DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) applies to the Services provided pursuant to the Surge Social LLC Platform License Agreement (the “Terms”) to which this Addendum is attached (the “Agreement”) between Surge Social LLC (“Surge Social”) and you (“Customer”). This Addendum is hereby incorporated into and made a part of the Agreement.

Purpose And Application

This Addendum is the parties’ agreement with respect to the Processing by Surge Sociali of Personal Data under the Agreement. The terms of this Addendum apply where the GDPR applies to the Processing of Personal Data.

The terms of this Addendum shall be in force on the date of the registration for an account with Surge Social.

Definitions

Capitalized terms used but not defined in this Addendum have the meanings set out in the Agreement. In this Addendum, unless stated otherwise:

“Authorized Personnel” has the meaning given to the term in Section 4.1.2.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“End User Data” has the meaning given to the term in the Agreement.

“Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.

“Data Protection Laws” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Personal Data” means End User Data that is information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed upon or with respect to Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.

“Processor” means the natural or legal person which Processes Personal Data on behalf of the Controller.

“Restricted Transfer” means the transfer of any Personal Data to which the GDPR applies to any country or organisation, where such transfer would not be permitted by the GDPR in the absence of some legal basis permitted by the GDPR.

“Services” means the Services set out in the Terms.

“Subprocessor” means a third-party who Processes End User Data on behalf of the Processor in order to provide portions of the Services.

Processing of Personal Data

3.1 Roles and Responsibilities

3.1.1 Where the GDPR applies to the Processing of Personal Data by Surge Social, Customer is, for all purposes and with respect to all Data Protection Laws, the Controller of the Personal Data and Surge Sociali is the Processor of the Personal Data, except only when Customer acts as a Processor of Personal Data on behalf of a third party who is the Controller of same, in which case Surge Social shall be only a Subprocessor. Where Surge Social is a Subprocessor, Customer represents and warrants that it has all necessary authority of the relevant Controller to engage Surge Social as a Subprocessor. Notwithstanding anything to the contrary, in all cases, Customer acknowledges, agrees and represents that Surge Social shall not be the Controller of Personal Data.

3.1.2 Surge Social shall only comply with Data Protection Laws to the extent they apply to Surge Social`s Processing of Personal Data on behalf of Customer. Customer shall comply with all Data Protection Laws applicable to Personal Data. For clarity, Customer shall obtain all required consent from the data subjects of Personal Data for Surge Social to Process Personal Data and shall comply with all obligations under Data Protection Laws as a Controller of Personal Data and all similar obligations.

3.1.3 In the provision of some services, Surge Social, on receipt of instructions from Customer, may transfer Personal Data to and otherwise interact with third-party data Processors. Customer agrees that if and to the extent such transfers occur, Customer is responsible for entering into separate contractual arrangements with such third-party data Processors binding them to comply with obligations in accordance with Data Protection Requirements. For avoidance of doubt, such third-party data Processors are not Subprocessors.

3.2 Scope of Processing

3.2.1 Customer instructs Surge Social to process Personal Data: (a) to provide the Services; (b) as set out in the Agreement, including this Addendum; (c) as specified by Customer’s use of the Services; and, (d) as further documented in any other of Customer’s written instructions that are acknowledged by Surge Social as being instructions for the purposes of the Agreement.

3.2.2 Customer’s instructions for Surge Social`s Processing of Personal Data shall comply with all Data Protection Laws. Customer shall not instruct Surge Social to undertake any Restricted Transfer.

3.2.3 Notwithstanding Section 3.2.1 above, Surge Social may Process Personal Data where required by any applicable law to which Surge Social is subject, in which case Surge Social shall (to the extent permitted by law) inform Customer of that legal requirement before carrying out the Processing.

3.2.4 The nature and purpose of Surge Social’s Processing of Personal Data shall be to provide the Services pursuant to the Agreement. The type of Personal Data, the categories of data subjects, and the obligation and rights of Customer are set out in the Agreement, including in this Addendum.

Security

4.1 Security Measures

4.1.1 Surge Social has taken, and Customer shall take, taking into account the costs of implementation, and the nature, scope, context and purposes of Processing, the appropriate technical and organizational measures to ensure a level of security for the Personal Data, within their respective possession, which is appropriate to the risks to the applicable individual data subjects that may result from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.

4.1.2 Surge Social shall cause that access to Personal Data within the possession of Surge Social is limited to those individuals who need access in order to meet Surge Social’s obligations under the Agreement (together the “Authorized Personnel”).

4.1.3 All Authorized Personnel are or will be trained in the handling of Personal Data, informed of the confidential nature of the Personal Data, and will be bound by appropriate confidentiality obligations when accessing it, and they will not Process Personal Data except pursuant to the instructions of Customer.

4.2 Data Incident

4.2.1 On becoming aware of a Data Incident, Surge Social will: (a) notify Customer of the Data Incident without undue delay; (b) make reasonable efforts to identify the cause of such Data Incident; and, (c) where the Data Incident was not caused by Customer or any User, take those steps that Surge Social deems necessary and reasonable in order to remediate the cause of the Data Incident to the extent the cause of the Data Incident is in Surge Social’s reasonable control.

Subprocessors

5.1 General

5.1.1 Surge Social shall not engage Subprocessors (excluding independent contractors) without prior specific or general written authorization of Customer and will require such Subprocessors to be bound by provisions substantially similar to those in this Addendum, as applicable. A list of Surge Sociali’s current Subprocessors are set out in Appendix A and Customer hereby authorizes Surge Social to use such Subprocessors.

