Data Processing Agreement
Last Updated: December 9, 2023
Interpretation and Definitions
Terms beginning with capital letters are defined under the following conditions. These definitions apply irrespective of whether they are in singular or plural form.
Company (also known as "the Company", "We", "Us", or "Our" in this Agreement) pertains to KBP Holdings (Pty) Ltd., located at 47 Commodore Close, Pezula Golf Estate, Knysna, South Africa.
Customer Data means any personal data processed by ClientManager on behalf of the Customer through the Service, as detailed in this DPA.
Control denotes an ownership, voting, or similar stake representing fifty percent (50%) or more of the total interests of the entity in question. "Controlled" will be interpreted in line with this definition.
Data Protection Laws encompass all applicable laws and regulations related to a party’s processing of Customer Data under this Agreement, including, as appropriate, European Data Protection Laws and Non-European Data Protection Laws.
European Data Protection Laws include all data protection laws and regulations relevant to Europe, comprising (i) the General Data Protection Regulation (GDPR) (Regulation 2016/679); (ii) Directive 2002/58/EC for privacy in electronic communications; (iii) national implementations of (i) and (ii); (iv) GDPR as part of UK law under the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018; and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance.
Europe, in this DPA, refers to the European Economic Area (EEA) member states, Switzerland, and the United Kingdom (UK).
Non-European Data Protection Laws involve the California Consumer Privacy Act (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Brazilian General Data Protection Law (LGPD, Federal Law no. 13,709/2018), and the Australian Privacy Law (Privacy Act 1988 (Cth), as amended).
Security Incident is any unauthorized or illegal security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or controlled by ClientManager.
Sensitive Data includes (a) identifiers like social security, tax file, passport, or driver’s license numbers; (b) full credit or debit card numbers; (c) personal employment, financial, credit, genetic, biometric, or health details; (d) information on racial, ethnic, political, or religious beliefs, trade union membership, sexual life or orientation, or criminal record; (e) account passwords; or (f) data categorized as “special categories of data” under Data Protection Laws.
Sub-processor means any processor used by ClientManager or its Affiliates to aid in fulfilling obligations regarding the Service under this Agreement or DPA, including third parties or Affiliates of ClientManager, but excluding its employees, contractors, or consultants.
UK Addendum refers to the International Data Transfer Addendum (version B1.0) from the Information Commissioner's Office under S.119(A) of the UK Data Protection Act 2018, subject to updates or amendments.
The terms personal data, controller, data subject, processor, and processing are as defined under applicable Data Protection Laws or, if not defined therein, by the GDPR. The terms process, processes, and processed in relation to Customer Data are to be understood correspondingly.
Roles and Responsibilities
2.1 Parties' Roles: If European Data Protection Laws or the LGPD are applicable to either party's processing of Customer Data, it is recognized and agreed that in relation to the processing of Customer Data, ClientManager acts as a processor on behalf of the Customer (who may be a controller or processor themselves). It should be noted that this DPA does not cover situations where ClientManager serves as a controller (as defined by European Data Protection Laws), except as specified in Annex C (Jurisdiction-Specific Terms) of this DPA.
2.2 Purpose Limitation: ClientManager will process Customer Data, as detailed in Annex A (Details of Data Processing) of this DPA, solely based on Customer’s lawful documented instructions as outlined in this DPA, as needed to comply with applicable laws, or as otherwise mutually agreed in writing ("Permitted Purposes"). The Agreement, including this DPA, and the Customer’s use or adjustment of any settings or features in the Service are considered the Customer’s comprehensive and final instructions to ClientManager for processing Customer Data (including for SCCs purposes). Any processing beyond these instructions will require a prior written agreement between the parties.
2.3 Prohibited Data: The Customer shall not supply (or cause to be supplied) any Sensitive Data to ClientManager for processing under the Agreement, and ClientManager bears no responsibility for Sensitive Data, whether related to a Security Incident or otherwise. To clarify, this DPA does not encompass Sensitive Data.
2.4 Customer Compliance: The Customer asserts and guarantees that (i) it has adhered to, and will continue to adhere to, all applicable laws, including Data Protection Laws, regarding its processing of Customer Data and any processing instructions given to ClientManager; and (ii) it has provided, and will continue to provide, all necessary notices and obtained, and will continue to obtain, all required consents and rights under Data Protection Laws for ClientManager to process Customer Data for the purposes described in the Agreement. The Customer is solely responsible for the accuracy, quality, and legality of Customer Data and the methods of obtaining Customer Data. The Customer agrees to be responsible for adhering to all laws (including Data Protection Laws) relevant to any Campaigns (as defined in the Agreement) or content created, sent, or managed through the Service, including laws pertaining to obtaining consents (where necessary) for emails, the content of emails, and email deployment practices.
