SORENSON COMMUNICATIONS, LLC

DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “DPA”) is entered into as of the Effective Date by and between Sorenson Communications, LLC (together with its Affiliates, “Sorenson”) and Customer. This DPA supplements and forms a part of the Agreement. Capitalized terms not defined in this DPA are defined in the main body of the Agreement.

HOW THIS DPA APPLIES

This DPA is binding on the Parties only to the extent Applicable Data Protection Laws (as defined below) govern the Processing of Customer Personal Data in performance of the Services.  This DPA is fully incorporated into and made a part of the Agreement.  This DPA replaces any existing terms, exhibits, schedules, appendices, addendums, or other attachments related to the Processing of Customer Personal Data unless otherwise expressly stated in this DPA.  To the extent there is any inconsistency between the terms of this DPA and any terms of the Agreement with respect to Customer Personal Data, the terms of this DPA will govern and control.

DATA PROCESSING TERMS

The Parties agree that the terms of this DPA govern the Processing of Customer Personal Data in performance of the Services.  Each Party, acting reasonably and in good faith, will comply with the terms of this DPA.  Any other Processing of Personal Data with respect to Customer and its users who are authorized to use the Services (“Authorized Users”) conducted by Sorenson as a Controller, including with respect to business relationship administration and system security, will be carried out in accordance with Sorenson’s then-current privacy policy located at the following hyperlink: Sorenson Legal 

