR, the UK GDPR, and the Israeli Privacy Protection Law, 1981 and the regulations promulgated thereunder (including Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 and Privacy Protection Regulations (Data Security), 5777-2017), and any binding instructions, guidelines and requirements of the Israeli Privacy Protection Authority, as applicable to the Processing of Personal Data under the Agreement.
- (d) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- (e) “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
- (f) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- (g) “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- (h) “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined under Data Protection Laws and Regulations and/or under the CCPA, as applicable. For the avoidance of doubt, basic business contact information pertaining to you is not deemed to be Personal Data subject to this DPA.
- (i) “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- (j) “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
- (k) “Roojoom Group” means Roojoom and its Affiliates engaged in the Processing of Personal Data.
- (l) “Security Documentation” means the Security Documentation applicable to the specific Services purchased by you, as updated from time to time. You shall send a request to security-inquiry@roojoom.com to receive a copy of the Security Documentation.
- (m) “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here as updated, amended, replaced or superseded from time to time by the European Commission; or (ii) where required from time to time by a supervisory authority for use with respect to any specific restricted transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Regulatory Authority or Data Protection Laws and Regulations;
- (n) “Sub-processor” means any Processor engaged by Roojoom and/or Roojoom Affiliate to Process Personal Data on your behalf.
- (o) “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
- The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. Definitions:
- PROCESSING OF PERSONAL DATA
- 2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA Roojoom is the Data Processor and Roojoom or members of the Roojoom Group may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. For clarity, this DPA shall not apply with respect to Roojoom processing activity as a Data Controller with respect to Roojoom data as detailed in Roojoom’s privacy policy.
- 2.2 You shall, in your use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations and comply at all times with the obligations applicable to data controllers (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, your instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. You shall have sole responsibility for the means by which you acquired Personal Data. Without limitation, you shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer (by you or any other third party on your behalf) to Roojoom the Personal Data and to authorize the Processing by Roojoom of the Personal Data which is authorized in this DPA. You shall defend, hold harmless and indemnify Roojoom, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by you and/or your authorized users (if any) of any Data Protection Laws and Regulations and/or this DPA and/or this Section.
- 2.3 Subject to the Agreement, Roojoom shall Process Personal Data that is subject to this DPA only in accordance with your documented instructions as necessary for the performance of the Services and for the performance of the Agreement and this DPA. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
- 2.4 To the extent that Roojoom or its Affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from you relating to Processing of Personal Data or where Roojoom considers such a request to be unlawful, Roojoom (i) shall inform you, providing relevant details of the problem (but not legal advice), (ii) Roojoom may, without any kind of liability towards you, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and you shall pay to Roojoom all the amounts owed to Roojoom or due before the date of termination. You will have no further claims against Roojoom (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
- 2.5 Roojoom retains all right, title and interest, in and to the Personal Data that Roojoom Processes on your behalf in the context of the provision of the Services. Subject to the Agreement, you grant Roojoom a worldwide, royalty-free, limited license to access, use, process, copy, distribute, perform, modify, export, and display the Personal Data solely: (i) to maintain, develop, improve, support and provide our Services; (ii) to prevent or address technical or security issues and resolve support requests; (iii) to compile statistical and performance information for Roojoom’s business purposes; (iv) to investigate when we have a good faith belief, or have received a complaint alleging that you have violated of the terms of the Agreement or this DPA; (v) to comply with our obligations under the Agreement and this DPA, applicable laws, a valid legal subpoena, request, or other lawful processes; and (vi) as otherwise permitted by you.
- 2.6 Roojoom will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Roojoom, to the extent that such is a result of your instructions.
- RIGHTS OF DATA SUBJECTS. Taking into account the nature of the Processing, Roojoom shall use commercially reasonable efforts to assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to a Data Subject request under Data Protection Laws and Regulations. To the extent legally permitted, you shall be responsible for any costs arising from Roojoom’s provision of such assistance.
