Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
8. Data Transfers
Transfers Mechanism. To the extent that the Processing of Personal Data involves the transmission of such Personal Data to a country or territory outside the country from which such Personal Data was provided to the Party receiving the data (the "data importer"), the Parties will comply with any requirements under Data Protection Laws regarding such transfers. To the extent required by Data Protection Laws, the data importer shall ensure that a lawful data transfer mechanism is in place prior to engaging in any onward transfers of Personal Data from one country to another.
9. Limitation of Liability
Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s entire liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements or security addendum signed by the parties ("Ancillary Agreement") in connection with the Agreement (if any), whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations on liability section in the Agreement, and any reference in such section to the liability of a party means the total aggregate liability of that party under the Agreement, this DPA and any Ancillary Agreement (if any) together.
Controller/Exporter (Customer) to Processor/Importer (Klarifi)
Name: The Customer identified in the Agreement or Order Form.
Address: As set forth in the Agreement or Order Form.
Contact person’s name, position and contact details: As set forth in the Agreement and Order Form, or as otherwise agreed to by the parties.
Activities relevant to the data transferred under these Clauses: Processing in connection with the receipt of the Services provided by the data importer in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller.
Data importer:
Name: Klarifi ApS
Address: Rådhuspladsen 16, 1550 Copenhagen V, Denmark
Contact person’s name, position, and contact details: Legal Department; privacy@klarifi.io or such other person designated by Klarifi.
Activities relevant to the data transferred under these Clauses: Processing in connection with providing, maintaining and improving the Services in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Processor.
Categories of data subjects whose personal data is transferred: Data subjects may include data exporter’s employees (or other end-users of the Services), prospects, customers, business partners and vendors.
Categories of personal data transferred: Customer Personal Data which may include, but is not limited to the following categories:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuously for the duration of the Agreement.
Nature of the processing: Data importer Processes Customer Personal Data to provide the Services pursuant to the Agreement, which includes, without limitation, receiving, storing, analyzing, and deleting Customer Personal Data.
Purpose(s) of the data transfer and further processing: Data importer’s provision of Services to the data exporter pursuant to the Agreement between data exporter and data importer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above.
Controller/Exporter (Customer) to Controller/Importer (Klarifi)
Name: The Customer identified in the Agreement or Order Form.
Address: As set forth in the Agreement or Order Form.
Contact person’s name, position and contact details: As set forth in the Agreement and Order Form, or as otherwise agreed to by the parties.
Activities relevant to the data transferred under these Clauses: Processing in connection with the receipt of the Services provided by the data importer in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller.
Data importer:
Name: Klarifi ApS
Address: Rådhuspladsen 16, 1550 Copenhagen V, Denmark
Contact person’s name, position, and contact details: Legal Department; privacy@klarifi.io or such other person designated by Klarifi.
Activities relevant to the data transferred under these Clauses: Processing in connection with providing, maintaining and improving the Services in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller.
Categories of data subjects whose personal data is transferred: Data subjects may include data exporter’s employees (or other end-users of the Services), prospects, customers, business partners and vendors.
Categories of personal data transferred: Customer Personal Data which may include, but is not limited to the following categories:
In each case where and to the extent such Personal Data is included in the Account Information, Service Metadata or Submitted Data Processed by data importer in its role as a data controller.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuously for the duration of the Agreement.
Nature of the processing: Data importer Processes Personal Data as further set forth under the Agreement and in data importer’s privacy policy, including Processing to verify, enrich and grow Output Data and the Contributor Database, which includes, without limitation, receiving, storing, analyzing, and deleting Personal Data.
Purpose(s) of the data transfer and further processing: Such purposes as further set forth under the Agreement and in data importer’s privacy policy, including Processing by data importer to verify, enrich and grow Output Data and the Contributor Database.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Where data importer is a Controller: As further set forth under the data importer’s privacy policy.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above.
Controller/Exporter (Klarifi) to Controller/Importer (Customer)
Name: Klarifi ApS
Address: Rådhuspladsen 16, 1550 Copenhagen V, Denmark
Contact person’s name, position and contact details: Legal Department; privacy@klarifi.io or such other person designated by Klarifi.
Activities relevant to the data transferred under these Clauses: Providing the Services (including Output Data) to the data importer in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller.
Data importer:
Name: The Customer identified in the Agreement.
Address: As set forth in the Agreement.
Contact person’s name, position, and contact details: As set forth in the Agreement and Order Form or otherwise agreed to by the parties.
Activities relevant to the data transferred under these Clauses: Receiving the Services (including Output Data) provided by the data exporter in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller.
Categories of data subjects whose personal data is transferred: Data subjects include individuals whose data has been contributed to the Contributor Database.
Categories of personal data transferred: Output Data which includes (without limitation) the following categories of Personal Data:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuously for the duration of the Agreement.
Nature of the processing: For the data importer’s use subject to the terms and license restrictions of the Agreement.
Purpose(s) of the data transfer and further processing: Data importer’s receipt of Services (including Output Data) provided by data exporter under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain the Output Data in accordance with the Agreement.
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing: Same as above.
Data importer will implement and maintain the Technical and Organisational Measures described in Annex II. Notwithstanding any provision to the contrary otherwise agreed to by Data exporter, Data importer may modify or update these Technical and Organisational Measures at its discretion provided that such modifications and updates do not result in the degradation of the overall security of the Services. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
Outsourced processing: Klarifi hosts its Service with outsourced data center providers. Additionally, Klarifi maintains contractual relationships with vendors in order to provide the Service. Klarifi relies on contractual agreements, privacy policies, and vendor compliance programs in order to assure the protection of data processed or stored by these vendors.
Physical and environmental security: Klarifi hosts its product infrastructure with multi-tenant, outsourced data center providers. The physical and environmental security controls are audited for SOC 2 Type I compliance.
Authentication: Klarifi implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Klarifi’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Auth0 authorization.
Klarifi implements industry-standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.
Static code analysis: Security reviews of code stored in Klarifi’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Product access: A subset of Klarifi’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, and detect and respond to security incidents. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
In-transit: Klarifi makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Klarifi products. Klarifi’s HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: Klarifi stores user passwords in accordance with policies that follow at least industry-standard practices for security.
Detection: Klarifi designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Klarifi personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Klarifi maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Klarifi will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Klarifi becomes aware of unlawful access to Customer data stored within its products, Klarifi will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Klarifi is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Klarifi deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Klarifi selects, which may include via email or telephone.
The Klarifi Product provides a solution for Customers to conduct their marketing and sales activities. Customers control the data types collected by and stored within their portals. Klarifi never sells personal data to any third party.
Terminating Customers: Customer Data in active (i.e., primary) databases are purged upon a customer’s written request, or for our web-based application available at https://www.klarifi.io, 90 days after a customer terminates all agreements for such products with Klarifi. Marketing information stored in backups, replicas, and snapshots is not automatically purged but instead ages out of the system as part of the data lifecycle. Klarifi reserves the right to alter the data purging period in order to address technical, compliance, or statutory requirements.
Infrastructure availability: The data center providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple data centers and availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry-standard methods.
Klarifi’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal of preventing single points of failure. This design assists Klarifi operations in maintaining and updating the product applications and backend while limiting downtime.
Klarifi’s collection of personal data from its Customers is to provide and improve our products. Klarifi does not use that data for other purposes that would require separate processing.