  1. DEFINITIONS
    • In this DPA, the following terms shall have the meanings set out in this Section 1, and all other terms shall have the meanings set forth in the Agreement:
      • “Affiliate” means with respect to an entity, any other entity that, now or in the future, either directly or through one or more intermediaries, controls, is controlled by, or is under common control with, that entity or any of its successors.
      • “Applicable Data Protection Laws” means laws, rules, regulations, orders, and ordinances governing data privacy, data security, data protection, data breach notification, and cross border data transfers to the extent they apply to Sorenson’s Processing of Customer Personal Data, including, where applicable, the GDPR and CCPA.
      • “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any binding regulations promulgated thereunder, as either may be amended from time to time.
      • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing the Personal Data.
      • “Customer Personal Data” means Personal Data Processed by Sorenson (or any Subprocessor) as a Processor on behalf of and at the direction of Customer in performance of the Services.
      • “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
      • “Data Subject Request” means the exercise by a Data Subject of his or her rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
      • “Deidentified Data” means Customer Personal Data that has been deidentified in such a manner that it cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person.
      • “EEA” means the European Economic Area.
      • “Effective Date” means the effective date of the Agreement.
      • “GDPR” means, as and where applicable to the Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii), any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
      • “Personal Data” means any information that constitutes “personal data,” “personal information,” “personally identifiable information” or similar term as defined in Applicable Data Protection Laws.
      • “Personal Data Breach” means a breach of Sorenson’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data in Sorenson’s possession, custody, or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
      • “Personnel” means a Party’s employees, agents, consultants, or contractors that are engaged in connection with the Services.
      • “Process” and any inflection thereof means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      • “Processor” means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller.
      • “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
      • “SCCs” means collectively (i) the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) and (ii) the UK Transfer Addendum to the EU SCCs, issued by the Information Commissioner (Version B1.0, in force on 21 March 2022) (“UK SCCs”).
      • “Services” means those services and activities to be provided by Sorenson to Customer under the Agreement.
      • “Service Data” means any data relating to the use, support and/or operation of the Services, which is collected directly by Sorenson from and/or about users of the Services and/or Customer’s use of the Service, for use for its own purposes (certain of which may constitute Personal Data).
      • “Subprocessor” means any third party appointed by Sorenson to Process Customer Personal Data on Sorenson’s behalf in connection with the Services.
      • “Supervisory Authority” (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
  2. CUSTOMER PERSONAL DATA
    2.1 Scope
      (a) The Parties acknowledge and agree that the details of Sorenson’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to this DPA.
      (b) Annex 2 (European Annex) to this DPA applies only if and to the extent Sorenson’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.
      (c) Annex 3 (California Annex) to this DPA applies only if and to the extent Sorenson’s Processing of Customer Personal Data under the Agreement is subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA).
      (d) Section 2.7 (Compliance Assistance; Audits) of this DPA applies to Sorenson’s Processing of Customer Personal Data to the extent required under any requirements concerning contracts with Processors under Applicable Data Protection Laws, and in such cases, only in respect of Processing of Customer Personal Data subject to such laws.
    2.2 Processing of Customer Personal Data
      (a) Sorenson shall not Process Customer Personal Data other than on Customer’s written instructions or as required or permitted by applicable laws. For purposes of the Services and this DPA, Sorenson shall be considered the “Processor” (or “service provider” as defined under Applicable Data Protection Laws) of Customer Personal Data.
      (b) Customer instructs Sorenson to Process Customer Personal Data to provide the Services to Customer and in accordance with the Agreement (including this DPA). The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Sorenson only pursuant to a written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Sorenson receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Sorenson shall notify Customer, and Sorenson shall have the right to suspend Processing of Customer Personal Data until Customer’s instructions are clarified so that they no longer infringe Applicable Data Protection Laws.
      (c) The Parties acknowledge that Sorenson’s Processing of Customer Personal Data authorized by Customer’s instructions stated in the Agreement (including this DPA) is integral to the Services and the business relationship between the Parties. Access to Customer Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
    2.3 Sorenson Personnel
      Sorenson shall require that its Personnel who are authorized to access Customer Personal Data are subject to appropriate confidentiality obligations.
    2.4 Security
      (a) Sorenson shall implement and maintain technical and organizational measures in relation to Customer Personal Data that are designed to protect Customer Personal Data against Personal Data Breaches as described in Annex 4 (Security Measures) (the “Security Measures”). Customer warrants that it has assessed the Security Measures and has determined that they satisfy the security requirements imposed by Applicable Data Protection Laws in respect of Sorenson’s Processing of Customer Personal Data.
      (b) Sorenson may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
    2.5 Data Breach
      (a) Sorenson shall notify Customer without undue delay upon Sorenson’s confirmation of a Personal Data Breach. Sorenson’s notification of or response to a Personal Data Breach shall not be construed as Sorenson’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
