Blissfully Data Processing Addendum
The Customer agreeing to these terms (“Customer”) and Blissfully Tech Inc (“Blissfully”) have entered into one or more master agreement(s) (as defined below) (each, as amended from time to time, an “Agreement“).
This Data Processing Addendum will, as from the Amendment Effective Date (as defined below), be effective and replace any previously applicable data processing amendment and/or other terms previously applicable to privacy, data processing and/or data security.
In this Addendum, the following terms have the meanings set out below:
- “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with a party hereto, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Amendment Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, this Data Processing Addendum.
- “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company (including, without limitation, on behalf of Company clients) pursuant to or in connection with the Agreement;
- “Contracted Processor” means Vendor or a Subprocessor;
- “Data Protection Laws” means the laws and regulations applicable to the Processing of Company Personal Data, including, without limitation, GDPR and related laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom;
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation);
- “Personal Data” shall have the same meaning set forth in the in the Data Protection Laws;
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Restricted Transfer“** **means a transfer of Company Personal Data from (a) Company to a Contracted Processor; or (b) an onward transfer of Company Personal Data from a Contracted Processor to another Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses or other compliance mechanism sanctioned by Supervisory Authorities;
- “Services” means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Company pursuant to the Agreement;
- “Standard Contractual Clauses” means the Standard Contractual Clauses (Controller to Controller Transfers – Set II) in the Annex to the European Commission Decision of December 27, 2004, and the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010, as may be amended or replaced from time to time by the European Commission.
- “SOC 2 Report” means a confidential Service Organization Control (SOC) 2 Report (or a comparable report) on Blissfully’s systems examining logical security controls, physical security controls, and system availability, as produced by Blissfully’s Third Party Auditor in relation to the Audited Services.
- “Subprocessor” means any third party appointed by or on behalf of Vendor to Process Personal Data on behalf of Company in connection with the Agreement.
The terms, “Data Subject“, “Member State“, “Personal Data Breach“,** **shall have the same meaning as in the Data Protection Laws.
2. Processing of Company Personal Data
- Vendor shall (a) comply with all applicable Data Protection Laws in the Processing of Company Personal Data; (b) not Process Company Personal Data other than on Company’s documented instructions unless Processing is required by applicable laws, in which case Vendor shall to the extent permitted by applicable laws inform the Company of that legal requirement before the Processing of that Personal Data; and (c) treat Company Personal Data as confidential.
- Company’s instructions for the Processing of Company Personal Data shall comply with Data Protection Laws.
3. Vendor Personnel
Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with applicable laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Company Personal Data implement appropriate technical and organizational measures as set out in Appendix 2 to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to Data Protection Laws. In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1. Consent to Subprocessor Engagement. Customer specifically authorizes the engagement as Subprocessors of those entities listed as of the Amendment Effective Date at the URL specified in Section 5.2 (Information about Subprocessors). In addition, Customer generally authorizes the engagement as Subprocessors of any other third parties (“New Third Party Subprocessors”). If Customer has entered into Standard Contractual Clauses (Transfers of Data Out of the EEA), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Blissfully of the processing of Customer Data if such consent is required under the Standard Contract Clauses.
5.2. Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at https://www.blissfully.com/subprocessors/ (as may be updated by Blissfully from time to time in accordance with this Data Processing Addendum).
5.3 – With respect to each Subprocessor, Vendor shall:
- before the Subprocessor first Processes Company Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
- ensure that the arrangement between Vendor and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this Addendum, meet the requirements of article 28(3) of the GDPR and ensure that the relevant obligations (including, without limitation, the audit rights set forth in Section 10) can be directly enforced by Company against the Subprocessors;
- if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between the Vendor and the Subprocessor, or before the Subprocessor first Processes Company Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with Company; and
- provide to Company for review such copies of the Vendors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Company may request from time to time.
- remain responsible for its Subprocessors and liable for their acts and omissions, and any reference to the Vendor’s obligations in this Addendum shall be construed as referring also to Vendor’s Subprocessors.
6. Data Subject Rights
Taking into account the nature of the Processing, Vendor shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws. Vendor shall:
- promptly notify Company if Vendor or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
- ensure that Vendor or the Subprocessor does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Subprocessor is subject.
7. Personal Data Breach
Vendor shall notify Company without undue delay upon Vendor or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Vendor shall co-operate with Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
Vendor shall provide reasonable assistance to Company with any data protection impact assessments, and consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to the Subprocessors.
9. Deletion or return of Company Personal Data
The parties agree that on the termination of the provision of Services, Vendor and any Subprocessor shall, at the choice of Company, return all Company Personal Data transferred and the copies thereof to the Company or shall destroy all the Company Personal Data and certify to Company that it has done so, unless legislation imposed upon Vendor or any Subprocessor, as applicable, prevents it from returning or destroying all or part of the Company Personal Data transferred. In that case, Vendor warrants that it will guarantee the confidentiality of the Company Personal Data transferred and will not actively process the Company Personal Data transferred anymore.
