
Data Processing Addendum

Last updated: November 7th, 2023

This GDPR Data Processing Addendum (“DPA”) forms part of the Terms of Service, entered into by and between the Customer and Koalify. (“Koalify”), pursuant to which Customer has accessed the Service as defined in the TOS. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of the Data Protection Legislation.

In the course of providing the Service to the Customer, Koalify may process personal data on behalf of the Customer. Koalify agrees to comply with the following provisions with respect to any personal data submitted by or for the Customer to the Service or collected and processed by or for Customer through the Service.

Any capitalized but undefined terms herein shall have the meaning set forth in the TOS.

  1. Definitions

“Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR in short), and all other applicable laws relating to processing of personal data.

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, and “Appropriate Technical and Organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation.

  2. Processing of personal data

The parties agree that Customer is the data controller and that Koalify is its data processor in relation to personal data that is processed in the course of providing the Service. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provides to Koalify pursuant to the TOS.

Koalify will process this personal data in respect of this DPA and the Data Protection Legislation.

The processing will be carried out until the term of the Service ceases in accordance with the Terms of Service. Further details of the data processing are set out in Annex 1 hereto.

  3. Processing with instructions of Customer

Koalify shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Terms of Service or as otherwise notified by Customer to Koalify from time to time).

If Koalify is required to process the personal data for any other purpose provided by applicable law to which it is subject, Koalify will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest.

Koalify shall notify Customer without undue delay if, in Koalify’s opinion, an instruction for the processing of personal data given by Customer infringes Data Protection Legislation.

  4. Technical and organisational measures

Koalify shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental or unlawful loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data, having regard to the nature of the personal data which is to be protected.

The list of technical and organisational security measures is in Annex 2.

  5. Subprocessors

Customer grants general consent to appoint subcontractors for the purpose of carrying out the processing activities under this DPA. The list of subcontractors is available in Annex 1.

The list of Subprocessors may be amended from time to time. Koalify will notify Customer about the intended changes regarding the addition or replacement of Subprocessors. Koalify will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Subcontractor’s non-compliance with applicable Data Protection Legislation.

Any Subprocessors will be permitted to process personal data only to deliver the services Koalify has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Koalify remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Koalify transfers personal data will have entered into written agreements with Koalify requiring that the subcontractor abide by terms substantially similar to this DPA. In this context, Koalify ensures that in the case of data transfers to third countries or countries without an adequacy decision by the European Commission, the data transfer is based on the EU standard contractual clauses (2021/914).

Koalify shall ensure that all Koalify personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this DPA.

  6. Providing assistance

Koalify shall assist the Customer by implementing appropriate measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data); however, Koalify will not respond to the request itself but will forward it to the Customer without undue delay.

Koalify shall take reasonable steps to assist Customer in meeting Customer’s obligations under Articles 32 to 36 GDPR, taking into account the nature of the processing under this DPA.

If Koalify becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Koalify in the course of providing the Service (a “Personal Data Breach”), it shall without undue delay, and where feasible, no later than 24 hours after becoming aware of the Personal Data Breach, notify Customer. Koalify shall also provide Customer (as soon as possible) with a description of the incident as well as periodic updates to information about the incident, including its impact on the Customer’s personal data.

Koalify will provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform data protection authorities and/or Data Subjects of the Personal Data Breach under the applicable laws. In addition, the Data Processor shall immediately remedy any underlying causes for each Personal Data Breach.

  7. Termination

At the end of the applicable term of the Service, Koalify shall, at Customer’s choice, securely destroy or return such personal data to Customer and delete any copies, unless applicable law obliges Koalify to store certain personal data.

  8. Audits

Koalify shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Service, which shall include providing reasonable access to the premises, resources and personnel used by Koalify in connection with the provision of the Service and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause.

The purposes of an audit pursuant to this Clause include verifying that Koalify is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation (GDPR and SCCs). Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Koalify of written information (including, without limitation, questionnaires, and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Koalify’s IT personnel.

Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Koalify’s IT system, data hosting sites or centers, or infrastructure will be permitted.

Audits are allowed only once a year, except in case of a Personal Data Breach.

  9. Liability

Subject to the relevant provisions in the Terms of Service, in application of Article 82 GDPR and the general provisions on liability, the following applies:

The data controller involved in the processing is liable for direct damage caused by a processing activity that infringes the GDPR or other applicable legislation.

The data processor is liable for the direct damage caused by the processing activity if the specific tasks and obligations provided for in this DPA are not met during the processing or in case he has acted outside or in violation of the legitimate instructions of the data controller.

The data controller or data processor can be exempted from its liability if he proves that he is in no way responsible for the event that caused the direct damage.

In case the data controller or data processor has fully compensated the direct damage, the data controller or data processor can recover from the other data controller or data processor the part of the compensation corresponding to their part of the liability for the damage.

Notwithstanding the Terms of Service, the data processor shall be fully responsible for any direct damages arising from Personal Data Breaches, when the data processor processes the data in violation of the Data Protection Legislation and/or fails to comply with the instructions of the data controller. The liability is extended to the maximum extent permitted by applicable law. The data processor is not liable for damages if it is proven that the data processor is not responsible for the damages.

The data processor shall maintain comprehensive and adequate insurance coverage to address liabilities arising from Personal Data Breaches. The data processor agrees to provide evidence of such insurance coverage upon request by the data controller.

  10. Miscellaneous

In the event of inconsistencies between the provisions of this DPA and the Terms of Service, the provisions of this DPA shall prevail. 

Should any provision of this DPA be or become invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes as closely as possible to the Parties' initial intent.  

The Parties to this DPA hereby submit to the exclusive jurisdiction as set out in the Terms of Service and accept that Belgian law shall apply to this DPA.  

Annex 1

Details of the Data Processing

Koalify shall process information to provide the Service pursuant to the TOS. Koalify shall process the Personal Data which the Customer makes available to Koalify by using the Service.

The following types of information may be sent to Koalify by using the Service:

Types of Personal Data

  • Company name
  • First Name
  • Last Name
  • Email address
  • Phone Numbers
  • Address
  • City
  • Country
  • Linkedin URL

Categories of Data Subjects

HubSpot Contacts and Companies of the Customer

Processing Activities

The provision of the Service by Koalify to Customer.

Subprocessors

  • Name of subprocessor: Digital Ocean Holdings, Inc.
  • Address of registered office: New York, 101 6th Ave
  • Place of processing: London
  • Nature of the processing (description of the nature of the processing, assets, …): Main hosting provider for the application. Holds all the application data.

Annex 2

Technical and organizational security measures

Columns: Measure; Nature (Technical, Organizational, Preventive, Detective)

  • Active directory structure and usage
  • Security equipment configuration
  • Generation of keys or client authentication certificates
  • System monitoring
  • Authentication
  • Confidentiality of communication
  • Intrusion detection
  • Anti-virus
  • VPN connection
  • Logs
  • Firewall configuration
  • Default passwords
  • Configuration standards
  • Encryption
  • System components inventory