      (b) To the extent the Personal Data Breach resulted from Sorenson’s breach of its security obligations under the Agreement, Sorenson shall provide Customer with reasonably requested information (insofar as such information is within Sorenson’s possession and knowledge and does not otherwise compromise the security of any Customer Personal Data Processed by Sorenson or Sorenson’s other confidentiality or nondisclosure obligations, including any imposed by a law enforcement, a Supervisory Authority, or other governmental authority) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. If the Personal Data Breach did not result from Sorenson’s breach of its security obligations under the Agreement, Sorenson shall reasonably cooperate with Customer; provided, however, that Customer shall reimburse Sorenson for any costs and expenses incurred by Sorenson. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
      (c) If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority or other government authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Sorenson, where permitted by applicable laws, Customer agrees to:
        • notify and obtain Sorenson’s consent to such notice in advance in writing; and
        • in good faith, consult with Sorenson and consider any clarifications or corrections Sorenson may reasonably recommend or request to any such notice, which (i) relate to Sorenson’s involvement in or relevance to such Personal Data Breach, and (ii) are consistent with applicable laws.
    2.6 Data Subject Requests
      (a) Considering the nature of the Processing of Customer Personal Data by Sorenson, Sorenson shall provide Customer with such assistance, by implementing appropriate technical and organizational measures, as Customer may reasonably request to assist Customer in fulfilling its obligations under Applicable Data Protection Laws with respect to Data Subject Requests.
      (b) If Sorenson receives a Data Subject Request, Sorenson shall:
        • promptly notify Customer of such Data Subject Request; and
        • not respond to such Data Subject Request, other than to advise the Data Subject to submit the request to Customer, unless otherwise required by Applicable Data Protection Laws. Customer will be responsible for responding to any such request.
    2.7 Compliance Assistance; Audits
      (a) Taking into account the nature of the Processing of Customer Personal Data by Sorenson and the information available to Sorenson, Sorenson shall provide such information and assistance to Customer as Customer may reasonably request (insofar as such information is available to Sorenson and the sharing thereof does not compromise the security, confidentiality, integrity or availability of any data Processed by Sorenson) to help Customer meet its obligations under Applicable Data Protection Laws, including in relation to the security of Customer Personal Data, the reporting and investigation of Personal Data Breaches, the demonstration of Customer’s compliance with such obligations and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Sorenson’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.
      (b) Subject to Section 2.7(d) below, Sorenson shall make available to Customer such information as Customer may reasonably request for Sorenson to demonstrate compliance with Applicable Data Protection Laws and this DPA. Without limitation of the foregoing, Customer may conduct (in accordance with Section 2.7(c)), at its sole cost and expense, and Sorenson will reasonably cooperate with, reasonable audits (including inspections, manual reviews, automated scans and other technical and operational testing that Customer is entitled to perform under Applicable Data Protection Laws), in each case, whereby Customer or a qualified and independent auditor appointed by Customer using an appropriate and accepted audit control standard or framework may audit Sorenson’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Customer and Sorenson upon Customer’s request.
      (c) Customer shall give Sorenson reasonable advance notice of any such audits. Sorenson need not cooperate with any audit (i) performed by any individual or entity who has not entered into a non-disclosure agreement with Sorenson on terms acceptable to Sorenson in respect of information obtained in relation to the audit; (ii) conducted outside of Sorenson’s normal business hours at the relevant site; or (iii) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits that Customer is required to perform under Applicable Data Protection Laws. The audit must be conducted in accordance with Sorenson’s safety, security, or other relevant policies, must not impact the security, confidentiality, integrity, or availability of any data Processed by Sorenson and must not unreasonably interfere with Sorenson’s business activities. Customer shall not conduct any scans or technical or operational testing of Sorenson’s applications, websites, services, networks, or systems without Sorenson’s prior approval (which shall not be unreasonably withheld).
      (d) If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Customer’s audit request (“Audit Report”) and Sorenson has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Sorenson shall provide copies of any such Audit Reports to Customer upon request.
      (e) Such Audit Reports and any other information obtained by Customer in connection with this Section 2.7 shall constitute the Confidential Information of Sorenson, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Applicable Data Protection Laws. Nothing in this Section 2.7 shall be construed to obligate Sorenson to breach any duty of confidentiality.
    2.8 Subprocessors
      (a) Customer generally authorizes Sorenson to appoint Subprocessors in accordance with this Section 2.8. Without limitation to the foregoing, Customer authorizes the engagement of the Subprocessors listed as of the effective date of the Agreement at the Subprocessor Site, as defined below.
      (b) Information about Subprocessors, including their functions and locations, is available at: Sorenson Subprocessors List – Sorenson (as may be updated by Sorenson from time to time, subject to Sorenson’s obligations pursuant to Section 2.8(d) below) or such other website address as Sorenson may provide to Customer from time to time (the “Subprocessor Site”).
