- In these Terms, the words 'processor', 'controller', 'data subject', 'personal data', 'processing' and 'supervisory authority' shall have the meanings set out in the GDPR (as defined below).
- “Company Personal Data” means any personal data contained within the data provided to or accessed by Fuze by or on behalf of Company or Company end users in connection with the Services.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “Fuze” means the contracting Fuze entity under the Agreement.
- “Personal Data Breach” means a breach of Fuze’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data in Fuze’s possession, custody or control. A personal data breach may, if not addressed in an appropriate and timely manner, result in damages that include, without limitation, physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. “Personal Data Breaches” will not include unsuccessful attempts or activities that do not compromise the security of Company Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Services” means any Fuze service used by Company pursuant to the Agreement, including through NFR Licences.
2. By entering into the Agreement as supplemented by these Terms, Company instructs Fuze to process Company Personal Data only in accordance with applicable law (a) to provide the Services; (b) as authorized by the Agreement, including these Terms; and (c) as further documented in any other written instructions given by Company and acknowledged in writing by Fuze as constituting instructions for purposes of these Terms.
3. The provision of certain Services implies that Fuze, during the Term, processes Company Personal Data on Company's behalf as a data processor as indicated in Appendix 1 attached hereto. In this context, Fuze shall:
- process Company Personal Data only in accordance with Company's instructions given under Section 2 of these Terms unless applicable data protection law to which Fuze is subject requires other processing of personal data, in which case Fuze will notify Company of such processing (unless such applicable data protection law prohibits Fuze from doing so on important grounds of public interest);
- implement appropriate technical and organizational security measures as indicated in Appendix 2 attached hereto to protect Company Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (the “Security Measures”); provided that Fuze may update or modify the Security Measures from time to time so long as such updates and modifications do not materially decrease the overall security of the Services;
- taking into account the nature of the processing of Company Personal Data and the information available to Fuze, provide Company with reasonable assistance necessary for Company to comply with its obligations in respect of Company Personal Data under applicable data protection law, including Articles 32 to 34 (inclusive) of the GDPR, by (i) implementing and maintaining the Security Measures; (ii) complying with the terms of Section 4 of these Terms; and (iii) providing Company with the Security Documentation in accordance with Section 6 of these Terms and in accordance with the Agreement;
- during the Term, direct to Company any requests from data subjects in relation to Company Personal Data, and Company will be responsible for responding to any such request;
- taking into account the nature of the processing of Company Personal Data, provide Company with self-service functionality through the Services or other reasonable assistance as necessary for Company to fulfil its obligation under applicable data protection law to respond to requests by data subjects, including if applicable, Company’s obligation to respond to requests for exercising the data subject’s rights set out in Chapter III of the GDPR, provided that Company shall reimburse Fuze for any such assistance beyond providing self-service features included as part of the Services at Fuze’s then-current professional services rates, which shall be made available to Company upon request;
- taking into account the nature of the processing and the information available to Fuze, reasonably assist Company in complying with its obligations under applicable data protection law in respect of data protection impact assessments and prior consultation, including, if applicable, Company’s obligations pursuant to Articles 35 and 36 of the GDPR, by (i) making available for review copies of the Audit Reports (as defined in Section 6 of these Terms) or other documentation describing relevant aspects of Fuze’s information security program and the security measures applied in connection therewith; and (ii) providing the information contained in the Agreement, including these Terms;
- to the extent permitted by law, notify Company of any requests from data protection or law enforcement authorities in relation to the personal data; and
- on expiry of the Term, delete all Company Personal Data from Fuze’s systems, unless retention of such data is required by any applicable law; provided, however, that Fuze shall delete backup data and operational log data in the ordinary course of business. In the event applicable law does not permit Fuze to delete Company Personal Data, Fuze warrants that it shall ensure the confidentiality of the Company Personal Data and that it shall not use or disclose any Company Personal Data after termination of the Agreement, except as required by law.
4. If Fuze becomes aware of a Personal Data Breach, Fuze will (a) notify Company of the Personal Data Breach without undue delay after becoming aware of the Personal Data Breach, and include in such notification a description, to the extent possible, of the details of the Personal Data Breach, including steps taken to mitigate the potential risks and steps Fuze recommends Company take to address the Personal Data Breach; and (b) take reasonable steps to identify the cause of such Personal Data Breach, minimize harm, and prevent a recurrence. Company is solely responsible for complying with incident notification laws applicable to Company and fulfilling any third party notification obligations related to any Personal Data Breach(es). Fuze’s notification of or response to a Personal Data Breach under this Section 4 will not be construed as an acknowledgement by Fuze of any fault or liability with respect to the Personal Data Breach.
