This Data Processing Addendum (“Addendum”) applies to the Services provided pursuant to the Surge Social LLC Platform License Agreement (the “Terms”) to which this Addendum is attached (the “Agreement”) between Surge Social LLC (“Surge Social”) and you (“Customer”).  This Addendum is hereby incorporated into and made a part of the Agreement.

  1.   Purpose And Application

This Addendum is the parties’ agreement with respect to the Processing by Surge Sociali of Personal Data under the Agreement.  The terms of this Addendum apply where the GDPR applies to the Processing of Personal Data.

The terms of this Addendum shall be in force on the date of the registration for an account with Surge Social.

  1.   Definitions

Capitalized terms used but not defined in this Addendum have the meanings set out in the Agreement. In this Addendum, unless stated otherwise:

“Authorized Personnel” has the meaning given to the term in Section 4.1.2.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“End User Data” has the meaning given to the term in the Agreement.

“Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.

“Data Protection Laws” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Personal Data” means End User Data that is information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed upon or with respect to Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.

“Processor” means the natural or legal person which Processes Personal Data on behalf of the Controller.

“Restricted Transfer” means the transfer of any Personal Data to which the GDPR applies to any country or organisation, where such transfer would not be permitted by the GDPR in the absence of some legal basis permitted by the GDPR.

“Services” means the Services set out in the Terms.

“Subprocessor” means a third-party who Processes End User Data on behalf of the Processor in order to provide portions of the Services.

  1.   Processing of Personal Data

3.1   Roles and Responsibilities

3.1.1   Where the GDPR applies to the Processing of Personal Data by Surge Social, Customer is, for all purposes and with respect to all Data Protection Laws, the Controller of the Personal Data and Surge Sociali is the Processor of the Personal Data, except only when Customer acts as a Processor of Personal Data on behalf of a third party who is the Controller of same, in which case Surge Social shall be only a Subprocessor. Where Surge Social is a Subprocessor, Customer represents and warrants that it has all necessary authority of the relevant Controller to engage Surge Social as a Subprocessor. Notwithstanding anything to the contrary, in all cases, Customer acknowledges, agrees and represents that Surge Social shall not be the Controller of Personal Data.

3.1.2   Surge Social shall only comply with Data Protection Laws to the extent they apply to Surge Social`s Processing of Personal Data on behalf of Customer. Customer shall comply with all Data Protection Laws applicable to Personal Data. For clarity, Customer shall obtain all required consent from the data subjects of Personal Data for Surge Social to Process Personal Data and shall comply with all obligations under Data Protection Laws as a Controller of Personal Data and all similar obligations.

3.1.3   In the provision of some services, Surge Social, on receipt of instructions from Customer, may transfer Personal Data to and otherwise interact with third-party data Processors. Customer agrees that if and to the extent such transfers occur, Customer is responsible for entering into separate contractual arrangements with such third-party data Processors binding them to comply with obligations in accordance with Data Protection Requirements.  For avoidance of doubt, such third-party data Processors are not Subprocessors.

3.2   Scope of Processing

3.2.1   Customer instructs Surge Social to process Personal Data: (a) to provide the Services; (b) as set out in the Agreement, including this Addendum; (c) as specified by Customer’s use of the Services; and, (d) as further documented in any other of Customer’s written instructions that are acknowledged by Surge Social as being instructions for the purposes of the Agreement.

3.2.2   Customer’s instructions for Surge Social`s Processing of Personal Data shall comply with all Data Protection Laws. Customer shall not instruct Surge Social to undertake any Restricted Transfer.

3.2.3   Notwithstanding Section 3.2.1 above, Surge Social may Process Personal Data where required by any applicable law to which Surge Social is subject, in which case Surge Social shall (to the extent permitted by law) inform Customer of that legal requirement before carrying out the Processing.

3.2.4   The nature and purpose of Surge Social’s Processing of Personal Data shall be to provide the Services pursuant to the Agreement. The type of Personal Data, the categories of data subjects, and the obligation and rights of Customer are set out in the Agreement, including in this Addendum.

  1.   Security

4.1   Security Measures

4.1.1   Surge Social has taken, and Customer shall take, taking into account the costs of implementation, and the nature, scope, context and purposes of Processing, the appropriate technical and organizational measures to ensure a level of security for the Personal Data, within their respective possession, which is appropriate to the risks to the applicable individual data subjects that may result from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.

4.1.2   Surge Social shall cause that access to Personal Data within the possession of Surge Social is limited to those individuals who need access in order to meet Surge Social’s obligations under the Agreement (together the “Authorized Personnel”).

4.1.3   All Authorized Personnel are or will be trained in the handling of Personal Data, informed of the confidential nature of the Personal Data, and will be bound by appropriate confidentiality obligations when accessing it, and they will not Process Personal Data except pursuant to the instructions of Customer.