10. Audit rights
Vendor shall make available to Company on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the Processing of the Company Personal Data. Vendor acknowledges and agrees that the audit rights set forth in this Section 10 can be directly enforced by Company clients whose Personal Data is being Processed by Vendor as part of Company Personal Data.
Company shall give Vendor reasonable notice of any audit or inspection to be conducted and shall make (and ensure that its auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Vendor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.*** ***
11. Restricted Transfers
In the case Vendor is established in a country that is neither a Member State nor considered by the European Commission to have adequate protection, by agreeing to this Addendum, Vendor (as “data importer”) is entering into the Standard Contractual Clauses in respect of any Restricted Transfer from Company to Vendor.
If a Vendor Subprocessor is a data importer, Vendor shall enter into Standard Contractual Clauses with Company on behalf of such Subprocessor. To the extent the foregoing is not possible, Vendor shall inform Company and obtain such Subprocessor’s agreement to the Standard Contractual Clauses as an additional data importer.
12. General Terms
12.1 – Nothing in this Addendum reduces Vendor’s obligations under the Agreement in relation to the protection of Company Personal Data or permits Vendor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
12.2 – Subject to section 12.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
12.3 – If Company gives notice that an amendment to this Addendum is required in order to comply with Applicable Laws or comply with requirements set out by Company’s clients, Company will provide an amendment and the parties shall negotiate in good faith to address the requirements identified in Company’s notice as soon as is reasonably practicable.
12.4 – Neither Company nor Vendor shall require the consent or approval of any Company Affiliate or Vendor Affiliate to amend this Addendum pursuant to this section 12.5 or otherwise.
12.5 – Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Appendix 1: Subject Matter and Details of the Data Processing
Blissfully’s provision of the Services and related technical support to Customer.
Duration of the Processing
The applicable Term plus the period from expiry of such Term until deletion of all Customer Data by Blissfully in accordance with the Data Processing Addendum
Nature and Purpose of the Processing
Blissfully will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Addendum.
Categories of Data
Personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may include the following categories of data: user IDs, email, company information, and role.
Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
Appendix 2: Security Measures
As from the Addendum Effective Date, Blissfully will implement and maintain the Security Measures set out in this Appendix 2 to the Data Processing Addendum. Blissfully may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
1. Data Center & Network Security
Blissfully uses secure AWS data centers. AWS is compliant with ISO 27001, SOC 2, GDPR and more.
Networks & Transmission.
Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Blissfully transfers data via Internet standard protocols.
External Attack Surface. Blissfully employs multiple layers of network devices and intrusion detection to protect its external attack surface. Blissfully considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Blissfully’s intrusion detection involves:
- Tightly controlling the size and make-up of Blissfully’s attack surface through preventative measures;
- Employing intelligent detection controls at data entry points; and
- Employing technologies that automatically remedy certain dangerous situations.
Incident Response. Blissfully monitors a variety of communication channels for security incidents, and Blissfully’s security personnel will react promptly to known incidents.
Encryption Technologies. Blissfully makes HTTPS encryption (also referred to as SSL or TLS connection) available. Blissfully’s data on our cloud provider’s servers support encryption at rest and in transit.
2. Access and Site Controls.
(a) Site Controls.
Blissfully does not own or maintain data centers that would require site controls.
(b) Access Control.
Infrastructure Security Personnel. Blissfully has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Blissfully’s infrastructure security personnel are responsible for the ongoing monitoring of Blissfully’s security infrastructure, the review of the Services, and responding to security incidents.
Access Control and Privilege Management. Customer’s Administrators and End Users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Services. Each application checks credentials in order to allow the display of data to an authorized End User or authorized Administrator.
Internal Data Access Processes and Policies – Access Policy. Blissfully’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Blissfully aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Blissfully employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel.
Blissfully requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Blissfully’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), Blissfully uses hardware tokens.
Data Storage, Isolation & Authentication
Blissfully stores data in a multi-tenant environment on AWS-owned servers. Data, the Services database and file system architecture are replicated between multiple geographically dispersed data centers. Blissfully logically isolates data on a per End User basis at the application layer. Blissfully logically isolates each Customer’s data, and logically separates each End User’s data from the data of other End Users, and data for an authenticated End User will not be displayed to another End User (unless the former End User or an Administrator allows the data to be shared). A central authentication system is used across all Services to increase uniform security of data.
4. Personnel Security.
Blissfully personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Blissfully conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Blissfully’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (eg., certifications). Blissfully’s personnel will not process Customer Data without authorization.
5. Subprocessor Security.
Before onboarding Subprocessors, Blissfully conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Blissfully has assessed the risks presented by the Subprocessor, then subject always to the requirements set out in the Data Processing Addendum, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
Blissfully Confidential and Proprietary
Last Updated: August 2, 2018