5. COMPANY’S RESPONSIBILITIES AND ASSESSMENT
- Company agrees that, without prejudice to Fuze’s obligations under Sections 3(c)-(d) of these Terms and Section 4 of these Terms:
- Company is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Company Personal Data; (b) securing the account authentication credentials, systems and devices Company uses to access the Services; (c) securing Company’s systems and devices Fuze uses to provide the Services; and (d) backing up its Company Personal Data; and
- Fuze has no obligation to protect Company Personal Data that Company elects to store or transfer outside of Fuze’s and its (sub)processors’ systems (for example, offline or on-premises storage).
- Company is solely responsible for reviewing any documents provided in connection with Section 6 of these Terms and evaluating for itself whether the Services and Fuze’s data security-related commitments under these Terms will meet Company’s needs, including with respect to any security obligations of Company under applicable data protection law.
- Company represents and warrants that it has provided notice to and obtained consent from data subjects as required by applicable data protection law, including, if applicable, in compliance with Company’s obligations pursuant to Article 7, Article 13 and Article 14 of the GDPR. Fuze will assist Company in providing such notice by making available the Product Privacy Statement, available at https://www.fuze.com/product-privacy-statement.
- With reasonable advance written notice and subject to third-party confidentiality obligations, Company may, at its expense, conduct or mandate a third party to conduct audits, including inspections to confirm Fuze’s compliance with these Terms, such audits to be conducted no more frequently than once in any rolling twelve (12) month period. In addition, to the extent required by applicable data protection law, including where mandated by Company’s supervisory authority, Company or Company’s supervisory authority may, at its expense, perform more frequent audits (including inspections). Fuze will contribute to such audits by providing Company or Company’s supervisory authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services.
- If a third party is to conduct the audit, Fuze may object to the auditor if the auditor is, in Fuze’s reasonable opinion, not suitably qualified or independent, a competitor of Fuze, or otherwise manifestly unsuitable. Such objection by Fuze will require Company to appoint another auditor or conduct the audit itself.
- To request an audit, Company must submit a detailed proposed audit plan to Fuze at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Fuze will review the proposed audit plan and provide Company with any concerns or questions (for example, any request for information that could compromise Fuze security, privacy, employment or other relevant policies). Fuze will work cooperatively with Company to agree on a final audit plan. Nothing in this Section 6 shall require Fuze to breach any duties of confidentiality.
- If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor (“Audit Reports”) within twelve (12) months of Company’s audit request and Fuze confirms there are no known material changes in the controls audited, Company agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
- Company will promptly notify Fuze of any non-compliance discovered during the course of an audit and provide Fuze any audit reports generated in connection with any audit under this Section 6, unless prohibited by applicable data protection law or otherwise instructed by a supervisory authority. Company may use the audit reports only for the purposes of meeting Company’s regulatory audit requirements and/or confirming compliance with the requirements of these Terms. The audit reports are Confidential Information of the Parties under the terms of the Agreement.
- Audits under this Section 6 will be reasonable in scope, will occur at mutually agreeable times, and will not interfere with Fuze’s business operations.
7. Company agrees that Fuze and/or its affiliates may engage Fuze affiliates and/or third party (sub)processors without (prior) written consent. Fuze and/or its affiliates shall pass down to their (sub)processors data protection obligations not less protective than those in these Terms with respect to the protection of Company Personal Data to the extent applicable to the nature of the services provided by such (sub)processor, and shall remain responsible towards Company for their (sub)processors’ compliance with such obligations. A list of current (sub)processors is available at https://www.fuze.com/fuze-platform-subprocessor-list. Fuze shall notify Company of any new (sub)processors engaged at least thirty (30) days before the new (sub)processor processes any Company Personal Data. In the event that Company has reasonable objections to the engagement of a new (sub)processor, it will notify Fuze in writing of such objections within ten (10) business days of Fuze's notification. If Company's objections are reasonable, Fuze shall make reasonable endeavors to resolve such objections. If Fuze is unable to resolve such objections within a reasonable time frame, Company may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to Fuze.
8. Company hereby agrees that Fuze can process and transfer personal data outside the European Economic Area (“EEA”), including in and to the United States. Fuze shall provide for appropriate safeguards to ensure that such processing and transferring outside the EEA takes place in accordance with the Standard Contractual Clauses (as approved by the European Commission) or another solution that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).
9. Company acknowledges that Fuze is required under the GDPR to (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Fuze is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Company Personal Data, Company will, where requested, provide such information to Fuze, and will ensure that all information provided is kept accurate and up-to-date.
10. The total combined liability of either Party and its affiliates towards the other Party and its affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, including these Terms and the Model Contract Clauses (if entered into), will be limited to limitations on liability and the greater of (a) any liability caps agreed to by the Parties in the Agreement or (b) USD 25,000; provided that nothing in this Section 10 will affect any Party’s liability to data subjects under the third party beneficiary provisions of the Model Contract Clauses to the extent limitation of such rights is prohibited by applicable data protection law.
