OrgChartHub Data Protection Addendum

1               Definitions

1.1           In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:

Applicable Law

means applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states from time to time together with applicable laws in the United Kingdom from time to time;

Appropriate Safeguards

means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Controller

has the meaning given to that term in Data Protection Laws;

Data Protection Laws

means as applicable and binding on the Customer, OrgChartHub and/or the Services:

(a)            in the United Kingdom:

(i)              the Data Protection Act 2018; and

(ii)             the GDPR, and/or any corresponding or equivalent national laws or regulations;

(b)            in member states of the European Union (EU) and/or European Economic Area (EEA): the GDPR and all relevant EU and EEA member state laws or regulations giving effect to or corresponding with any of the GDPR; and

(c)            any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;

Data Subject

has the meaning given to that term in Data Protection Laws;

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

GDPR

means the General Data Protection Regulation, Regulation (EU) 2016/679;

International Recipient

means any countries outside the United Kingdom and/or the European Economic Area;

List of Sub-Processors

means Microsoft, Google, Amazon Web Services, and any organisation listed in the latest version of the list of Sub-Processors used by OrgChartHub, as Updated from time to time, which as at Order Acceptance is available at https://orgcharthub.com/legal/sub-processors

OrgChartHub Terms of Service

means the latest version of OrgChartHub’s terms of service available at https://orgcharthub.com/legal/terms-of-service, as Updated from time to time;

Personal Data

has the meaning given to that term in Data Protection Laws;

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

processing

has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);

Processing Instructions

has the meaning given to that term in paragraph 3.1.1;

Processor

has the meaning given to that term in Data Protection Laws;

Protected Data

means Personal Data in the Customer Data;

Sub-Processor

means another Processor engaged by OrgChartHub for carrying out processing activities in respect of the Protected Data on behalf of the Customer; and

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

2               Processor and Controller

2.1           The parties agree that, for the Protected Data, the Customer shall be the Controller and OrgChartHub shall be the Processor.

2.2           To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct OrgChartHub to process the Protected Data in accordance with our Agreement.

2.3           OrgChartHub shall process Protected Data in compliance with:

2.3.1       the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under our Agreement; and

2.3.2       the terms of our Agreement.

2.4           The Customer shall ensure that it and each Authorised User shall at all times comply with:

2.4.1       all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

2.4.2       the terms of our Agreement.

2.5           The Customer warrants, represents and undertakes, that at all times:

2.5.1       all Protected Data (if processed in accordance with our Agreement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws;

2.5.2       fair processing and other information notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by OrgChartHub and its Sub-Processors in accordance with our Agreement;

2.5.3       the Protected Data is accurate and up to date;

2.5.4       it shall establish and maintain adequate security measures to safeguard Protected Data in its possession or control from unauthorised access and copying and maintain complete and accurate backups of all Protected Data provided to OrgChartHub (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by OrgChartHub or any other person;

2.5.5       all instructions given by it to OrgChartHub in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and

2.5.6       it has undertaken due diligence in relation to OrgChartHub’s processing operations and commitments and it is satisfied (and all times it continues to use the Services remains satisfied) that:

(a)            OrgChartHub’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage OrgChartHub to process the Protected Data;

(b)            the technical and organisational measures set out in our Agreement (each as Updated from time to time) shall (if OrgChartHub complies with its obligations under such Addendum) ensure a level of security appropriate to the risk with regard to the Protected Data; and

(c)            OrgChartHub has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

3               Instructions and details of processing

3.1           Insofar as OrgChartHub processes Protected Data on behalf of the Customer, OrgChartHub:

3.1.1       unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this paragraph 3.1 and 3.2, as Updated from time to time (Processing Instructions);

3.1.2       if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and

3.1.3       shall promptly inform the Customer if OrgChartHub becomes aware of a Processing Instruction that, in OrgChartHub’s opinion, infringes Data Protection Laws, provided that:

(a)            this shall be without prejudice to paragraphs 2.4 and 2.5; and

(b)            to the maximum extent permitted by mandatory law, OrgChartHub shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of that information.

3.2           The processing of the Protected Data by OrgChartHub under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the schedule.

4               Technical and organisational measures

4.1           Taking into account the nature of the processing, OrgChartHub shall implement and maintain, at its cost and expense, appropriate technical and organisational measures to ensure a level of security appropriate to the nature of the Protected Data.

5               Using staff and other processors

5.1           OrgChartHub shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data except in accordance with our Agreement without the Customer’s written authorisation of that specific Sub-Processor (such authorisation not to be unreasonably withheld, conditioned or delayed).

5.2           The Customer authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as Updated from time to time.

5.3           OrgChartHub shall:

5.3.1       prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as those on OrgChartHub in this Addendum, that is enforceable by OrgChartHub;

5.3.2       ensure each such Sub-Processor complies with all such obligations; and

5.3.3       remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

5.4           OrgChartHub shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case OrgChartHub shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).