2.5 Lawfulness of Customer’s Instructions: The Customer will ensure that ClientManager’s processing of Customer Data per the Customer's instructions will not lead ClientManager to breach any applicable laws, regulations, or rules, including Data Protection Laws. ClientManager will promptly inform the Customer in writing, unless prohibited under European Data Protection Laws, if it becomes aware or suspects that a data processing instruction from the Customer violates European Data Protection Laws. If the Customer acts as a processor for a third-party controller (or an intermediary to the ultimate controller), the Customer warrants that its instructions as laid out in the Agreement and this DPA, including its authorizations to ClientManager for appointing Sub-processors per this DPA, have been authorized by the relevant controller. The Customer shall be the sole point of contact for ClientManager, which need not interact directly with any third-party controller, except through regular provision of the Service as required under the Agreement. The Customer is responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
3.1 Authorized Sub-processors: The Customer agrees that ClientManager may engage Sub-processors to process Customer Data on the Customer’s behalf. The Sub-processors currently engaged by ClientManager and authorized by the Customer are:
Amazon Web Services, used for Hosting & Infrastructure, located in United States, Ireland and United Kingdom.
OpenAI, used for AI, located in United States.
Google, used for Analytics & User Behaviour, located in United States.
Paddle, used for payment processing and subscriptions, located in United Kingdom.
3.2 Sub-processor Obligations: ClientManager shall: (i) enter into an agreement with each Sub-processor that includes data protection terms offering at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the Sub-processor’s services; and (ii) remain liable for the Sub-processor’s adherence to the obligations of this DPA and for any actions or inactions of the Sub-processor that cause ClientManager to breach any of its obligations under this DPA. The Customer acknowledges and agrees that ClientManager meets its obligations under Clause 9 of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) by adhering to this Section 3. ClientManager may be restricted from revealing Sub-processor agreements due to confidentiality concerns but will, upon request, endeavor to provide the Customer with all pertinent information it can regarding Sub-processor agreements.
4.1 Security Measures: ClientManager will implement and maintain appropriate technical and organizational security measures aimed at protecting Customer Data from Security Incidents and ensuring the confidentiality and security of Customer Data, consistent with ClientManager’s security standards outlined in Annex B (“Security Measures”) of this DPA.
4.2 Confidentiality of Processing: ClientManager will ensure that any authorized person processing Customer Data (including its staff, agents, and subcontractors) is bound by a suitable confidentiality obligation (be it contractual or statutory).
4.3 Updates to Security Measures: The Customer is responsible for reviewing information provided by ClientManager related to data security and independently determining whether the Service meets the Customer’s requirements and legal obligations under Data Protection Laws. The Customer acknowledges that Security Measures may evolve due to technological advancement and development, and ClientManager may update or modify the Security Measures, provided such changes do not reduce the overall security of the Service provided to the Customer.
4.4 Security Incident Response: Upon becoming aware of a Security Incident, ClientManager shall: (i) inform the Customer without undue delay, ideally within 48 hours of becoming aware; (ii) provide timely information about the Security Incident as it becomes known or as requested by the Customer; and (iii) quickly take reasonable steps to contain and investigate any Security Incident. Notification or response by ClientManager to a Security Incident does not constitute an admission by ClientManager of any fault or liability regarding the Security Incident.
4.5 Customer Responsibilities: The Customer acknowledges that, aside from the stipulations in this DPA, it is responsible for securely using the Service, including securing account authentication credentials, ensuring the security of Customer Data during transit to and from the Service, and taking necessary steps to securely encrypt or backup any Customer Data uploaded to the Service.
5.1 Data Center Locations: Subject to Section 5.2, the Customer acknowledges that ClientManager may transfer and process Customer Data to and in the United States and any other global locations where ClientManager, its Affiliates, or Sub-processors operate data processing facilities. ClientManager will always ensure such transfers comply with the requirements of Data Protection Laws and this DPA.
5.2 Australian Data: When ClientManager receives Customer Data protected by the Australian Privacy Law, both parties recognize and agree that ClientManager may transfer this Customer Data outside of Australia as per the terms agreed by the parties, subject to ClientManager’s compliance with this DPA and the Australian Privacy Law.
