1 Ometria does not claim ownership in the Client Data.
2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and Ometria is the Data Processor. Appendix I describes the scope, nature and purpose of the processing by Ometria, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation as Personal Data) and categories of Data Subject.
3 The Client will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the Personal Data to Ometria.
4 Ometria shall, in relation to any Personal Data processed in connection with the performance by Ometria of its obligations under this Agreement, process that Personal Data only as documented in this Agreement or on the documented instructions of the Client unless Ometria is required by Applicable Laws to process Personal Data.
5 For the purposes of this clause 5, the following is deemed an instruction by the Customer to process Personal Data:
5.1 Processing in accordance with this Agreement and applicable Order Form(s);
5.2 Processing initiated by the Client or Users in using the Ometria Services; and
5.3 Processing to comply with documented instructions provided by the Client in accordance with clause 6.
5.4 The Client shall communicate Processing instructions via Ometria’s Data Email Address.
6 To the extent that Ometria cannot comply with the Client’s instructions without incurring material additional costs, Ometria shall:
6.1 immediately inform the Client, giving details of the problem; and
6.2 cease all processing of the affected data (other than securely storing those data) until revised instructions are received.
7 Any changes to the pricing structure or commercial relationship between the parties by virtue of a change in written instructions as envisaged by clause 5.3 shall be negotiated in good faith between the parties.
8 Where Ometria is relying on Applicable Laws as the basis for processing Personal Data, Ometria shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Ometria from so notifying the Client.
9 Where Ometria reasonably considers that an instruction of the Client infringes Data Protection Legislation or other Union or Member State data protection provisions, it shall immediately inform the Client of its opinion and cease processing the Personal Data based on that instruction (other than securely storing those data). Ometria shall not be obliged to seek legal advice in opining on the Client’s instruction, but where it does, Ometria shall act reasonably and the Client shall meet the costs of such advice on an indemnity basis, provided such legal costs are reasonably and properly incurred.
10 Ometria shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encryption of Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
11 Ometria shall ensure that its personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
12 Ometria shall assist the Client in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. Ometria may charge the Client for its assistance under this clause 12, which shall be calculated in accordance with Ometria’s standard daily fees as amended from time to time.
13 Ometria shall notify the Client without undue delay on becoming aware of a Personal Data breach.
13.1 Ometria shall make such notice by phone call, in-person meeting, an announcement on the Ometria Service platform or by email detailing, where known, the type of breach, the extent of the breach and any measures Ometria has taken to mitigate the breach.
13.2 Any notice under this clause 13 by Ometria or a response to a Personal Data breach shall not be construed as an admission of fault or liability by Ometria.
14 At the written direction of the Client, Ometria shall delete or return Personal Data and copies thereof to the Client on termination of the agreement as soon as reasonably practicable and within a maximum period of 180 days, unless required by Applicable Law or as Ometria may deem necessary to prosecute or defend any legal claim (in which case Ometria may retain Client Data for a reasonable period of time pending resolution of such obligation or issue).
15 Ometria shall maintain all necessary information to demonstrate its compliance with Article 28 of the GDPR and, at the cost of the Client, make such information available to the Client.
16 Ometria shall allow for annual audits by the Client or the Client’s designated auditor, the scope of which shall be limited to off-site checks of Ometria’s policies and procedures and an on-site review of the procedures in practice by conducting interviews of Ometria’s staff that work on processing the Personal Data transferred by the Client and processed by Ometria. Ometria may charge the Client for its assistance under this clause 9.11, which shall be calculated in accordance with Ometria’s standard daily fees as amended from time to time.
17 The Client must send any requests to conduct audits to the Data Email Address.
18 Ometria and the Client shall agree in advance:
18.1 dates and times of the audit; and
18.2 personnel conducting the audit.
19 If in the opinion of Ometria, it reasonably considers the auditor not to be suitably qualified, independent or acting for a competitor of Ometria or manifestly unsuitable, the Client shall appoint a different auditor or undertake the audit itself.