6               Assistance with compliance and Data Subject rights

6.1           OrgChartHub shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay OrgChartHub for all work, time, costs and expenses incurred in connection with such activity, calculated on a time and materials basis at OrgChartHub’s rates set out in OrgChartHub’s Standard Pricing Terms.

6.2           OrgChartHub shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to OrgChartHub) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:

6.2.1       security of processing;

6.2.2       data protection impact assessments (as such term is defined in Data Protection Laws);

6.2.3       prior consultation with a Supervisory Authority regarding high risk processing; and

6.2.4       notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,

provided the Customer shall pay OrgChartHub for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at OrgChartHub’s rates set out in OrgChartHub’s Standard Pricing Terms.

7               International data transfers

7.1           Subject to paragraph 7.2, OrgChartHub shall not transfer, or otherwise directly or indirectly disclose, any Protected Data to any International Recipient without the prior written consent of the Customer except where OrgChartHub is required to transfer the Protected Data by Applicable Law (and shall inform the Customer of that legal requirement before the transfer, unless those laws prevent it doing so).

7.2           The Customer agrees that OrgChartHub may transfer any Protected Data for to any International Recipient, provided all transfers by OrgChartHub of Protected Data to an International Recipient (and any onward transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of our Agreement shall constitute the Customer’s instructions with respect to transfers in accordance with paragraph 3.1.1.

7.3           The Customer acknowledges that due to the nature of cloud services, the Protected Data may also be transferred to other geographical locations in connection with use of the Service further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that OrgChartHub does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on its behalf) only initiate the transfer of Protected Data to other geographical locations if Appropriate Safeguards are in place and that such transfer is in compliance with all Applicable Laws.

8               Information and audit

8.1           OrgChartHub shall maintain, in accordance with Data Protection Laws binding on OrgChartHub, written records of all categories of processing activities carried out on behalf of the Customer.

8.2           The Customer may by written notice to OrgChartHub request information regarding OrgChartHub’s compliance with the obligations placed on it under this Data Protection Addendum. On receipt of such request OrgChartHub shall provide the Customer (or auditors mandated by the Customer) with a copy of the latest third party certifications and audits to the extent made generally available to its customers from time to time. Such copies are confidential to OrgChartHub and shall be OrgChartHub’s Confidential Information for the purposes of our Agreement.

8.3           OrgChartHub shall, on request by the Customer, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate OrgChartHub’s compliance with its obligations under this Data Protection Addendum and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose provided:

8.3.1       such audit, inspection or information request is reasonable, limited to information in OrgChartHub’s (or any Sub-Processor’s) possession or control and is subject to the Customer giving OrgChartHub reasonable prior notice of such audit, inspection or information request;

8.3.2       the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Customer or third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure OrgChartHub is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3);

8.3.3       all costs of such audit or inspection or responding to such information request shall be borne by the Customer, and OrgChartHub’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Customer on a time and materials basis in accordance with OrgChartHub’s Standard Pricing Terms;

8.3.4       the Customer’s rights under this paragraph 8.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if the Customer (acting reasonably) believes OrgChartHub is in breach of this Data Protection Addendum;

8.3.5       the Customer shall promptly (and in any event within one Business Day) report any non-compliance identified by the audit, inspection or release of information to OrgChartHub;

8.3.6       the Customer shall ensure that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure required by Applicable Law);

8.3.7       the Customer shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of OrgChartHub and each Sub-Processor; and

8.3.8       the Customer shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of OrgChartHub or any Sub-Processor whilst conducting any such audit or inspection.

9               Breach notification

9.1           In respect of any Personal Data Breach involving Protected Data, OrgChartHub shall, without undue delay:

9.1.1       notify the Customer of the Personal Data Breach; and

9.1.2       provide the Customer with details of the Personal Data Breach.

10             Deletion of Protected Data and copies

Following the end of the provision of the Services (or part) relating to the processing of Protected Data OrgChartHub shall dispose of Protected Data in accordance with its obligations under this Agreement. OrgChartHub shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.

The Schedule
Data processing details

Subject-matter of processing:

Provision of the OrgChartHub service

Duration of the processing:

Until the earlier of final termination or final expiry of our Agreement, except as otherwise expressly stated in our Agreement.

Nature and purpose of the processing:

 Processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Customer, in each case in a manner consistent with our Agreement

Type of Personal Data:

‘Placeholder’ data entered by the Customer using the Services; ‘Relationship’ data entered by the Customer using the Services.

Any personal data comprised in the Customer’s entries into any free text area in the Services.

Any personal data held in the Customer’s HubSpot account in respect of which OrgChartHub provides Support Services.

Categories of Data Subjects:

Sales prospects and contacts of the Customer.

Special categories of Personal Data:

None