US DATA PROTECTION AGREEMENT

This US Data Protection Agreement (the “DPA”) is incorporated into the agreement under which OneSignal, Inc. (“Service Provider”) has agreed to provide software messaging services to the customer (“Customer”). This US Data Protection Agreement amends the existing commercial agreement between Service Provider and Customer (the “Agreement”) regarding the services provided by Service Provider to Customer (the “Services”). OneSignal may reasonably revise and update this DPA from time to time as required by Applicable Law (as defined below). All changes are effective within 30 days after being posted online and will apply to all access to and use of the Services thereafter. The parties agree as follows:

1. Definitions.

“Customer Personal Data” means the personal information or personal data provided or made available or accessible by Customer to Service Provider in connection with the Agreement.

“Data Protection Laws” means all applicable data privacy and security laws, including, as applicable, (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”); (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; and (e) when effective, the Utah Consumer Privacy Act; with respect to each of the foregoing, collectively with all amendments and implementing rules and regulations.

The terms “business”, “business purpose”, “commercial purpose”, “consumer”, “controller”, “personal data”, “personal information”, “process”, “processing”, “processor”, “sell”, “service provider”, and “share” as used in this DPA have the meanings given under Data Protection Laws.

2. Processing.
2.1. Responsibilities. The parties acknowledge and agree that:

2.1.1. Service Provider is a service provider and processor of Customer Personal Data under Data Protection Laws;

2.1.2. Customer is a business and controller of Customer Personal Data under Data Protection Laws;

2.1.3. Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Customer Personal Data; and

2.1.4. Schedule 1 describes the following: the nature and purpose of processing, the type of personal information that is subject to processing, the type of consumer whose personal information is being processed, and the duration of processing.

2.2. Consent; Notice. Customer is responsible for the means by which it and its customers obtained the Customer Personal Data. Customer will ensure that it and its customers have obtained all consents and lawful rights and have provided all notices and disclosures, in each case as required by Data Protection Laws, as necessary for Service Provider and its sub-processors to process Customer Personal Data in accordance with this DPA. Customer is responsible for ensuring that its customers who provide Customer Personal Data hereunder comply with this DPA and Data Protection Laws. Customer will not (and will cause its customers not to) disclose or transfer to Service Provider any sensitive data or sensitive personal information.

2.3. Instructions. By entering into this DPA, Customer instructs Service Provider to process Customer Personal Data in accordance with the following, and Service Provider will comply to the extent not prohibited under Data Protection Laws: (a) to provide the Services; (b) as set forth in the Agreement and this DPA, including as specifically set forth on Schedule 1; (c) as set forth in any other written instructions given by Customer; and (d) to process Customer Personal Data as permitted under Data Protection Laws for service providers and processors. Customer will ensure that its instructions for the processing of Customer Personal Data comply with Data Protection Laws.

2.4. Confidentiality. Service Provider will ensure that all persons authorized to process Customer Personal Data are subject to a duty of confidentiality with respect to the Customer Personal Data.

2.5. Data Deletion. Customer instructs Service Provider to delete all Customer Personal Data from Service Provider’s systems upon termination of the Agreement, except to the extent retention of Customer Personal Data is required by applicable law.

2.6. Demonstration of Compliance. Upon Customer’s reasonable request, Service Provider will make available to Customer all information in its possession necessary to demonstrate Service Provider’s compliance with its obligations under Data Protection Laws.

2.7. Security; Data Incidents.
2.7.1. Service Provider will implement and maintain reasonable and appropriate administrative, technical, physical, and organizational measures on systems managed by or otherwise controlled by Service Provider, to protect against unauthorized or illegal access to or acquisition of Customer Personal Data, and accidental loss, destruction or damage to Customer Personal Data, and to protect the confidentiality, integrity, and accessibility of Customer Personal Data.

2.7.2. Taking into account the nature of processing and the information available to Service Provider, Service Provider will reasonably assist Customer in meeting its obligations in relation to the security of processing the Customer Personal Data and in relation to the notification of a Data Incident pursuant to Data Protection Laws. If Service Provider becomes aware of a Data Incident, Service Provider will notify Customer without unreasonable delay and take reasonable steps to minimize harm and secure Customer Personal Data. “Data Incident” means a breach of the security of the system (as defined under Data Protection Laws) of Service Provider, including a breach of security leading to the unauthorized access to or acquisition of (or reasonable belief of such unauthorized access to or acquisition of) Customer Personal Data on systems managed by or otherwise controlled by Service Provider, excluding unsuccessful attempts that do not compromise the security of Customer Personal Data such as unsuccessful pings, log-in attempts, and other network attacks on firewalls or networked systems. Service Provider’s notification of or response to a Data Incident will not be construed as an acknowledgement by Service Provider of any fault or liability with respect to the Data Incident. For the avoidance of doubt, Service Provider is not responsible or liable for any personal data breach or incident to the extent the breach or incident arose from the actions, omissions, personnel, users, service providers, or systems of Customer or its customers. Customer is responsible for complying with breach and incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.

2.8. Consumer Requests.
2.8.1. As between the parties, Customer is responsible for responding to consumer requests or informing Service Provider of consumer requests that Service Provider must comply with.

2.8.2. Service Provider will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Data Protection Laws to respond to consumer requests, taking into account the nature of processing and the information available to Service Provider.

