Privacy Addendum


Last updated: December 1, 2023


This Privacy Addendum (this “Addendum”), entered into by SOCi, Inc. (“SOCi”) and the customer identified on the applicable SOCi ordering document for SOCi services (“Customer”) (each, a “Party” and collectively, the “Parties”), governs the Processing of Personal Data that Customer provides or otherwise makes available to SOCi in connection with the delivery of SOCi’s products and services (“Services”).

This Addendum is incorporated into the relevant SOCi services agreement executed by the Parties (the “Agreement”). This Addendum reflects the Parties’ agreement with respect to the Processing of the Customer Personal Data (as defined below) pursuant to the Agreement and is applicable solely to the extent that the Data Protection and Privacy Laws apply (as defined below). In the event of any inconsistency between the terms of the Agreement and this Addendum, the terms of this Addendum shall prevail.

1. Definitions. Capitalized terms used in this Addendum that are not defined herein shall have the same meaning as set forth in the Agreement.

  • 1.1 “Controller” means the party that alone or jointly with others determines the purpose(s) and means of the Processing of Personal Data.
  • 1.2 “Data Protection and Privacy Laws” means the data protection and privacy laws and regulations applicable to the Processing of Personal Data in any relevant jurisdiction, including the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (the “UK GDPR”), the U.S. State Privacy Laws, and any other similar applicable laws that are in effect or come into effect during the term of the Agreement.
  • 1.3 “Personal Data” means any information relating to an identified or identifiable individual that is subject to protection under the Data Protection and Privacy Laws and includes information that is referred to as “personal data” or “personal information” in the Data Protection and Privacy Laws.
  • 1.4 “Personal Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the Customer Personal Data.
  • 1.5 “Privacy Rights Request” means a request made by (or on behalf of) an individual to exercise his or her rights under the Data Protection and Privacy Laws in relation to the Customer Personal Data.
  • 1.6 “Process” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means.
  • 1.7 “Processor” means the party that Processes Personal Data on behalf of the Controller.
  • 1.8 “Subcontractor” means a party engaged by SOCi in the Processing of the Customer Personal Data on Customer’s behalf.
  • 1.9 “U.S. State Privacy Laws” means the U.S. state privacy laws and regulations applicable to the Processing of Personal Data, including the California Consumer Privacy Act, as amended, including by the California Privacy Rights Act and implementing regulations (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Act Concerning Protection and Online Monitoring (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and any other similar applicable laws that are in effect or come into effect during the term of the Agreement.
  • 1.10 The terms “Business,” “Sale” (or “Sell”), “Service Provider,” and “Share” have the meanings ascribed to them in the CCPA.

2. Processing of the Customer Personal Data

  • 2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of any Personal Data that Customer provides or otherwise makes available to SOCi for Processing on Customer’s behalf (“Customer Personal Data”), Customer is the Business or Controller and SOCi is the Service Provider or Processor. Each Party shall comply with the obligations that apply to it under the Data Protection and Privacy Laws and provide the Customer Personal Data the level of privacy protection required by such laws. In the event that either Party determines that it can no longer meet its obligations under the Data Protection and Privacy Laws with respect to the Customer Personal Data, it shall take commercially reasonable steps to notify the other Party.
  • 2.2 SOCi’s Processing of the Customer Personal Data. Customer makes the Customer Personal Data available to SOCi for the limited and specified business purpose of performing the Services on behalf of Customer (as further described in Appendix I, Details of the Processing). SOCi shall Process the Customer Personal Data only as permitted by the Agreement (including this Addendum) and in accordance with any additional documented instructions from Customer. If SOCi is required by applicable law to Process the Customer Personal Data for another purpose, SOCi shall take commercially reasonable steps to inform Customer of the legal obligation unless that law prohibits such information. SOCi shall not: (i) Sell or Share the Customer Personal Data; (ii) Process the Customer Personal Data for any commercial purpose other than the purposes specified in the Agreement and in this Addendum or as otherwise permitted by the Data Protection and Privacy Laws; (iii) Process the Customer Personal Data outside of the direct business relationship between Customer and SOCi unless expressly permitted by the Data Protection and Privacy Laws; or (iv) combine the Customer Personal Data with Personal Data that SOCi receives from, or on behalf of, another person or persons, or collects from its own interactions with individuals, unless such combining of Personal Data is expressly permitted by the Data Protection and Privacy Laws. SOCi will grant access to the Customer Personal Data only to its personnel who require access and are subject to appropriate confidentiality agreements or duties of confidentiality.
  • 2.3 Customer’s Processing Obligations. As the Business or Controller of the Customer Personal Data, Customer shall ensure that the Customer Personal Data is collected and provided or otherwise made available to SOCi in compliance with the Data Protection and Privacy Laws. In particular, Customer shall ensure that it has provided all legally-required notices and privacy disclosures to all individuals whose Personal Data is included in the Customer Personal Data. Customer shall also be responsible for the accuracy and use of the Customer Personal Data.