20 No audit shall commence without the Client first entering into a non-disclosure agreement with Ometria, on Ometria’s terms, which shall, if applicable, contain direct covenants to be entered into by the Client’s designated auditor.
21 By entering into this Agreement, the Client instructs Ometria to transfer Personal Data to its current third party sub-processors, including third parties providing hosting, infrastructure, maintenance and other services to Ometria as required in order to provide the Ometria Service (whether within or outside the EEA) as described in Appendix II. Before adding or replacing sub-processors to its portfolio of sub-processors, Ometria shall give the Client at least twenty-one (21) days’ notice in advance of any intended change (Change Date).
21.1 If the Client objects to the intended addition or replacement of a sub-processor, the Client shall notify Ometria at least fourteen (14) days before the Change Date. Ometria shall not implement the change and shall cease all Processing of the Client’s data (other than securely storing those data) from the Change Date.
21.2 Provided that at least fourteen (14) days’ notice has been given by the Client as required by clause 21.1, the Client may terminate this Agreement.
22 When engaging sub-processors to process Personal Data, Ometria shall not enter into contracts that do not impose data protection obligations set out in Article 28(3) of the GDPR on such sub-processors, as those imposed on Ometria under this data protection addendum.
23 If the sub-processor is based outside the EEA any such contract may, where applicable, include Standard Contractual Clauses (SCCs) (for which until processor-to-processor SCCs are issued by the EU Commission, the Client appoints Ometria as agent to enter into SCCs on its behalf) or another legally recognised transfer method.
24 Ometria shall remain liable for all obligations subcontracted to, and all acts and omissions, of the sub-processor.
25 Ometria shall use reasonable efforts to permit the Client to download any Personal Data from the Ometria Service for a period of fifteen (15) days after the expiry or termination (howsoever caused) of the Agreement.
26 If written notice has not been received under clause 14 or fifteen (15) days have passed as envisaged by clause 25, the Client agrees that Ometria may delete any Client Data at any time on or after the effective date of termination or expiry of the Agreement without liability to the Client.
26 The Client shall provide Ometria with such information as it requires for it to comply with Article 30 of the GDPR and shall make such information available to the supervisory authorities.
27 The Client warrants to Ometria that it will collect and Process the Personal Data in compliance with all applicable Data Protection Laws and any enactments, orders, standards and other similar instruments, and that it has obtained all necessary permissions from the Data Subjects to whom the Personal Data relates to allow Ometria to lawfully store, transfer and Process the Personal Data in the course of providing the Ometria Service. Ometria will not assess whether the Client has lawful grounds to process Personal Data using the Ometria Service.
28 The Client agrees to indemnify and keep indemnified and defend at its own expense Ometria against all costs, claims, damages and expenses incurred by Ometria or for which Ometria may become liable due to any failure by the Client or the Users to comply with clause 27.
29 The Client acknowledges that Ometria is reliant on the Client for direction as to the extent to which Ometria is entitled to use and Process the Personal Data. Consequently, Ometria will not be liable for any claim brought by a Data Subject arising from any action or omission by Ometria to the extent that such act or omission resulted from the Client’s instructions or Client’s use of the Ometria Service.
30 If the transitional period under the Withdrawal Agreement expires before the European Commission has adopted an adequacy decision for the UK then:
The parties hereby enter into SCCs and agree, where no other appropriate safeguard or exemption applies, that the personal data subject to this agreement (and to which Chapter V of the GDPR applies) will be transferred in accordance with the SCCs exclusive of any optional clauses as of that date. The parties agree to use best endeavours to complete the annexes to the SCCs promptly and in any event within seven (7) days for the purpose of giving full effect to the clauses. If there is any conflict between this agreement and the SCCs the terms of the SCCs shall apply.
31 For the purposes of this part of this Data Protection Addendum
31.1 the terms “Personal Data”, “Data Processor”, “Data Controller”, “Data Subject”, “Processing” and “Process” shall have the same meaning as set out in the GDPR;
31.2 “Applicable Laws” means the GDPR or Data Protection Act 2018 or the data privacy laws of any member of the European Union, as amended, to which Ometria is subject;
31.3 “Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended;
31.4 “Standard Contractual Clauses” and “SCCs” means the standard contractual clauses in the EU Commission’s decision 2010/87/EC or updated clauses issued by the EU Commission/Parliament before 31 December 2020; and
31.5 “Withdrawal Agreement” means an agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (2019/C 384 I/01).