      (c) When engaging any Subprocessor, Sorenson will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Customer Personal Data and to the extent applicable to the nature of the services provided by such Subprocessor. As between the Parties, Sorenson shall be liable for the acts and omissions of all Subprocessors under or in connection with this DPA to the same extent Sorenson would be liable under the terms of this DPA if performing such services itself directly.
      (d) When Sorenson engages any Subprocessor after the effective date of the Agreement, Sorenson will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site (Customer may sign up to receive notifications of Subprocessor changes) or by other written means at least 15 days before such Subprocessor Processes Customer Personal Data. If Customer objects to such engagement in a written notice to Sorenson within 15 days after being notified of the engagement, on reasonable grounds relating to the protection of Customer Personal Data, Customer and Sorenson will work together in good faith to consider a mutually acceptable resolution to such objection. If the Parties are unable to reach a mutually agreeable resolution within a reasonable timeframe, Customer may, within 30 days of its initial notification of its objection to Sorenson, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Sorenson and pay Sorenson for all amounts due and owing under the Agreement as of the date of such termination. If Customer does not object to Sorenson’s appointment of a Subprocessor during the objection period referred to in this Section 2.8(d), Customer shall be deemed to have approved the engagement and ongoing use of that Subprocessor.
    2.9 Return and Deletion
      (a) Within 5 years after the expiration or earlier termination of the Agreement, Sorenson shall, to the extent technically possible in the circumstances, either (i) return and/or delete all Customer Personal Data in Sorenson’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Personal Data expressed in the Agreement or, subject to Section 2.10(e), Customer’s further instructions, or (ii) irreversibly anonymize or deidentify all Customer Personal Data in Sorenson’s care, custody or control.
      (b) Notwithstanding the foregoing, Sorenson may retain Customer Personal Data where required by law (or, in the case of Customer Personal Data subject to the GDPR, the laws of the UK or European Economic Area, as applicable), provided that Sorenson shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention. For purposes of clarity, this Section 2.9 shall not affect Sorenson’s right to retain any Deidentified Data after the expiration or termination of the Agreement.
    2.10 Customer’s Responsibilities
      (a) Without limiting Customer’s responsibilities under the Agreement or under Section 2.4 (Security), the Parties agree that Customer is solely responsible for its use of the Services, including (i) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; (iii) securing Customer’s systems and devices that Sorenson uses to provide the Services; and (iv) backing up Customer Personal Data.
      (b) Customer shall ensure:
        • that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Sorenson of Customer Personal Data in accordance with this DPA and the Agreement (including any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
        • that (and is solely responsible for ensuring that) all required notices have been given to, and all consents, permissions, and rights have been obtained from, Data Subjects and others as may be required by Applicable Data Protection Laws or otherwise for Sorenson to Process Customer Personal Data as contemplated in the Agreement.
      (c) Customer agrees that the Services, the Security Measures, and Sorenson’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
      (d) Customer shall not, and agrees to ensure its Authorized Users do not, provide or otherwise make available to Sorenson any Customer Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) health insurance information; (c) credentials to any financial accounts or credit, debit or other payment card data subject to the Payment Card Industry Data Security Standard (PCI DSS); (d) tax return data; (e) precise geolocation; (f) data revealing racial or ethnic origin, religious beliefs, sex life or sexual orientation, union membership, citizenship, or immigration status; (g) genetic data; (h) data collected from a known child; (i) any information that constitutes a special category of personal data (as described in Article 9(1) of the GDPR) and/or data relating to criminal convictions and offences; and (j) any online account credentials (together, “Restricted Data”).
      (e) Except to the extent prohibited by applicable law, Customer shall compensate Sorenson at Sorenson’s then-current professional services rates for, and reimburse any costs reasonably incurred by Sorenson while providing, cooperation, information or assistance requested by Customer pursuant to Sections 2.6 (Data Subject Requests), 2.7 (Compliance Assistance; Audits), and 2.9 (Return and Deletion) of this DPA.
    2.11 Deidentified, Anonymized or Aggregated Data
      (a) To the extent Sorenson generates or retains any Deidentified Data, Sorenson shall (i) take reasonable measures to ensure that such data cannot be associated with a natural person, (ii) publicly commit to maintaining and using Deidentified Data only in a de-identified fashion and without attempting to re-identify such data, and (iii) act as a Controller with respect to such Deidentified Data.
      (b) If Sorenson’s creation and/or use of aggregated, anonymized or deidentified personal information is subject to Applicable Data Protection Laws, then Sorenson’s creation and/or use of such data, including but not limited to Deidentified Data, shall be permitted only to the extent such data constitutes “aggregate consumer information” or has been “deidentified” (as such terms are defined under the Applicable Data Protection Laws).
    2.12 Liability
      The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this Section 2 and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that nothing in this Section 2.12 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
    2.13 Change in Laws
      Sorenson may on notice modify this DPA to the extent that, acting reasonably, it considers necessary to address the requirements of Applicable Data Protection Laws from time to time with respect to Customer Personal Data, including by varying or replacing the SCCs in the manner described in Paragraphs 2.1 and 2.2 of Annex 2 (European Annex).
  3. MISCELLANEOUS
    • In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail. In the event of any conflict or inconsistency between any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.


