The customer agreeing to these terms (“Customer”) has entered into an agreement with Infinite Convergence Solutions, Inc. and/or certain of its Affiliates (as applicable, “ICS”) under which ICS has agreed to provide services to Customer and/or Affiliates (the "Agreement").
This Data Processing Policy, including its annexes and appendices (the “Policy”) will be effective and replace any previously applicable data processing and security terms as of the Policy Effective Date (as defined below). This Policy is incorporated in, and made a part of, the Agreement, and is subject to change by ICS.
For purposes of this Policy, the terms below shall have the meanings set forth below. Capitalized terms that are used but not otherwise defined in this Policy shall have the meanings set forth in the Agreement.
This Policy will take effect on the Policy Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon, ICS’ deletion of all Customer Personal Data as described in this Policy.
Deletion on Termination. On expiry of the Term, Customer instructs ICS to delete all Customer Personal Data (including existing copies) from ICS’ systems in accordance with applicable law as soon as reasonably practicable, unless applicable law requires otherwise, or it is not technically or commercially feasible to do so.
ICS will (taking into account the nature of the processing and the information available to ICS) reasonably assist Customer in complying with its obligations under European Data Protection Legislation in respect of data protection impact assessments and prior consultation, including, if applicable, Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by:
Customer’s Responsibility for Requests. During the Term, if ICS receives any request from a data subject in relation to Customer Personal Data, ICS will advise the data subject to submit their request to Customer and Customer will be responsible for responding to any such request.
ICS’ Data Subject Request Assistance. ICS will (taking into account the nature of the processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfil its obligation under European Data Protection Legislation to respond to requests by data subjects, including if applicable, Customer’s obligation to respond to requests for exercising the data subject’s rights set out in Chapter III of the GDPR (Articles 12-23). Customer shall reimburse ICS for any such assistance beyond providing self-service features included as part of the Services at ICS’ then-current professional services rates, which shall be made available to Customer upon request.
Data Storage and Processing Facilities. ICS may, subject to Section 8.2 (Transfers of Data Out of the EEA), store and process Customer Personal Data anywhere ICS or its Subprocessors maintains facilities.
Transfers of Data Out of the EEA.
Disclosure of Confidential Information Containing Personal Data. If Customer has entered into Standard Contractual Clauses as described in Section 8.2 (Transfers of Data Out of the EEA), ICS will, notwithstanding any term to the contrary in the Agreement, make any disclosure of Customer's Confidential Information containing personal data, and any notifications relating to any such disclosures, in accordance with such Standard Contractual Clauses. For the purposes of the Standard Contractual Clauses, Customer and ICS agree that (i) Customer will act as the data exporter on Customer’s own behalf and on behalf of any of Customer’s entities and (ii) ICS or its relevant Affiliate will act on its own behalf and/or on behalf of ICS’ Affiliates as the data importers.
Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of ICS’ Affiliates as Subprocessors. In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”). If Customer has entered into Standard Contractual Clauses as described in Section 9.2 (Transfers of Data Out of the EEA), the above authorizations will constitute Customer’s prior written consent to the subcontracting by ICS of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses.
Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available upon request to the GDPR Compliance Officer at IC-GDPR@infinite.com (as may be updated by ICS from time to time in accordance with this Policy).
Requirements for Subprocessor Engagement. When engaging any Subprocessor, ICS will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in the Agreement (including this Policy) with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor. ICS shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
Opportunity to Object to Subprocessor Changes.
When any new Third Party Subprocessor is engaged during the Term, ICS will, at least 30 days before the new Third Party Subprocessor processes any Customer Personal Data, notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform).
Customer may object to any new Third Party Subprocessor by providing written notice to ICS within ten (10) business days of being informed of the engagement of the Third Party Subprocessor as described above. In the event Customer objects to a new Third Party Subprocessor, Customer and ICS will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to ICS.
ICS’ Processing Records. Customer acknowledges that ICS is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which ICS is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to ICS, and will ensure that all information provided is kept accurate and up-to-date.
Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this Policy, and the Standard Contractual Clauses if entered into as described in Section 8.2 (Transfers of Data Out of the EEA) combined will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement, subject to Section 11.2 (Liability Cap Exclusions).
Liability Cap Exclusions. Nothing in Section 11.1 (Liability Cap) will affect any party’s liability to data subjects under the third party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by the European Data Protection Legislation.
Customer acknowledges and agrees that ICS may create and derive from processing related to the Services anonymised and/or aggregated data that does not identify Customer or any natural person, and use, publicise or share with third parties such data to improve ICS’ products and services and for its other legitimate business purposes.
Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by ICS to Customer may be given (a) in accordance with the notice clause of the Agreement; (b) to ICS’ primary points of contact with Customer; and/or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
Subject Matter and Details of the Data Processing
|Subject Matter||ICS’ provision of the Services to Customer.|
|Duration of the Processing||The Term plus the period from the expiry of the Term until deletion of all Customer Personal Data by ICS in accordance with the Policy.|
|Nature and Purpose of the Processing||ICS will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Policy.|
|Categories of Data||Required Data: phone number, email address, MDN, last name, first name, company name and message content
Optional Data: date of birth, gender, physical address, age, message content, profile picture, custom contact attributes, 3rd party credentials, credit card information and VoIP call history.
|Data Subjects||Data subjects include the individuals about whom ICS Processes data in connection with the Services.|
|Processing Operations||Personal Data will be transferred from the Customer to ICS’ platform to facilitate communication engagement between Customer and its end users.
The Service will consist of providing a communication platform for the Customer to use in order to on-board and interact with end users as well as analyze their use of the product and /or Services.
Standard Contractual Clauses to be executed to permit ICS to Receive and Process Personal Data
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as well for the purposes of Chapter V of the GDPR, or any related EU delegated acts or implementing acts, Customer and ICS have agreed on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Name: Set forth in the Agreement
Address: Tel.: Fax:
Name: Infinite Convergence Solutions, Inc.
Address: 3231 N. Wilke Road, Arlington Heights, IL 60004 Tel.: (224) 764-3400 Fax: (224) 764-3430
Clause 1: Definitions
For the purposes of the Clauses:
The parties agree that the above definitions apply only for the Clauses contained in this Appendix 2.
Clause 2: Details of the Transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1, which forms an integral part of the Clauses.
Clause 3: Third-Party Beneficiary Clause
Clause 4: Obligations of the Data Exporter
The data exporter agrees and warrants:
Clause 5: Obligations of the Data Importer
The data importer agrees and warrants:
Clause 6: Liability
Clause 7: Mediation and Jurisdiction
Clause 8: Cooperation with Supervisory Authorities
Clause 9: Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10: Variation of the Contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11: Subprocessing
Clause 12: Obligation after the Termination of Personal Data Processing Services
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the entity identified as “Customer” in the Policy.
Infinite Convergence Solutions, Inc.
The personal data transferred concern the following categories of data subjects (please specify):
Categories of data
The personal data transferred concern the following categories of data (please specify):
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) include the following:
Information Security Program
ICS maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to:
The information security program includes the measures identified below.
ICS conducts periodic reviews of the security of its information security program as measured against industry security standards and its policies and procedures. ICS continually evaluates the security of its products and services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.