1 Where the Client’s goods or services are being offered to customers in the United States clauses 2 to 6 of this part of this Data Protection Addendum shall apply to the processing of Personal Information of such customers (the “Customer Information”).
2 Ometria will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the Customer Information. Those safeguards will include, but will not be limited to, measures designed to prevent unauthorised access to or disclosure of Customer Information (other than by the Client or Users).
3 The parties acknowledge that for the purposes of the CCPA:
3.1 the Client does not sell Personal Information to Ometria in connection with the Agreement.
3.2 Ometria is a service provider. As such Ometria shall not:
3.2.1 retain the Customer Information for any purpose other than for the specific purpose of performing the services offered by Ometria to the Client;
3.2.2 use the Customer Information for any purpose other than for the specific purpose of performing the services offered by Ometria to the Client;
3.2.3 disclose the Customer Information for any purpose other than for the specific purpose of performing the services offered by Ometria to the Client, save that Ometria may disclose Customer Information to a civil, criminal, or regulatory inquiry or investigation; or arising from any subpoena, or summons by federal, state, or local authorities.
4 Ometria shall take reasonable efforts to implement measures within the Ometria Service to allow the Client to meet its obligations under the CCPA and other applicable United States laws and regulations to correct, delete or block Customer Information through the Ometria Service or where this is not possible Ometria shall correct, delete or block such data according to the written instructions provided by the Client.
5 If Ometria is unable to cooperate or Ometria is unable to comply with applicable United States laws and regulations relating to the processing of Customer Information, the Client shall have the right to terminate this Agreement immediately upon written notice to Ometria.
6 Subject to clause 15 of Ometria’s Terms of Service, Ometria shall indemnify and defend the Client from and against any and all losses, damages, claims, liabilities or expenses (including reasonable lawyer’s fees) arising out of a claim brought by a third party relating to Ometria’s breach of any of its obligations contained in this part of Ometria’s Data Protection Addendum.
Subject matter
Ometria’s provision of the Ometria Service to the Client.
Duration of the processing
The Term plus the period of expiry from the Term until deletion of all Personal Data by Ometria in accordance with the Terms of Service.
Nature and purpose of the processing
Ometria will Process Personal Data for the purpose of providing the Ometria Services to the Client in accordance with the Terms of Service.
Type of personal data
The Client may submit Personal Data (as part of the Client’s Data) using the Code, the extent of which is determined and controlled by the Customer in its sole discretion, which may include, but is not limited to:
Categories of Data Subject
The Client may submit Personal Data (as part of the Client’s Data) using the Code, the extent of which is determined and controlled by the Customer in its sole discretion, which may include:
Subprocessors
Sub-processor | Service | Governing Document | Principal location of processing |
Aiven Ltd (Finland) | Database hosting | GDPR Data Processing Agreement | EEA |
Amazon Web Services Inc* | Server hosting and other associated services within the Amazon portfolio of products | AWS GDPR Addendum | EU Data Centres |
Google Commerce Limited (Ireland) | Google cloud services including cloud sub/pub | Data Processing and Security Terms v 2.0 | EU Data Centres |
Kickbox Inc* | Email verification | Privacy and Information Security Addendum | USA Data Centres |
Message Systems Inc t/a Sparkpost* | Email delivery | Elite Edition SaaS Agreement | EU Data Centres |
Scalyr Inc* | Logging, monitoring and debugging | GDPR Addendum | USA Data Centres |
Functional Software Inc t/a Sentry* | Error monitoring and debugging | GDPR Addendum | USA Data Centres |
Snowflake Inc* | Data warehousing storing user and Ometria’s users activity logs | Data processing Addendum | USA Data Centres |
* Standard Contractual Clauses