11. Notwithstanding anything to the contrary herein, any notices required or permitted to be given by Fuze to Company may be given (a) in accordance with the notice clause of the Agreement; (b) to Fuze’s primary points of contact with Company; and/or (c) to any email address provided by Company for the purpose of providing Company or its user at such email address with Service-related communications or alerts. Company is solely responsible for ensuring that such email addresses are valid.
12. These Terms will take effect on the Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon, Fuze’s deletion of all Company Personal Data as described in these Terms.
13. In the event of a conflict between the terms of these Terms and the terms of the Agreement, these Terms shall control. Except as modified by these Terms, the Agreement shall remain in full force and effect.
Scope, Nature, and Purpose of the Processing
The personal data processed and transferred shall be subject to the following basic processing activities:
The personal data is processed and transferred in the context of the provision of contracted services to Company and Company's end users by Fuze and its affiliates. Depending on the characteristics of the specific Services provided, processing operations may consist in:
- data storage and processing in Fuze’s data centers, related to the provision of the Services;
- hosting secured internet portals for presentation of Service related information;
- creating invoices and related billing information;
- providing technical support; and
- other processing operations as will generally be performed in the process of providing Unified Communications as a Service.
Duration of the Processing
Fuze shall stop processing and transferring Company’s personal data after the end of the provision of the relevant Services within a reasonable period to implement this termination of processing and transferring.
Categories of Data Subjects
Fuze will process and transfer personal data of Company’s contact persons and end users who are using Fuze’s Services.
Types of Personal Data
The personal data processed or transferred concerns the following categories of data:
- With regard to Company’s contact persons, categories may include: name, title, gender and business contact details (business address, telephone number, email address, etc.);
- With regard to end users using the Services, depending on the characteristics of the specific Services provided and to the extent relating to an identified or identifiable natural person, categories may include:
- Names, gender, department, business contact details (email, phone, mobile, fax), primary office location and other contact details to the extent provided by the end user;
- Account name, user names and other login details;
- Call detail records and other communication details related to outbound and inbound communication (telephone numbers, IP addresses and other communication identifiers, date, time and duration of the communication and other data generally processed for the provision of communication services);
- Uploaded files, messages and notes;
- Voicemail and call recordings; and
- Video recordings and conference attendee details (names, phone number and email address when provided, IP address of attendee computer).
Description of the technical and organizational security measures implemented by the data importer:
Fuze operates a Comprehensive Information Security Program (“CISP”). Fuze’s strategic business plan and risk management framework provide the context for identifying, assessing, evaluating, and controlling information related risks through the establishment and maintenance of the CISP. In particular, business continuity and contingency plans, data back-up procedures, avoidance of viruses and hackers, access control to systems and personal data breach reporting are fundamental to the CISP. Control objectives for each of these areas are supported by specific, documented policies and procedures. The CISP is subject to continuous, systematic review and improvement.
Under the CISP, Fuze implements the technical and organizational security measures indicated below.
- Access control to premises and facilities
Unauthorized access (in the physical sense) to premises and facilities where systems used for personal data processing are located must be prevented. Fuze has implemented technical and organizational measures to control access to premises and facilities, and in particular, to check authorization, including access control systems (identification reader, magnetic card, chip card), (issuance of) keys, door locking (electric door openers, etc.), security staff, and surveillance facilities (alarm system, video/CCTV monitor).
- Access control to systems
Unauthorized access to IT systems must be prevented. Fuze has implemented technical and organizational measures for user identification and authentication, including password procedures (e.g. special characters, minimum length, change of password), automatic blocking (e.g. password or timeout), creation of one master record per user and encryption of data in transit.
- Access control to data
Activities in IT systems not covered by the allocated access rights must be prevented. Fuze has implemented requirements-driven definitions of authorization schemes and access rights, and monitoring and logging of accesses, including differentiated access rights (profiles, roles, transactions and objects) and reporting.
- Disclosure control
Aspects of the disclosure of personal data must be controlled (electronic transfer, data transport, transmission control, etc.). Fuze has implemented measures regarding transport, transmission and communication or storage of data on data media (manual or electronic) and for subsequent checking, including encryption/tunneling, logging and transport security.
- Input control
Full documentation of data management and maintenance must be maintained. Fuze has implemented measures for checking whether data has been entered, changed or removed (deleted), and by whom, including logging and reporting systems.
- Job control
Fuze has taken measures to ensure that data processing is carried out in accordance with the data exporter's instructions.
- Availability control
Data must be protected against accidental destruction or loss. Fuze has implemented measures to assure data security, including backup procedures, uninterruptible power supply, remote storage, data replication and storage across multiple sites, anti-virus/firewall systems and a disaster recovery plan.
- Segregation control
Data collected for different purposes must also be processed separately. Fuze has implemented measures to provide for separate processing (storage, amendment, deletion, transmission) of data for different purposes, including measures to ensure Company data is logically segregated on a per Company basis.