Last revised on
[Need a signed copy (including the full text of the SCCs, UK Addendum, and Sub-Processors)? Send a message to your CSM or legal@gorgias.com]
This Data Protection Agreement (“DPA”) forms part of the Gorgias’ Master Subscription Agreement (the “Agreement”) between the applicable Gorgias customer which is a party to such Agreement (“Customer”), and the applicable Gorgias Entity which is also a party to such Agreement (“Gorgias”). Customer and Gorgias are each referred to as a “Party” and collectively as the “Parties”.
1. Definitions
The terms used in this DPA shall have the meanings set forth in this DPA or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:
“Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Gorgias or Customer, respectively.
“Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Gorgias is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018 (“CCPA”), (b) the EU General Data Protection Regulation 2016/679 (“GDPR”) including the applicable implementing legislation of each Member State (“EU GDPR”), (c) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992, (e) any other applicable law with respect to any Personal Data to which Gorgias is subject, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.
“Data Subject” shall mean an identified or identifiable natural person.
“Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Gorgias, on behalf of Customer, in connection with Gorgias’s performance of the Services.
“Gorgias Entity” shall mean Gorgias Inc., and/or any Gorgias Affiliate.
“Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters in the jurisdiction of Gorgias.
“Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
“Security Breach” shall mean an actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data when transmitted, stored or otherwise processed by Gorgias.
“Services” shall mean the services as described in the Agreement or any related order form or statement of work.
“Standard Contractual Clauses” means (a) with respect to transfers of Personal Data which are subject to the EU GDPR from the European Economic Area (EEA) to countries outside the EEA that do not provide adequate protection of Personal Data, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time as set out in Exhibit D of this DPA (“EU SCCs”), (b) with respect to restricted transfers (as such term is defined under UK GDPR) subject to the UK GDPR, the UK international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the Information Commissioner on March 21, 2022, as set out in Exhibit E of this DPA (“UK SCCs”), and (c) with respect to transfers of Personal Data which are subject to the Swiss Federal Act on Data Protection of 19 June 1992, the EU SCCs as approved by the Swiss Data Protection and Information Commissioner, including the necessary adaptations to ensure compliance with Swiss data protection law, as set out in Exhibit F of this DPA (“Swiss SCCs”).
“Subprocessor” shall mean any subcontractor (including any third party and/or Gorgias Affiliate) engaged by Gorgias to Process Personal Data on behalf of Customer.
“Supervisory Authority” shall mean: (a) in the context of the UK GDPR the UK Information Commissioner’s Office; (b) in the context of the EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR; and (c) in the context of the Swiss Federal Act on Data Protection of 19 June 1992, the Swiss Data Protection and Information Commissioner.
2. Processing Requirements
2.1 Gorgias shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Customer’s instructions, and as may subsequently be agreed between the Parties in writing. Gorgias shall promptly inform Customer if (a) in Gorgias’s opinion, an instruction from Customer violates Applicable Privacy Law; or (b) Gorgias is required by applicable law to otherwise Process Personal Data, unless Gorgias is prohibited by that law from notifying Customer under applicable law.
2.2 Gorgias shall implement and maintain reasonable and appropriate technical measures that will ensure that Customer’s reasonable and lawful instructions can be complied with, including the following:
1. updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Customer from time to time;
2. canceling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Customer;
3. otherwise facilitating Customer’s responses to Data Subject requests as required under Applicable Privacy Law; and
4. Gorgias shall promptly redirect any request from a Data Subject to exercise any of its Data Subject rights to Customer, and shall not respond directly to the Data Subject unless instructed to do so by Customer in writing.
2.3 Gorgias acknowledges that (a) Customer discloses Personal Data to Gorgias solely for the business purpose of Customer, and (b) Gorgias has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data, and that any consideration paid by Customer to Gorgias under the Agreement relates only to Gorgias’s provision of the Services. Gorgias shall not collect, retain, use, disclose, or otherwise Process the Personal Data (i) for any purpose other than for the specific purpose of providing the Services to Customer, or (ii) outside of the direct business relationship between Gorgias and Customer. In addition, Gorgias shall not ‘sell,’ as defined under Applicable Privacy Law (including, without limitation, CCPA), or otherwise disclose any Personal Data except to authorized Subprocessors needed to render the Services.
2.4 Gorgias shall provide to Customer such co-operation, assistance and information as Customer may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Customer’s provision of the Services, and (b) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority.