3. Data Security. Taking into account the nature of the Processing, SOCi shall maintain technical and organizational measures designed to protect the Customer Personal Data against any breach of security leading to the accidental or unlawful destruction, use, loss, alteration, unauthorized disclosure of, or unauthorized access to the Customer Personal Data. SOCi shall notify Customer without undue delay after becoming aware of a Personal Data Breach.

4. Assessments and Assistance. Upon reasonable written request, SOCi shall provide Customer with available information and documentation regarding SOCi’s Processing of the Customer Personal Data to assist Customer in fulfilling its obligation under the Data Protection and Privacy Laws to conduct and document data protection impact assessments (or other similar assessments). Additionally, taking into account the nature of the Processing and the information available to SOCi, upon reasonable written request, SOCi shall assist Customer in ensuring compliance with other obligations pursuant to the Data Protection and Privacy Laws.

5. Compliance Verification and Audits. At reasonable intervals during the term of the Agreement, not more than once in a given twelve (12) month period, SOCi shall, upon written request, make available to Customer information or documentation necessary to demonstrate its compliance with its obligations under this Addendum with respect to the Customer Personal Data. In the event of a Personal Data Breach, at the reasonable written request of Customer, SOCi shall allow for and contribute to an audit conducted by an independent third-party auditor mutually agreed upon by the Parties to assess SOCi’s data security measures. Any such audit shall be at the expense of Customer and conducted during normal business hours and in a manner that minimizes any disruption to SOCi’s business and operations. If an audit conducted pursuant to this Section 5 reveals any unauthorized use of the Customer Personal Data by SOCi, Customer and SOCi shall promptly work together in good faith to agree upon reasonable and appropriate steps to stop and remediate the unauthorized use. If, in SOCi’s opinion, any instruction from Customer pursuant to this Section 5 infringes the Data Protection and Privacy Laws, SOCi shall take commercially reasonable steps to notify Customer.

6. Privacy Rights Requests. Customer shall notify SOCi in writing or through other methods agreed upon by the Parties of all Privacy Rights Requests it receives relating to the Customer Personal Data with which SOCi must comply. Taking into account the nature of the Processing and the information available, SOCi shall assist Customer in fulfilling its obligation to respond to Privacy Rights Requests, insofar as this is possible.

7. Subcontractors. As of the Effective Date, Customer authorizes SOCi to engage the parties listed here: www.soci.ai/subprocessors/ in the Processing of the Customer Personal Data as Subcontractors, provided that SOCi has in place a written agreement with each party that imposes on it the same restrictions and requirements with respect to Personal Data imposed on SOCi in this Addendum. SOCi shall provide Customer with twenty (20) days’ prior notice of its plans to engage any additional party in the Processing of the Customer Personal Data by updating the information on this page: www.soci.ai/subprocessors/. If, during that 20-day period, Customer objects to SOCi’s appointment of an additional party on reasonable grounds relating to the protection of the Customer Personal Data, the Parties will promptly work together in good faith to address Customer’s concerns.

8. International Transfers of the Customer Personal Data. Customer authorizes SOCi to Process the Customer Personal Data in the United States and any other country or jurisdiction in which SOCi or any Subcontractor maintains facilities.

