Last updated: September 28, 2017.
This Data Processing Addendum (“DPA”) forms part of the Gong.io Terms of Service (“Terms of Service”) between Gong.io Ltd., an Israeli corporation with a business office located at 1 Shenkar St. Herzlia, Israel and its Affiliates (“Gong.io”) and the Customer whose details are indicated in the Order Form (“Customer”) as set forth in the signature block below, to reflect the parties’ agreement with regard to the Processing of Personal Data. All capitalized terms not defined herein will have the meaning set forth in the Terms of Service.
1. DATA PROCESSING TERMS
In the course of providing the Service to Customer pursuant to the Terms of Service, Gong.io may Process Personal Data on behalf of Customer. Gong.io agrees to comply with the following provisions with respect to Personal Data processed by Gong.io as part of the Service for Customer.
1.1 “Affiliate” means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Terms of Service, where “control” means the ownership of a majority share of the voting stock, equity or voting interests of such entity.
1.2 “Gong.io Information Security Policy” means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by Gong.io upon request.
1.3 “Individual” means a natural person to whom Personal Data relates, also referred to as “Data Subject” pursuant to EU data protection Laws and regulations.
1.4 “Other Parties to the Call” means parties to Customer’s phone calls, video calls and online demos, other than Personnel.
1.5 “Personal Data” means data about an identified or identifiable Individual.
1.6 “Personnel” means the employees, agents, consultants and contractors of Customer and Customer’s Affiliates.
1.7 “Privacy Laws and Regulations” means all US federal and state privacy laws and regulations, Israeli privacy laws and regulations and data protection laws and regulations of the European Union, applicable to the Processing of Personal Data under the Terms of Service.
1.8 “Privacy Shield” means the EU-US Privacy Shield Framework, as administered by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
1.9 “Privacy Shield Principles” mean the Privacy Shield Principles, as supplemented by the Supplemental Principles and contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016, as may be amended, superseded or replaced.
1.10 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.11 “Service Notice” means a clear written or recorded notice about the Service and Customer’s use thereof, which at a minimum provides that the Service is a speech analytics tool, that it enables Customer to record, analyze and share for a limited period of time the recordings of phone calls, video calls and online demos (as applicable), including associated data and documentation (if applicable), and further includes information as required under the applicable law.
2. DATA PROCESSING
2.1 Scope and Roles. This DPA applies when Personal Data is Processed by Gong.io as part of Gong.io’s provision of Service, as further specified in the Terms of Service and the applicable Order Form. In this context, to the extent that EU Privacy Laws and Regulations apply to the Personal Data that Gong.io processes for Customer under the Terms of Service, Customer is the Data Controller and Gong.io and applicable Affiliates are the Data Processor under such laws and regulations.
2.2 Customer’s Processing of Personal Data. Customer’s instructions to Gong.io to Process Personal Data will comply with Data Protection Laws and Regulations. Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Customer acquired Personal Data, and Customer permissions to Process Personal Data pursuant to this DPA.
2.3 Instructions for Gong.io’s Processing of Personal Data. Gong.io will only Process Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs Gong.io to Process Personal Data for the following purposes: (i) Processing in accordance with the Terms of Service and applicable Order Forms; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Terms of Service and comply with applicable Privacy Laws and Regulations. Processing outside the scope of this DPA (if any) will require prior written agreement between Gong.io and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Gong.io for carrying out such instructions.
2.4 Processing for Legitimate Purposes. Notwithstanding, Gong.io may Process Personal Information for legitimate business purposes, including archiving, back-up and disaster recovery, cyber security, operations, control, improvements and development of Gong.io’s Service, fraud and service misuse prevention and legal and administrative proceedings.
3. RIGHTS OF INDIVIDUALS
3.1 Requests. Gong.io will, to the extent legally permitted, promptly notify Customer if it receives a request from an Individual, whose Personal Data is included in Customer’s Personal Data, or a request by the Individual’s legal guardians, to exercise the right to access, correct, amend or delete Personal Data related to the Individual, or to exercise such other personal right that the Individual is entitled to pursuant to the applicable Privacy Laws and Regulations.
3.2 Assistance. Gong.io will provide Customer with commercially reasonable cooperation and assistance in relation to handling the Individual’s request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Service. Except if not permitted under the applicable Privacy Laws and Regulations, Customer will reimburse Gong.io with any costs and expenses related to Gong.io’s provision of such assistance.
4. GONG.IO PERSONNEL
4.1 Limitation of Access. Gong.io will ensure that Gong.io’s access to Personal Data is limited to those personnel who require such access to perform the Terms of Service.