Annex 1
Data Processing Details

‘DATA IMPORTER’ DETAILS

Name:

Sorenson Communications, LLC

Address:

The address for Sorenson as set forth in the Agreement

Contact Details for Data Protection:

The contact details for Sorenson as set forth in the Agreement

Sorenson Activities:

Performance of the Services

Role:

Processor

‘DATA EXPORTER’ DETAILS

Name:

Customer

Address:

The address for Customer as set forth in the Agreement

Contact Details for Data Protection:

The contact details for Customer as set forth in the Agreement

Customer Activities:

Receipt of the Services

Role:

Controller


DETAILS OF PROCESSING

Categories of Data Subjects:

Relevant Data Subjects include:

  • Customer’s Authorized Users

Each category includes current, past, and prospective Data Subjects.

Categories of Customer Personal Data:

Relevant Customer Personal Data includes:

  • Data regarding Customer’s Authorized Users, including first name and surname, email address, phone number, and order/transaction information.

Sensitive Categories of Data, and associated additional restrictions/safeguards:

Categories of sensitive data:

N/A

Additional safeguards for sensitive data:

N/A

Frequency of transfer:

Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services. 

Nature of the Processing:

Processing operations required for Sorenson to provide the Services in accordance with the Agreement.

Purpose of the Processing:

Customer Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.

Duration of Processing / Retention Period:

Concurrent with the term of the Agreement and then thereafter pursuant to Section 2.9 (Return and Deletion) of this DPA.

Transfers to Subprocessors:

Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor Site (as may be updated from time to time in accordance with the DPA).

Annex 2
European Annex

  1. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
    • Taking into account the nature of the Processing of Customer Personal Data by Sorenson and the information available to Sorenson, Sorenson shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Sorenson.
  2. RESTRICTED TRANSFERS
    2.1 EEA Restricted Transfers
      To the extent that any Processing of Customer Personal Data under this DPA involves an EEA Restricted Transfer from Customer to Sorenson, the Parties shall comply with their respective obligations set out in the EU SCCs, which are hereby deemed to be:
        • populated in accordance with Part 1 of Attachment 1 to this Annex 2 (European Annex); and
        • entered into by the Parties and incorporated by reference into this DPA.
    2.2 UK Restricted Transfers
      To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Sorenson, the Parties shall comply with their respective obligations set out in the UK SCCs, which are hereby deemed to be:
        • the EU SCCs as varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to this Annex 2 (European Annex); and
        • entered into by the Parties and incorporated by reference into this DPA.
    2.3 Adoption of new transfer mechanism
      Sorenson may on notice vary this DPA and replace the relevant SCCs with:
        • any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
        • another transfer mechanism,
      that enables the lawful transfer of Customer Personal Data by Customer to Sorenson under this DPA in compliance with Chapter V of the GDPR.
    2.4 Provision of full-form SCCs
      In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), the Parties shall execute a version of the relevant set(s) of SCCs responsive to the request made to either Party (amended and populated in accordance with Attachment 1 to this Annex 2 (European Annex) in respect of the relevant Restricted Transfer).
  3. OPERATIONAL CLARIFICATIONS
    • When complying with its transparency obligations under Clause 8.3 of the EU SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Sorenson’s and its licensors’ trade secrets, business secrets, Confidential Information and/or other commercially sensitive information.
    • Where applicable, for the purposes of Clause 10(a) of Module Two of the EU SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Sorenson to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
    • Where applicable, for the purposes of Clause 15.1(a) of the EU SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
    • The terms and conditions of Section 2.8 of this DPA apply in relation to Sorenson’s appointment and use of Subprocessors under Module Two of the EU SCCs. Any approval by Customer of Sorenson’s appointment of a Subprocessor that is given expressly or deemed given pursuant to Section 2.8 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors if and as required under Clause 8.8 of Module Two of the EU SCCs.
    • The audits described in Clauses 8.9(c) and 8.9(d) of Module Two of the EU SCCs shall be subject to any relevant terms and conditions detailed in Section 2.7 of this DPA.
    • Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of Module Two of the EU SCCs shall be provided only upon Customer’s written request.
ATTACHMENT 1 TO EUROPEAN ANNEX

POPULATION OF SCCs

Notes:

  • In the context of any EEA Restricted Transfer, the EU SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA).
  • In the context of any UK Restricted Transfer, the UK SCCs (i.e. the EU SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1) are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA).

PART 1: POPULATION OF THE SCCs – EU SCCs

  1. SIGNATURE OF THE EU SCCs:

Where the EU SCCs apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, (a) each of the Parties is hereby deemed to have signed the EU SCCs at the relevant signature block in Annex I to the Appendix to the EU SCCs; and (b) those EU SCCs are entered into by and between the Parties with effect from (i) the Effective Date; or (ii) the date of the first EEA Restricted Transfer to which they apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, whichever is earlier.

  2. MODULES

The following modules of the EU SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA): (i) Module Two of the EU SCCs applies to any EEA Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right, and (ii) Module One of the EU SCCs applies to any EEA Restricted Transfer involving Processing of Customer Personal Data in respect of which both Parties act as independent and separate Controllers.