  • 8.1 With regard to any transfers of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to countries that do not provide adequate protection for such data (as determined by the Data Protection and Privacy Laws) (“Data Transfers”), and except as provided in Sections 8.2 and 8.3 below, the Data Transfers will be conducted pursuant to the EU-U.S. Data Protection Framework (“DPF”) for Personal Data transferred from the European Economic Area, the UK Extension to the EU-U.S. DPF for Personal Data transferred from the United Kingdom (and Gibraltar), and the Swiss-U.S. Data Privacy Framework for Personal Data transferred from Switzerland, unless the Parties agree to enter into the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council (available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (the “SCCs”) in support of such transfer.
  • 8.2 EU Standard Contractual Clauses: Where the Parties have agreed to enter into the SCCs as an alternative mechanism to the DPF for Data Transfers from the European Economic Area, the Parties agree that the terms of Module Two (Transfer controller to processor) of the SCCs, which are incorporated herein by reference, shall apply and be considered duly executed between the Parties. Under the SCCs, Customer acts as the “data exporter” and SOCi acts as the “data importer.” Additionally, the following terms apply: (i) the Data Protection Commission of Ireland shall be the competent Supervisory Authority pursuant to Clause 13 of the SCCs; (ii) the SCCs shall be governed by the law of Ireland, which allows for third-party beneficiary rights pursuant to Clause 17 of the SCCs; and (iii) any dispute arising from the SCCs shall be resolved by the courts of Ireland pursuant to Clause 18 of the SCCs. Appendix I to this Addendum shall apply as Annex I of the SCCs, Appendix II to this Addendum shall apply as Annex II of the SCCs, and Appendix III of this Addendum shall apply as Annex III of the SCCs. Notwithstanding the foregoing, where Customer is established in Switzerland or falls within the territorial scope of application of the revised Swiss Federal Act on Data Protection (“revFADP”), the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by the revFADP; in addition, for the purposes of Clause 18, for data subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
  • 8.3 UK Addendum: Where the Parties have agreed to enter into the SCCs as an alternative mechanism to the DPF for Data Transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (the “UK Addendum”), the terms of which are incorporated herein by reference, shall be deemed executed between the Parties, and the SCCs between the Parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of the Customer Personal Data outside of the UK.

9. Deletion or Return of the Customer Personal Data. Upon termination or expiration of the Agreement, SOCi, at Customer’s written request and to the extent technically feasible, shall either delete or return to Customer the Customer Personal Data, unless retention of the data is required or permitted by any applicable law.

10. Modifications. The Parties agree to cooperate in good faith to amend the terms of this Addendum and/or enter into additional terms as necessary to address modifications, amendments, or updates to the Data Protection and Privacy Laws.

Appendix I

Details of the Processing

This Appendix I describes the Processing of the Customer Personal Data by SOCi on Customer’s behalf.

Categories of Personal Data Processed: The categories of Personal Data Processed include:

  • Names
  • Contact information (e.g., email addresses, phone numbers, physical addresses, etc.)
  • Online identifiers (e.g., cookie IDs, device IDs, IP addresses, etc.)
  • Internet or other electronic network activity information (e.g., information about interactions with online services)
  • Commercial information (e.g., purchase, order, or transaction details)
  • Professional information (e.g., company names, job titles/roles, etc.)
  • Photos/videos

Categories of individuals impacted by the Processing: The Customer Personal Data relates to individuals from or about whom Customer collects Personal Data.

Nature and purpose of the Processing: SOCi will Process the Customer Personal Data as necessary to provide the Services and as otherwise permitted by applicable law.

Duration of the Processing: The term of the Agreement.

The following additional details are applicable to the extent required under the SCCs.

A. LIST OF PARTIES

Data exporter

Name: The Customer as listed in the Agreement.

Address: As provided in the Agreement.

Contact person’s name, position and contact details: As provided in the Agreement.

Activities relevant to the data transferred under these Clauses: As provided in the Agreement.

Role (controller/processor): Controller

Data importer

Name: SOCi, Inc.

Address: As provided in the Agreement.