2.9. Assessments; Audits. Service Provider will provide Customer with reasonably necessary information to enable Customer to conduct and document data protection assessments required by Data Protection Laws. Pursuant to Data Protection Laws, Service Provider will allow and cooperate with reasonable assessments, audits or inspections by Customer (or Customer’s designated third party, subject to execution of a confidentiality agreement with Service Provider), not to exceed once per year; provided, that Service Provider may, in the alternative, arrange for a qualified and independent assessor or auditor to conduct an assessment or audit of Service Provider’s policies and technical and organizational measures in support of the obligations under Data Protection Laws using an appropriate and accepted control standard or framework and assessment and audit procedure for such assessments and audits. If Service Provider arranges for such independent assessment or audit, Service Provider shall provide Customer a report of the assessment or audit upon Customer’s request.

2.10. Service providers/Sub-processors. If Service Provider engages any service provider/sub-processor to process Customer Personal Data on Service Provider’s behalf, Service Provider will enter into a written contract with such service provider that requires the service provider to meet the obligations of Service Provider under Data Protection Laws with respect to the Customer Personal Data. Service Provider’s current list of service providers/sub-processors is located on this web page: https://media.onesignal.com/cms/Files/Annex_III_Sub-processors.pdf. Service Provider will notify Customer if Service Provider engages any other service providers/sub-processors to assist it in processing Customer Personal Data on behalf of Customer. Updating the online page is deemed sufficient notice to Customer. Where required by Data Protection Laws, Service Provider will provide Customer an opportunity to reasonably object to the engagement of a new service provider/sub-processor. In such event, Customer must notify Service Provider of its reasonable objection no later than 10 days after notice is provided hereunder.

2.11. Deidentified Data. “Deidentified Data” is defined under Data Protection Laws and, under the CCPA, is data that is “deidentified” as defined under the CCPA, when disclosed by one party to the other party hereunder. Each party will comply with the requirements for processing Deidentified Data as set out in the Data Protection Laws, including taking reasonable measures to ensure the information cannot be associated with a consumer, publicly committing to processing the Deidentified Data solely in deidentified form and not attempting to reidentify the information, and contractually obligating any recipients of Deidentified Data to comply with such requirements and Data Protection Laws.

3. Additional CCPA Obligations. To the extent that CCPA applies to the processing of Customer Personal Data, Service Provider will act as Customer’s service provider, and as such, unless otherwise permitted for service providers under CCPA:

3.1. Service Provider will not sell or share any Customer Personal Data;

3.2. Service Provider will not retain, use or disclose Customer Personal Data for any purpose other than for the business purposes specified in the Agreement and this DPA or as permitted under the CCPA;

3.3. Service Provider will not retain, use or disclose Customer Personal Data for any commercial purpose other than the business purposes specified in the Agreement and this DPA or as permitted under the CCPA;

3.4. Service Provider will not retain, use or disclose Customer Personal Data outside of the direct business relationship between Service Provider and Customer, unless permitted by the CCPA;

3.5. Service Provider will not combine (or update) Customer Personal Data that Service Provider receives from, or on behalf of, Customer with (i) personal information that Service Provider receives from, or on behalf of, another person or persons or (ii) personal information collected from Service Provider’s own interaction with a consumer;

3.6. Service Provider will comply with applicable obligations under CCPA and will provide the same level of privacy protection as is required by CCPA;

3.7. Service Provider grants Customer the right to take reasonable and appropriate steps to ensure that Service Provider uses the Customer Personal Data in a manner consistent with Customer’s obligations under CCPA, including ongoing manual reviews and automated scans (subject to notification and mutual agreement of the parties with respect to the method) of Service Provider’s system and regular assessments, audits, or other technical and operating testing (not to exceed once per year);

3.8. Service Provider will promptly notify Customer if Service Provider makes a determination that it can no longer meet its obligations under the CCPA; and

3.9. Service Provider grants Customer the right, upon written notice, to take reasonable and appropriate steps to stop and remediate Service Provider’s use of Customer Personal Data.

4. Additional Customer Obligations. As required by Data Protection Laws, Customer agrees to comply with the following controller obligations:
4.1. Customer will limit the collection of Customer Personal Data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

4.2. Customer will not request Service Provider to process Customer Personal Data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such Customer Personal Data is processed, as disclosed to the consumer, unless Customer obtains the consumer’s consent.

4.3. Customer will establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Customer Personal Data. Such data security practices will be appropriate to the volume and nature of the personal data at issue.

4.4. Customer will not process Customer Personal Data in violation of Data Protection Laws that prohibit unlawful discrimination against consumers.

4.5. Customer will provide consumers with a reasonably accessible, clear and meaningful privacy notice with all disclosures required by Data Protection Laws and the means for consumers to submit requests and to opt out and opt in to certain data practices, as required by Data Protection Laws.

Schedule 1

a) Nature of the processing:

collecting, organizing, structuring, storing, altering, using, disclosing, combining, deleting and destroying

b) Purpose of the processing:

The purpose is for OneSignal to provide the Services to Customer, including, specifically, delivering push notifications, in-app messaging, email messaging, and SMS messaging to the Customer’s intended recipients; and supporting and communicating with Customer’s employees who use the Services.

c) Type of personal information that is subject to the processing:

The types and extent of personal data processed are determined and controlled by the Customer in its sole discretion; provided that no Sensitive Information will be shared with OneSignal. Personal data may include name, email, and IP address.

d) Type of consumer whose personal information is being processed:

Customer’s employees and contractors

Users of Customer’s website and/or mobile apps

e) Duration of processing:

The term of the Agreement until Customer Personal Data is deleted.