5.3 EEA Data Transfers: If ClientManager receives Customer Data protected by GDPR in a country outside the EEA that is not recognized as offering adequate data protection (as per European Data Protection Laws), the parties agree to process such Customer Data in accordance with the Standard Contractual Clauses (SCCs), which are integrated into and form a vital part of this DPA.
5.4 UK Data Transfers: For transfers subject to UK Data Protection Laws, the SCCs shall apply and are deemed modified as outlined in the UK Addendum. The UK Addendum is considered executed by the parties and an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed with information from Annexes I and II of the relevant SCCs; and Table 4 in Part 1 of the UK Addendum shall be completed by selecting "neither party".
5.5 Swiss Data Transfers: For transfers subject to the Swiss DPA, the SCCs apply as per Section 6.3, with these modifications: (i) "Regulation (EU) 2016/679" references shall mean the Swiss DPA; (ii) specific Articles of "Regulation (EU) 2016/679" shall be replaced with equivalent articles or sections of the Swiss DPA; (iii) "EU", "Union", and "Member State law" shall be replaced with "Switzerland"; (iv) Clause 13(a) and Part C of Annex II shall be removed; (v) "competent supervisory authority" and "competent courts" shall be replaced with "the Swiss Federal Data Protection and Information Commissioner" and "relevant courts in Switzerland"; (vi) Clause 17 will state "The Clauses are governed by the laws of Switzerland"; and (vii) Clause 18 will state "Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland".
5.6 Compliance with the SCCs: The parties agree that if ClientManager cannot ensure compliance with the SCCs, it must promptly inform the Customer. If the Customer plans to suspend European Data transfer or terminate the affected parts of the Service, it must first notify ClientManager and provide a reasonable period for ClientManager to rectify the non-compliance. The Customer may suspend data transfer or terminate the affected parts of the Service for non-compliance with the SCCs only if ClientManager has not or cannot remedy the non-compliance within a reasonable timeframe.
5.7 Alternative Transfer Mechanism: If ClientManager adopts an alternative lawful data transfer mechanism for transferring European Data not described in this DPA (“Alternative Transfer Mechanism”), it will apply instead of the mechanisms in this DPA, but only if the Alternative Transfer Mechanism complies with applicable European Data Protection Laws and covers the countries to which European Data is transferred. Furthermore, if a competent court or supervisory authority rules that the measures in this DPA cannot lawfully transfer European Data, ClientManager may implement any additional measures or safeguards necessary for the lawful transfer of European Data.
Return or Deletion of Data
6. Deletion or Return on Termination: Upon termination or expiration of the Agreement, ClientManager shall, at the Customer's choice, delete or return all Customer Data (including copies) in its possession or control. However, this requirement does not apply if ClientManager is legally required to retain some or all of the Customer Data, or to data archived on backup systems, which ClientManager shall securely isolate, protect from further processing, and eventually delete in line with ClientManager’s deletion policies, except as required by law. The parties agree that the certification of deletion of Customer Data as described in Clause 7.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by ClientManager to the Customer only upon the Customer’s written request.
Data Subject Rights and Cooperation
7.1 Data Subject Requests: As part of the Service, ClientManager offers the option for a Customer to retrieve, correct, delete, or restrict the use of Customer Data. These features can assist the Customer in fulfilling its obligations (or those of its third-party controller) under Data Protection Laws in responding to data subject requests at no extra cost. Furthermore, considering the nature of processing, ClientManager shall provide reasonable assistance to the Customer (or its third-party controller) to comply with data protection obligations concerning data subject rights under Data Protection Laws. If any such request is made directly to ClientManager, it will not respond to such communication directly, except as appropriate (e.g., to direct the data subject to contact the Customer) or legally required, without prior authorization from the Customer. Should ClientManager be required to respond to such a request, it shall promptly notify the Customer and provide a copy of the request, provided the Customer is identified or identifiable from the request and unless legally prohibited. For clarity, nothing in the Agreement (including this DPA) shall restrict or prevent ClientManager from responding to any data subject or data protection authority requests concerning personal data for which ClientManager is a controller.
7.2 Data Protection Impact Assessment: As required under Data Protection Laws, ClientManager shall provide all reasonably requested information regarding the Service to enable the Customer to conduct data protection impact assessments or consultations with data protection authorities. Compliance with this requirement includes (i) adhering to Section 5 (Security Reports and Audits); (ii) providing information contained in the Agreement, including this DPA; and (iii) if subsections (i) and (ii) are insufficient, offering additional reasonable assistance upon request (at the Customer’s expense).