Contact person’s name, position and contact details: As provided in the Agreement.

Activities relevant to the data transferred under these Clauses: As provided in the Agreement.

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described in the table above.

Categories of personal data transferred

As described in the table above.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

Collection, recording, organization, structuring, storage, adaptation, use, disclosure, and other processing in accordance with the provision of the Services.

Purpose(s) of the data transfer and further processing

Provision of the Services and compliance with applicable law.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As specified in Section 9 of the Addendum.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As specified in Section 7 of the Addendum.

C. COMPETENT SUPERVISORY AUTHORITY

Customer agrees that the competent supervisory authority will be the Data Protection Commission of Ireland.

Appendix II

Security Measures

SOCi has implemented technical and administrative safeguards to protect Personal Data or Personal Information (as defined under applicable Privacy Laws), where applicable to the SOCi Platform and Subscription Services, against security incidents, which include the following security measures (all capitalized terms used herein are defined in Customer’s Agreement or as defined under applicable Privacy Laws):

  • Information Security Policy: SOCi has implemented a written information security policy that mandates the use of appropriate technical and organizational security measures in SOCi’s organization to protect Personal Data or Personal Information (as defined under applicable privacy laws) against unauthorized and unlawful processing and against accidental loss, damage or destruction as well as appropriate measures in the event of an actual or suspected data or security breach.
  • Security Function: SOCi has designated a security committee tasked with responsibility for the development, implementation, and maintenance of SOCi’s information security practice. SOCi employs a VP of Information Security to oversee the information security function, and a Virtual Security Team (VST) to actively manage security issues.
  • Physical Security: SOCi’s Servers hosting Customer Data are secured in Amazon Data Centers and Google Cloud. Refer to https://aws.amazon.com/compliance/data-center/controls/ and/or https://cloud.google.com/security/compliance for details.
  • Logical Security: SOCi supports and recommends customers’ use of Single Sign-On. To the extent that customers use a customized login for their SOCi instance, SOCi saves a secure hash of the password, not the password itself.
  • Network Security: SOCi relies on Amazon Web Services and Google Cloud network protection features to protect Personal Data and to safeguard against threats. SOCi also conducts independent pen tests and periodic assessments of its security setup. SOCi has implemented appropriate network security controls in both its internal network and its cloud network systems.
  • Encryption: SOCi encrypts data at rest, uses HTTPS by default for all internet traffic and uses secure protocols to connect to Social Media service providers and other third-party systems. All encryption utilizes industry standard encryption techniques.
  • Access Controls: SOCi has implemented role-based access controls that restrict access to Personal Data it processes to duly authorized employees and contractors who require access only to the extent necessary for the performance of their duties. SOCi has appointed a system administrator with overall responsibility for granting, changing or voiding data access privileges to its data processing systems. Access is controlled by multiple technical systems, and administrative access is logged.
  • Usernames and Passwords: Access to Personal Data is controlled through access privileges (described above), usernames and confidential passwords. No two Users may share or use the same username. Users will be required to change their passwords on a regular basis. All User passwords have a minimum character requirement.
  • Back-up: SOCi has taken and will continue to take regular, at least weekly, back-ups of the Personal Data that it processes on behalf of the data exporter. Data back-ups are stored securely in different availability zones and will be available for data restoration in the event of catastrophic system failure and non-catastrophic system failure or user error.
  • Disaster Recovery and Business Continuity: SOCi has implemented appropriate disaster recovery and business continuity plans that ensure the availability, security, integrity and (where necessary) restoration of the Personal Data on the occurrence of a business interruption event. Business continuity and incident response processes are tested at least annually.
  • Audit: SOCi will audit its compliance with the agreement between SOCi and Customer and its information security policy at least once per annum or in the event of a material change. Any remedial measures identified as necessary following an audit will be remediated in the order of severity. SOCi has multiple independent audits performed each year. A copy of SOCi’s current audit reports will be provided upon request.
  • Secure Disposal: SOCi has implemented policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed.

Appendix III

List of Sub-Processors

Customer has authorized the use of the parties listed on this page: www.soci.ai/subprocessors/