4.2   Data Incident

4.2.1   On becoming aware of a Data Incident, Surge Social will: (a) notify Customer of the Data Incident without undue delay; (b) make reasonable efforts to identify the cause of such Data Incident; and, (c) where the Data Incident was not caused by Customer or any User, take those steps that Surge Social deems necessary and reasonable in order to remediate the cause of the Data Incident to the extent the cause of the Data Incident is in Surge Social’s reasonable control.

  1.   Subprocessors

5.1   General

5.1.1   Surge Social shall not engage Subprocessors (excluding independent contractors) without prior specific or general written authorization of Customer and will require such Subprocessors to be bound by provisions substantially similar to those in this Addendum, as applicable. A list of Surge Sociali’s current Subprocessors are set out in Appendix A and Customer hereby authorizes Surge Social to use such Subprocessors.

5.1.2   Surge Social may, at its discretion, choose to engage additional third-parties as Subprocessors generally. If Surge Social chooses to engage Subprocessors generally, Surge Social will inform Customer of any new Subprocessors at least 30 days prior to authorizing the Subprocessor to Process Personal Data and Customer may object to the new Subprocessor by providing Surge Social written notice within 15 days of receipt of such notice. If Customer objects to the new Subprocessor under this Section 5.1.2: (i) Surge Social will, in its sole discretion, provide the Services without the new Subprocessor Processing any Personal Data; or, (ii) Customer may terminate the Services which require the new Subprocessor.

  1.   Audits

6.1   GDPR Audits

6.1.1   Where the Processing of Personal Data is subject to the GDPR, at Customer’s sole expense, Surge Social shall make available to Customer such of Surge Social’s information as is reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

  1.   Deletion and Return of PErsonal Data

7.1.1   At the end of the Services and at the choice of Customer, Surge Social shall delete or return all the Personal Data to Customer, and delete all Personal Data unless prohibited by Data Protection Laws.

  1.   Rights of Data Subjects

8.1.1   Surge Social shall, at Customer’s sole expense, fulfill data subject requests to access, rectify, and restrict processing of Personal Data in a manner consistent with Data Protection Laws, the functionality of the Services, and Surge Social’s role as a Processor.

  1.   Impact Assessment

9.1.1   Where the Processing of Personal Data is subject to the GDPR, at Customer’s sole expense, Surge Social will provide reasonable assistance to Customer in its obligations to comply with its obligations to conduct privacy impact assessments and consult with regulatory bodies in relation to any Processing of Personal Data undertaken under this Agreement.

  1.   Indemnity

10.1.1  Customer shall fully indemnify and keep indemnified and defend at its own expense Surge Social against all liability, losses, claims, costs and reasonable expenses, including legal fees, which Surge Social may incur, or for which Surge Social may become liable to the extent arising from any Processing of Personal Data in accordance with the instructions of the Customer, any Customer breach of this Addendum or any Data Protection Laws, or any of Customer’s acts or omissions in respect of its obligations as a Controller of Personal Data.


APPENDIX A: Surge Social Subprocessors

Surge Social uses the following sub-processors to assist in providing Services on behalf of Surge Social Customers:

  •   Amazon Web Services (Data Hosting) – https://aws.amazon.com/compliance/eu-data-protection/
  •   Sendgrid – Email service provider – https://www.sendgrid.com/resource/general-data-protection-regulation/
  •   Twilio (SMS service provider) – https://www.twilio.com/gdpr
  •   Google, Inc. (Map APIs and analytics) – https://cloud.google.com/security/gdpr/
  •   Facebook, Inc. (Social network) – https://www.facebook.com/business/gdpr
  •   Zapier, Inc. (Web app automation) – https://zapier.com/help/gdpr/
  •   Periscope Data (Data analytics) – https://www.periscopedata.com/gdpr
  •   Segment (Analytics management) – https://segment.com/docs/legal/privacy/
  •   FullStory (User analytics) – https://help.fullstory.com/gdpr
  •   BugSnag (Error reporting) – https://www.bugsnag.com/security/
  •   Logentries.com, Inc. (System logging) – https://docs.logentries.com/docs/security/
  •   Recurly (Credit card processing) – https://recurly.com/legal/
  •   Stripe (Payments) – https://stripe.com/ca/privacy
  •   PayPal (Payments) – https://www.paypal.com/gdpr
  •   Intercom Inc. (Live chat) – https://docs.intercom.com/privacy
  •   Active Campaign (CRM) – https://www.activecampaign.com/gdpr
  •   Close.io (CRM) – https://close.io/gdpr/
  •   ClickFunnels (Website marketing) – https://signup.clickfunnels.com/gdpr-policy
  •   Typeform (Data forms) – https://admin.typeform.com/to/dwk6gt
  •   FirstPromoter (Affiliate software) – https://firstpromoter.com/gdpr
  •   Shopify, Inc. (Online store) – https://help.shopify.com/manual/your-account/GDPR
  •   Whiplash Merchandising (Shipping) – https://docs.getwhiplash.com/pages/gdpr-and-data-privacy


More information Surge Social’s Privacy & Compliance can be found at:

Licence Agreement

Any questions regarding this Data Processing Addendum should be sent to: support@surgesocial.com

Last Updated: May 25, 2018