8. If ClientManager processes Customer Data originating from jurisdictions covered by Data Protection Laws and listed in Annex C, the terms specified in Annex C for the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to this DPA. In case of any conflict or ambiguity between the Jurisdiction-Specific Terms and other terms of this DPA, the applicable Jurisdiction-Specific Terms will prevail, but only to the extent of their applicability.
Limitation of Liability
9.1 Aggregate Liability: Each party’s and all its Affiliates' liability combined arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
9.2 Claims Against ClientManager: Any claims made against ClientManager or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.
9.3 Liability for Data Protection Rights: Under no circumstances shall any party limit its liability regarding any individual’s data protection rights under this DPA or otherwise.
Relationship with the Agreement
10.1 Duration of DPA: This DPA remains effective as long as ClientManager carries out Customer Data processing operations on behalf of the Customer or until the termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 6 above).
10.2 Replacement of Previous Agreements: This DPA supersedes any existing data processing agreement or similar document previously entered into by the parties concerning the Service.
10.4 Effect on the Agreement: Except for changes made by this DPA, the Agreement remains unchanged and in full force and effect.
10.5 Enforcement Rights: No one other than a party to this DPA, its successors, and permitted assignees shall have any right to enforce any of its terms.
10.6 Governing Law: This DPA shall be governed and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by applicable Data Protection Laws.
Annex A – Details of Data Processing
(a) Categories of data subjects:
The categories of data subjects whose personal data is processed include (i) Members (i.e., individual end users with access to a ClientManager account) and (ii) Contacts (i.e., Member’s subscribers and other individuals about whom a Member has given us information or has otherwise interacted with a Member via the Service).
(b) Categories of personal data:
Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
Members: Identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility).
Contacts: Identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).
(c) Sensitive data processed (if applicable):
ClientManager does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service.
(d) Frequency of processing:
Continuous and as determined by Customer.
(e) Subject matter and nature of the processing:
ClientManager provides a support service which includes sending emails, using automation, artificial intelligence, digital communication or other related services, as more particularly described in the Agreement. The subject matter of the data processing under this DPA is the Customer Data. Customer Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
Storage and other processing necessary to provide, maintain and improve the Service provided to Customer pursuant to the Agreement; and/or Disclosures in accordance with the Agreement and/or as compelled by applicable law.
(f) Purpose of the processing:
ClientManager shall only process Customer Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
(g) Duration of processing and period for which personal data will be retained:
ClientManager will process Customer Data as outlined in Section 6 (Return or Deletion of Data) of this DPA.
Annex B – Security Measures
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 4.3 of this DPA).
Annex C - Jurisdiction-Specific Terms
Objection to Sub-processors. Customer may object in writing to ClientManager’s appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 3.1 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, ClientManager will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
Government data access requests. As a general practice, ClientManager does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about ClientManager accounts (including Customer Data). If ClientManager receives a compulsory request (e.g., subpoena, court order) from a government agency for access to a ClientManager account (including Customer Data) where the Customer is located in Europe, ClientManager shall: (i) review the legality of the request; (ii) inform the agency that ClientManager is a processor of the data; (iii) attempt to redirect the agency to request the data directly from Customer; (iv) notify Customer of the request; and (v) provide the minimum amount of information permissible in response to the agency based on a reasonable interpretation of the request. ClientManager may provide Customer’s contact information to the agency. ClientManager is not required to comply with this if legally prohibited or if urgent access is necessary to prevent imminent harm, but where legally prohibited from notifying Customer, ClientManager will attempt to obtain a waiver of the prohibition.
Except as otherwise described, definitions such as “controller,” “processor,” “data subject,” and “personal data” include their respective equivalents under the CCPA.
For this section, “Permitted Purposes” include processing Customer Data as described in this DPA, in compliance with Customer’s lawful instructions, or as permitted or required by law.
ClientManager’s obligations regarding data subject requests extend to CCPA rights requests.
ClientManager will process Customer Data to perform the Service, for the Permitted Purposes, or as required by law.
ClientManager may de-identify or aggregate Customer Data as part of performing the Service.
ClientManager ensures Sub-processors processing Personal Information of Customer contacts are CCPA-compliant Service Providers or exempt from the definition of “sale” under the CCPA.
ClientManager ensures its Sub-processors are third parties under PIPEDA, with whom ClientManager has entered into a contract including terms similar to this DPA.
ClientManager will implement measures as set forth in Section 4 (Security) of the DPA.
If you have any questions about this DPA, you can contact us by email: privacy@clientmanager.io