4.2 Confidentiality. Gong.io will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection and data security. Gong.io will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Gong.io will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
5. AFFILIATES AND THIRD-PARTY SERVICE PROVIDERS
5.1 Affiliates. Some or all of Gong.io’s obligations under the Terms of Service may be performed by Gong.io Affiliates.
5.2 Agents. Customer acknowledges and agrees that: (i) Gong.io’s Affiliates may retain Process Personal Data on Gong.io’s behalf to perform the Service under the Terms of Service; and (ii) Gong.io and Gong.io’s Affiliates respectively may engage third-party service providers in the performance of the Service. All Affiliates and agents to whom Gong.io transfers Personal Data to provide the Service have entered into written agreements with Gong.io or other binding instruments that bind them by substantially the same material obligations under this DPA.
5.3 Liability. Gong.io will be liable for the acts and omissions of its Affiliates and agents to the same extent Gong.io would be liable if performing the Service of each Affiliate or agent directly under the terms of this DPA, except as otherwise set forth in the Terms of Service.
5.4 Consent. Customer consents to Gong.io’s use of Gong.io Affiliates and agents in the performance of the Service in accordance with the terms of this Section 5.
6. ADDITIONAL TERMS FOR EU PERSONAL DATA
6.1 Gong.io Ltd. complies with Israeli Privacy Laws and Regulations. Transfer of Personal Data related to EU Individuals to Israel is made in accordance with the EU Commission decision 2011/61/EU of January 31, 2011, on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data.
6.2 Gong.io Inc. (a Gong.io Ltd. Affiliate) self-certifies to and complies with the Privacy Shield and will maintain its self-certification to and compliance with the Privacy Shield throughout the term of the Terms of Service.
6.3 All Gong.io Affiliates and agents to whom Gong.io transfers Personal Data to provide the Service are certified to the Privacy Shield, or provide at least the same level of protection for the Personal Data as is required by the relevant principles of the Privacy Shield and comply with the requirements under the Privacy Shield for the onward transfer of Personal Data to agents.
6.4 If the Privacy Shield is revoked, or if Gong.io or any of its Affiliates and agents are no longer able to continue complying with the Privacy Shield, then Gong.io will take such measures to continue facilitating the lawful Processing of Personal Data related to EU Individuals by Gong.io, and its Affiliates and agents.
7.1 Controls. Gong.io will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer’s Personal Data, pursuant to the Gong.io Information Security Policy. Gong.io regularly monitors compliance with these safeguards. Gong.io will not materially decrease the overall security of the Service during the term of the Terms of Service.
7.2 Policies, Certifications and Audit Reports. Gong.io uses external auditors to verify the adequacy of its security measures. The internal controls of the Service are subject to periodic testing by such auditors and are based on the Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organisation Control (SOC2) report. Upon Customer’s written request at reasonable intervals and subject to confidentiality limitations, Gong.io will make available to Customer that is not a Gong.io competitor (or to a third party auditor on Customer’s behalf, that is not a Gong.io competitor and subject to the auditor’s execution of Gong.io’s non-disclosure agreement), the then most recent version of the Gong.io Information Security Policy summaries of third-party audit or certification reports commonly made available to Gong.io Customers.
8. SECURITY BREACH MANAGEMENT AND NOTIFICATION
8.1 Breach prevention and management. Gong.io will maintain security incident management policies and procedures and will, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized access to, acquisition of, or disclosure of Customer Personal Data, by Gong.io or its Affiliates or agents of which Gong.io becomes aware (a “Security Incident”).
8.2 Remediation. To the extent that a Security Incident is caused by a violation of the requirements of this DPA by Gong.io, Gong.io will make reasonable efforts to identify and remediate the cause of such Security Incident.
10. DELETION AND RETENTION OF PERSONAL DATA
10.1 Data Deletion. Gong.io will return Customer Personal Data to Customer or delete such data in accordance with the procedures and timeframes specified in Gong.io’s data retention and destruction policies and procedures. At Customer’s request, Gong.io will state in writing that it has completed the deletion of the Customer Personal Data from its systems.
10.2 Data Retention. Notwithstanding, Customer acknowledges and agrees that Gong.io may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under the applicable law, including to retain data pursuant to legal requirements and to use such data to protect Gong.io, its Affiliates, agents and any person on their behalf in court and administrative proceedings, and for investigations and inspections related to the use of Gong.io’s services.
11. ANONYMIZED AND AGGREGATED DATA
Gong.io may process data based on extracts of Personal Data in an aggregated and non-identifiable form, for Gong.io’s legitimate business purposes, including for testing, development, controls and operations of the Service, and may share and retain such data at Gong.io’s discretion.
12. LIMITATION OF LIABILITY
Each party’s and its Affiliates’ liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to the section ‘Limitation of Liability’ of the Terms of Service, and any reference in such section to the liability of a party means that party and its Affiliates in the aggregate.
This DPA will commence on the same date that the Terms of Service are effective, and will continue until the Terms of Service are expired or terminated, pursuant to the terms therein.
14.1 Gong.io’s compliance team is responsible for making sure that all relevant Gong.io personnel adhere to this DPA.
14.2 Gong.io’s compliance team can be reached at: firstname.lastname@example.org.