- ROOJOOM PERSONNEL. ACCESS TO PERSONAL DATA
- 4.1 Roojoom shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 4.2 Roojoom may disclose and Process the Personal Data (a) as permitted hereunder and as instructed by you, (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, Roojoom shall inform you of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
- AUTHORIZATION REGARDING SUB-PROCESSORS
- 5.1 A list of Roojoom’s Sub-Processors will be provided to you upon request. You hereby grant a general authorization to Roojoom to appoint new Sub-processors. The Sub-processor List as of the date of execution of this DPA, is hereby authorized by you. You shall send an email to security-inquiry@roojoom.com with the subject SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION, to subscribe to notifications of new Sub-processors, and if you subscribe, Roojoom shall provide notification of any new Sub-processor(s).
- 5.2 You may reasonably object to Roojoom’s use of a Sub-processor for reasons related to the GDPR by notifying Roojoom promptly in writing within three (3) business days after receipt of Roojoom’s notice in accordance with the mechanism set out in Section 1. and such written objection shall include the reasons related to the GDPR for objecting to Roojoom’s use of such Sub-processor. Failure to object to such Sub-processor in writing within three (3) business days following Roojoom’s notice shall be deemed as acceptance of the Sub-Processor. In the event you reasonably object to a Sub-processor, as permitted in the preceding sentences, Roojoom will use reasonable efforts to make available to you a change in the Services or recommend a commercially reasonable change to your use of the Services. If Roojoom is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, you may, as your sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Roojoom without the use of the objected-to Sub-processor by providing written notice to Roojoom provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Roojoom. Until a decision is made regarding the Sub-processor, Roojoom may temporarily suspend the Processing of the affected Personal Data. You will have no further claims against Roojoom due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
- 5.3 This Section 5 shall not apply to subcontractors of Roojoom which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.
- SECURITY
- 6.1 Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Roojoom shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by you.
- 6.2 Roojoom may satisfy the audit obligation under this Section by providing you with attestations, certifications and summaries of Roojoom’s compliance with Section 6.1. To the extent that the information provided is not sufficient, at Roojoom’s sole discretion and when required under Data Protection Laws, at your cost and expense, Roojoom may allow for and contribute to audits (which shall not include any on-premiss inspection or audit), conducted by you or another auditor mandated by you (who is not a direct or indirect competitor of Roojoom); provided that the Parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, nothing in this DPA will require Roojoom either to disclose to you (and/or your authorized auditors), or provide access to: (i) any data of any other clients or subscribers of Roojoom; (ii) Roojoom’s internal accounting or financial information; (iii) any trade secret of Roojoom; or (iv) any information that, in Roojoom’s sole reasonable discretion, could compromise the security of any of Roojoom’s systems or premises or cause Roojoom to breach obligations under any applicable law or its obligations to any third party.
- PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. Roojoom shall notify you without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Roojoom of which Roojoom becomes aware (a “Personal Data Incident”). Roojoom shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Roojoom deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Roojoom’s reasonable control. In any event, you will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
- RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, Roojoom shall, at your choice, delete or return the Personal Data to you after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. Roojoom may retain electronic copies of files containing Personal Data created pursuant to automatic archiving or back-up procedures which cannot reasonably be deleted. In these cases, Roojoom shall ensure that the Personal Data is not further actively processed. In any event, to the extent required or allowed by applicable law, Roojoom may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations.
- TRANSFERS OF DATA. To the extent that there is Processing of Personal Data from the European Union to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, you as a Data Exporter (as defined in the SCCs) and Roojoom on behalf of itself and each Roojoom Affiliate (as applicable) as a Data Importer (as defined in the SCCs), hereby enter into the SCC set out in Schedule 3. To the extent that there is any conflict or inconsistency between the terms of the SCC and the terms of this DPA, the terms of the SCC shall take precedence.
- TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, 2.4, 2.5, 8 and 12 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
- CCPA. To the extent that the Personal Data is subject to the CCPA, Roojoom shall not sell or share your Personal Data. Roojoom agrees not to retain, use or disclose your Personal Data: (i) for any purpose other than the Business Purpose (as defined below); (ii) for no other commercial or Business Purpose; or (iii) outside the direct business relationship between the Parties. Notwithstanding the foregoing, Roojoom may use, disclose, or retain Personal Data to: (i) transfer the Personal Data to other Roojoom’s entities (including, without limitation, affiliates and subsidiaries), service providers, third parties, partners and vendors, in order to provide the Services to you; (ii) to comply with, or as allowed by, applicable laws and regulations and in the Agreement; (iii) to defend legal claims or comply with a law enforcement investigation; (iv) for internal use by Roojoom to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (v) to detect data security incidents, or protect against fraudulent or illegal activity; and (vi) collect and analyse anonymous information. Notwithstanding anything to the contrary, you shall be fully and solely responsible for complying with your own requirements under CCPA. “Business purpose” means the Processing activities that Roojoom will perform to provide Services (as described in the Agreement), this DPA and any other instruction from you, as otherwise permitted by applicable law, including, CCPA and the applicable regulations, or as otherwise necessary to provide the Services to you.
- RELATIONSHIP WITH AGREEMENT. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) Roojoom’s (including Roojoom’s Affiliates’) entire, total and aggregate liability, related to personal data or information, privacy, or for breach of, this DPA and/or Data Protection Laws and Regulations, including, without limitation, if any, any indemnification obligation or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Roojoom under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Roojoom and/or Roojoom Affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Roojoom, Roojoom Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
- GENERAL. This DPA may be amended at any time by a written instrument duly signed by each of the Parties. This DPA shall only become legally binding between you and Roojoom when the formalities steps set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS DPA” below have been fully completed. Roojoom may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Roojoom obligation hereunder may be performed (in whole or in part), and any Roojoom right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Roojoom. The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA. You, as the signing person, represent and warrant that you have, or you were granted, full authority to bind you and the relevant organization (if any) to this DPA. If you cannot, or do not have authority to, bind the relevant organization, you shall not supply or provide Personal Data to Roojoom. By signing this DPA, you enter into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of the relevant organization, if and to the extent that Roojoom processes Personal Data for which such organization qualify as the/a “data controller”.
Instructions on how to execute this DPA:
- To complete this DPA, you must complete the missing information; and
- Send the completed and signed DPA to us by email, indicating your name, to security-inquiry@roojoom.com.
List of Schedules
- SCHEDULE 1 – DETAILS OF THE PROCESSING
- SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1 – DETAILS OF THE PROCESSING
Subject matter. Roojoom will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by you in your use of the Services.
Nature and Purpose of Processing.
- Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) to you and providing support and technical maintenance, if agreed in the Agreement.
- For Roojoom to comply with and follow instructions provided by you.
Duration of Processing. Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Roojoom will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data. The categories of Personal Data are within your control and may include:
- Information provided by your (which is considered Personal Data) for example: calendar information, details and appointments.
- Leads / clients contact details information (including, without limitation, name and last name, phone number, email address.
- Personal Data provided in the context of the call (including, name, recordings and messages).
- Personal Data provided by your contacts during conversation that is requested by you while using the Services
- Any other Personal Data provide by your contacts which was not required but automatically collected by us.
- Any other Personal Data or information that you decide to provide to the Roojoom or the Services.
For the avoidance of doubt, the information subject to the Roojoom’s privacy policy available here: shall not be subject to the terms of this DPA.
Categories of Data Subjects. The categories of Data Subjects are within your control and may include individuals about whom data is provided to Roojoom by or at your the direction pursuant to the Agreement.
The frequency of the transfer. Continuous basis
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. As described in this DPA and/or the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. As detailed in Schedule 2.
SCHEDULE 2 STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
- a) The Standard Contractual Clauses (Controller-to-Processor) as applicable, will apply, with respect to restricted transfers between you and Roojoom that are subject to the GDPR.
- b) The Parties agree that for the purpose of transfer of Personal Data between you (as Data Exporter) and Roojoom (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall be not applicable; (iv) In Clause 13: the relevant option applicable to you, as informed by you to Roojoom; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
- c) Annex I.A: With respect to Module Two: (i) Data Exporter is you as a data controller and (ii) the Data Importer is Roojoom as a data processor. Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
- d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
- e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Irish supervisory authority.
- f) Annex II of the Standard Contractual Clauses shall be completed as described in the Security Documentation.
- g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.