3. Security of Personal Data
3.1. Gorgias shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in Exhibit B.
3.2. Gorgias shall ensure the reliability of any employees who Process Personal Data.
3.3 Gorgias will ensure that any employees entrusted with the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Customer Obligations
4.1 Customer’s Security Responsibilities. Customer agrees that, without limitation of Gorgias’s obligations under Section 3 (Security of Personal Data) or the Parties’ obligations under the Agreement, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Gorgias uses to provide the Services; and (d) backing up Personal Data.
4.2. Customer’s Security Assessment. Customer agrees that the Services and Gorgias’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.
5. Subprocessors
5.1 Gorgias shall not, without Customer’s prior written consent, sub-contract or outsource any Processing of Personal Data to any Subprocessor; provided that Customer shall not unreasonably withhold or delay consent to Gorgias’s appointment of any Subprocessor. Without limiting the foregoing, Gorgias authorizes Customer to engage the Subprocessors specified in Exhibit B of this DPA.
5.2 Gorgias shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.
5.3 Gorgias will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on Gorgias under this DPA.
6. Breach Notification
6.1 Notification to Customer. Unless otherwise prohibited by applicable law, Gorgias shall notify Customer without undue delay, and in any event within 72 hours after Gorgias becomes aware of a Security Breach. Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). In addition, Gorgias shall communicate to Customer (i) the name and contact details of Gorgias’s data protection officer or other point of contact where more information can be obtained, (ii) a description of the likely consequences of the Security Breach, (iii) a description of the measures taken or proposed to be taken by Gorgias to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.2. Investigation. Gorgias shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.
7. Privacy Impact Assessment
Gorgias shall, promptly upon receipt of written request by Customer and where required by Applicable Privacy Law (a) make available to Customer such information as is reasonably necessary to demonstrate Customer’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Customer in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Gorgias. Gorgias shall reasonably cooperate with Customer to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment. Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Customer shall not make any such request more than once in any 12-month period.
8. Audit Rights
Customer may audit Gorgias’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Customer’s Supervisory Authority. Gorgias will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance that Gorgias considers appropriate in the circumstances and reasonably necessary to conduct the audit. To request an audit, Customer must submit a proposed audit plan to Gorgias at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Gorgias will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Gorgias security, privacy, employment or other relevant policies). Gorgias will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 8 shall require Gorgias to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Gorgias has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.
The audit must be conducted during regular business hours, subject to the agreed final audit plan and Gorgias’s safety, security or other relevant policies, and may not unreasonably interfere with Gorgias business activities. Any audits are at Customer’s sole expense. Customer shall reimburse Gorgias for any time expended by Gorgias and any third parties in connection with any audits or inspections under this Section 8 at Gorgias’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
9. Deletion of Personal Data
Gorgias shall, promptly and in any event within 90 days of expiration or termination of the Agreement, or following receipt of written notice from Customer, (a) return a complete copy of all Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Gorgias; and (b) delete and procure the deletion of all other copies of Personal Data Processed by Gorgias. This obligation is in addition to Gorgias’ obligations concerning the destruction or return of Customer’s Confidential Information as provided in the Agreement.
10. Third Party Disclosure Requests
10.1 Unless prohibited by applicable law, Gorgias shall promptly notify Customer of any inquiry, communication, request or complaint, to the extent relating to Gorgias’s Processing of Personal Data on behalf of Customer, from:
(a) any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
(b) any Data Subject,
and shall, taking into account the nature of the Processing, provide reasonable assistance to enable Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Gorgias shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 10.1 and Section 10.2.
10.2 In the event that Gorgias is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Customer, including any national security authority or other government body, Gorgias shall attempt to redirect the government request to Customer. If Gorgias is unable to redirect the request, Gorgias shall, unless prohibited by applicable law, notify Customer promptly and shall provide all reasonable assistance to Customer to enable Customer to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines. If Gorgias is prohibited by applicable law from providing notice to Customer of a Legal Request, Gorgias shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Gorgias shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 10.2.
10.3 Transfers of Personal Data Outside of the European Economic Area, the United Kingdom, and Switzerland. Where Personal Data originating in the European Economic Area is Processed by Gorgias outside the European Economic Area, in a territory that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to Applicable Privacy Law, Customer and Gorgias agree that the transfer shall be undertaken pursuant to the Standard Contractual Clauses, which form an integral part of this DPA. For transfers from Switzerland only, the term “personal data” as used in the Standard Contractual Clauses shall include, as applicable, personality profiles and the personal data of legal persons. Gorgias shall provide a copy of the signed version of the Standard Contractual Clauses to Customer upon request.
11. Claims. Any claims brought under, or in connection with, this DPA, shall be subject to the exclusions and limitations of liability set forth in the Agreement.