  3. POPULATION OF THE BODY OF THE EU SCCs
    • For each Module of the EU SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
      • The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
      • In Clause 9 of Module Two of the EU SCCs:
        • OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 2.8(d) of the DPA; and
        • OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used, and that optional language is deleted; as is, therefore, Annex III to the Appendix to the EU SCCs.
      • In Clause 11, the optional language is not used and is deleted.
      • In Clause 13, all square brackets are removed, and all text therein is retained.
      • In Clause 17: OPTION 1 applies, and the Parties agree that the EU SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
      • For the purposes of Clause 18, the Parties agree that any dispute arising from the EU SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
    • In this Paragraph 3, references to “Clauses” are references to the Clauses of the EU SCCs.
  4. POPULATION OF ANNEXES TO THE APPENDIX TO THE EU SCCs
    • Annex I to the Appendix to the EU SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with: Customer being ‘data exporter’; and Sorenson being ‘data importer’.
    • Part C of Annex I to the Appendix to the EU SCCs is populated as below:
      • Where Customer is established in an EU Member State, the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
      • Where Customer is not established in an EU Member State, Article 3(2) of the EU GDPR applies, and Customer has appointed an EU representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
      • Where Customer is not established in an EU Member State, Article 3(2) of the EU GDPR applies, but Customer has not appointed an EU representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Sorenson’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
    • Annex II to the Appendix to the EU SCCs is populated as below:

General:

  • Please refer to Section 2.4 of the DPA and the Security Measures described therein.
  • Where Module Two of the EU SCCs applies, and Customer receives a Data Subject Request under the EU GDPR and requires assistance from Sorenson, Customer should email Sorenson’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.

Subprocessors: When Sorenson engages a Subprocessor in the context of Module Two of the EU SCCs, Sorenson shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:

  • applicable information security measures;
  • notification of Personal Data Breaches to Sorenson;
  • return or deletion of Customer Personal Data as and where required; and
  • engagement of further Subprocessors.

PART 2: UK RESTRICTED TRANSFERS – UK SCCs

  1. UK TRANSFER ADDENDUM
    • Where relevant in accordance with Paragraph 2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum (UK SCCs) in the manner described below –
      • Part 1 to the UK Transfer Addendum. The Parties agree:
        • Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Annex 2 (European Annex) (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
        • Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
      • Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
    • As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1 of this Part 2; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
    • In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.

Annex 3

California Annex

  1. In this Annex, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes “personal information” as defined in and that is subject to the CCPA.
  2. The business purposes and services for which Sorenson is Processing personal information are for Sorenson to provide the services to and on behalf of Customer as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details).
  3. It is the Parties’ intent that with respect to any personal information, Sorenson is a service provider. Sorenson (a) acknowledges that personal information is disclosed by Customer only for the limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 2.7 (Compliance Assistance; Audits) of this DPA to help ensure that Sorenson’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Sorenson that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
  4. Sorenson shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Sorenson and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Sorenson’s own interaction with any consumer to whom such personal information pertains, except as otherwise permitted by the CCPA.
  5. Sorenson shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 2.4 (Security) of the DPA.
  6. When Sorenson engages a Subprocessor, Sorenson shall notify Customer of such Subprocessor engagements in accordance with Section 2.8 (Subprocessors) of the DPA.


Annex 4


Security Measures

As from the Effective Date, Sorenson will implement and maintain the Security Measures as set out in this Annex 4.

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Sorenson’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Sorenson’s organization, monitoring and maintaining compliance with Sorenson’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Data security controls which include at a minimum: logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially reasonable encryption technologies for Customer Personal Data.
  4. Logical access controls designed to manage electronic access to data and system functionality, based on authority levels and job functions.
  5. Password controls designed to manage and control password strength, expiration and usage.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
  7. Physical and environmental security of data centers, server room facilities and other areas containing Customer Personal Data designed to protect information assets from unauthorized physical access or damage.
  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Sorenson’s possession.
  9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Sorenson’s technology and information assets.
  10. Incident management procedures designed to allow Sorenson to investigate, respond to, mitigate, and notify of events related to Sorenson’s technology and information assets.
  11. Network security controls (i.e., firewalls) designed to protect systems from intrusion and limit the scope of any successful attack.
  12. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
  13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.