5.1.2 Surge Social may, at its discretion, choose to engage additional third-parties as Subprocessors generally. If Surge Social chooses to engage Subprocessors generally, Surge Social will inform Customer of any new Subprocessors at least 30 days prior to authorizing the Subprocessor to Process Personal Data and Customer may object to the new Subprocessor by providing Surge Social written notice within 15 days of receipt of such notice. If Customer objects to the new Subprocessor under this Section 5.1.2: (i) Surge Social will, in its sole discretion, provide the Services without the new Subprocessor Processing any Personal Data; or, (ii) Customer may terminate the Services which require the new Subprocessor.

Audits

6.1 GDPR Audits

6.1.1 Where the Processing of Personal Data is subject to the GDPR, at Customer’s sole expense, Surge Social shall make available to Customer such of Surge Social’s information as is reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

Deletion and Return of PErsonal Data

7.1.1 At the end of the Services and at the choice of Customer, Surge Social shall delete or return all the Personal Data to Customer, and delete all Personal Data unless prohibited by Data Protection Laws.

Rights of Data Subjects

8.1.1 Surge Social shall, at Customer’s sole expense, fulfill data subject requests to access, rectify, and restrict processing of Personal Data in a manner consistent with Data Protection Laws, the functionality of the Services, and Surge Social’s role as a Processor.

Impact Assessment

9.1.1 Where the Processing of Personal Data is subject to the GDPR, at Customer’s sole expense, Surge Social will provide reasonable assistance to Customer in its obligations to comply with its obligations to conduct privacy impact assessments and consult with regulatory bodies in relation to any Processing of Personal Data undertaken under this Agreement.

Indemnity

10.1.1 Customer shall fully indemnify and keep indemnified and defend at its own expense Surge Social against all liability, losses, claims, costs and reasonable expenses, including legal fees, which Surge Social may incur, or for which Surge Social may become liable to the extent arising from any Processing of Personal Data in accordance with the instructions of the Customer, any Customer breach of this Addendum or any Data Protection Laws, or any of Customer’s acts or omissions in respect of its obligations as a Controller of Personal Data.

APPENDIX A: Surge Social Subprocessors

Surge Social uses the following sub-processors to assist in providing Services on behalf of Surge Social Customers:

Amazon Web Services (Data Hosting) – https://aws.amazon.com/compliance/eu-data-protection/
Sendgrid – Email service provider – https://www.sendgrid.com/resource/general-data-protection-regulation/
Twilio (SMS service provider) – https://www.twilio.com/gdpr
Google, Inc. (Map APIs and analytics) – https://cloud.google.com/security/gdpr/
Facebook, Inc. (Social network) – https://www.facebook.com/business/gdpr
Zapier, Inc. (Web app automation) – https://zapier.com/help/gdpr/
Periscope Data (Data analytics) – https://www.periscopedata.com/gdpr
Segment (Analytics management) – https://segment.com/docs/legal/privacy/
FullStory (User analytics) – https://help.fullstory.com/gdpr
BugSnag (Error reporting) – https://www.bugsnag.com/security/
Logentries.com, Inc. (System logging) – https://docs.logentries.com/docs/security/
Recurly (Credit card processing) – https://recurly.com/legal/
Stripe (Payments) – https://stripe.com/ca/privacy
PayPal (Payments) – https://www.paypal.com/gdpr
Intercom Inc. (Live chat) – https://docs.intercom.com/privacy
Active Campaign (CRM) – https://www.activecampaign.com/gdpr
Close.io (CRM) – https://close.io/gdpr/
ClickFunnels (Website marketing) – https://signup.clickfunnels.com/gdpr-policy
Typeform (Data forms) – https://admin.typeform.com/to/dwk6gt
FirstPromoter (Affiliate software) – https://firstpromoter.com/gdpr
Shopify, Inc. (Online store) – https://help.shopify.com/manual/your-account/GDPR
Whiplash Merchandising (Shipping) – https://docs.getwhiplash.com/pages/gdpr-and-data-privacy

More information Surge Social’s Privacy & Compliance can be found at:

Licence Agreement

Any questions regarding this Data Processing Addendum should be sent to: support@surgesocial.com

Last Updated: May 25, 2018

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
_GRECAPTCHA	5 months 27 days	Google Recaptcha service sets this cookie to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.

Cookie	Duration	Description
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.
_gaexp	14 days 10 hours	Google Optimize sets this cookie to determine a user's inclusion in an experiment and the expiration of experiments a user has been included in.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect a user's first pageview session, which is a True/False flag set by the cookie.
messagesUtk	5 months 27 days	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.
pll_language	1 year	Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way.

Cookie	Duration	Description
__hstc	5 months 27 days	Hubspot set this main cookie for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_fbp	3 months	Facebook sets this cookie to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising after visiting the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores the true/false value, indicating whether it was the first time Hotjar saw this user.
_hjRecordingEnabled	never	Hotjar sets this cookie when a Recording starts and is read when the recording module is initialized, to see if the user is already in a recording in a particular session.
_hjRecordingLastActivity	never	Hotjar sets this cookie when a user recording starts and when data is sent through the WebSocket.
_hjSession_*	30 minutes	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
fr	3 months	Facebook sets this cookie to show relevant advertisements by tracking user behaviour across the web, on sites with Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_hjIncludedInSessionSample_3583452	2 minutes	Description is currently not available.
ASI	30 minutes	Description is currently not available.
CCK	3 hours	Description is currently not available.
CDI	1 year	Description is currently not available.
cf_clearance	1 year	Description is currently not available.
CPA	3 hours	Description is currently not available.
guest	1 month	No description available.
JOTFORM_SESSION	session	No description available.
userReferer	1 month	No description available.
VISITOR_PRIVACY_METADATA	5 months 27 days	Description is currently not available.

DATA PROCESSING ADDENDUM

Privacy Policy

License Agreement

Data Processing Addendum

Dear User!