Last Updated: November 2023
United States and Canada Only
This Data Processing Addendum (this “Addendum”) is by and between Aceyus, Inc. (“Aceyus”) and the Aceyus customer that is accepting this Addendum (“Customer”) and describes Aceyus’ and Customer’s obligations with respect to Aceyus’ use and processing of Personal Data (as defined below). This Addendum forms part of the agreement to which it is attached or into which it is incorporated, under which Aceyus provides services to Customer (the “Agreement”). Capitalized terms used in this Addendum but not defined herein have the meaning given to them in the Agreement.
This Addendum is not intended to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and should not be used in connection with customers located in the European Economic Area.
For clarity, this Addendum applies only to the processing of Personal Data in environments controlled by Aceyus and Aceyus Subprocessors. This Addendum does not apply to Personal Data that remains on Customer’s premises or in any Customer-selected third-party operating environments.
The parties agree to the foregoing and as follows:
1. Definitions. As used herein, the following terms shall have the following definitions:
- “Data Subjects” means Customer’s Authorized Users; Customer’s employees and contractors who manage and operate Customer’s contact centers; the Customer’s contact center agents; and Customer’s customers who are natural persons, to the extent their information is stored in Customer’s databases associated with the Software.
- “Personal Data” means information relating to an identified or identifiable Data Subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Privacy Laws” means all applicable United States and Canadian state or federal statutes and regulations pertaining to privacy and information security, including but not limited to: the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act (the “CCPA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (the “VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (the “CPA”); the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (the “UCPA”); the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. Gen. Stat. 42-515 et seq. (the “PDPOM”); the Indiana Consumer Data Protection Act, S.B. 5 (the “INCDPA”); the Iowa Consumer Data Protection Act, S.J. 708 (the “ICDPA”); the Montana Consumer Data Privacy Act, S.B. 384 (the “MCDPA”); the Tennessee Information Protection Act, H.B. 1181 (the “TIPA”); Personal Information Protection and Electronic Documents Act (“PIPEDA”); Personal Information Protection Act (Alberta) (“PIPA Alberta”); Personal Information Protection Act (British Columbia) (“PIPA BC”); An Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Privacy Act”); or any regulations or guidance issued pursuant thereto, and any other applicable United States and Canadian laws or regulations regarding privacy and information security that are in effect or come into effect during the term of the Agreement.
- “Services” means the services provided by Aceyus to Customer under the Agreement.
- The terms “business,” “collect,” “consent,” “consumer,” “controller,” “process” or “processing,” “processor,” “sell,” “sensitive data,” “sensitive personal information,” “service provider” and “share” shall have the meanings given to those terms in the applicable Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect upon the execution of this Addendum. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Law(s) will apply.
2. Roles of the Parties; Authorized use of Personal Data.
For the purposes of the Agreement and this Addendum, Customer is the sole party that determines the purposes and means of processing Personal Data as the business or controller, and Aceyus processes Personal Data on behalf of Customer as the service provider or processor. The duration, nature, purpose and other details of the processing are provided in this Addendum.
Aceyus shall use and disclose Personal Data only in accordance with the Agreement and this Addendum, and as applicable based on Customer’s and its Authorized Users’ use and configuration of the features of the Services.
Customer shall be responsible for ensuring that its provision of Personal Data to Aceyus for processing complies with applicable Privacy Laws and, in particular, that any necessary consent to the processing of sensitive information and sensitive data has been obtained before providing such Personal Data to Aceyus.
Aceyus may use Personal Data to: (a) manage its billing and accounting functions for Customer; (b) enforce its Agreement; (c) enhance and test its products and services; (d) support and maintain its products and services; and (e) comply with legal process or law, or respond to a subpoena, court order, or government request for information. Unless prohibited by applicable law or a legally binding request of law enforcement, Aceyus will promptly notify Customer of any request or demand by a government agency or law enforcement authority for access to or copy of Personal Data.
Aceyus may use anonymous aggregate statistics relating to Customer’s use of the Services. This statistical data may include aggregated information based on Personal Data, provided that no such statistics could be used to re-identify any Data Subject. Examples include but are not limited to, depending on the Services:
- Number of agents, queues, and skills that are being reported on
- Aggregate quantity of data stored in the cloud
- Number of active reporting or dashboard users
3. Aceyus Personnel. Aceyus shall require its personnel who have access to Personal Data: (a) to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data, and (b) to agree to keep Personal Data confidential both during and after their employment.
4. Security Measures. Customer and Aceyus each shall maintain appropriate technical and organizational measures to protect against loss, alteration, unauthorized disclosure of, or access to Personal Data. Measures shall include as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
Depending on the Services, additional Aceyus security measures may be summarized at https://www.aceyus.com/terms-of-use/cloudsecurity/. Customer is solely responsible for making an independent determination as to whether the technical and organizational security measures for the Services meet Customer’s requirements, including any of its security obligations under applicable Privacy Laws.
5. Compliance with Privacy Laws. Aceyus will comply with all Privacy Laws applicable to the delivery of the Services. Customer will comply with all Privacy Laws applicable to Customer’s use of the Services. As between the parties, Customer shall be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer obtains Personal Data. Customer represents and warrants that it has provided and/or obtained, to the extent required by applicable Privacy Laws, all necessary notices, opt-out rights and/or consent to Personal Data being used and shared for the purposes described herein.
6. Requests from Data Subjects. Unless prohibited by law, Aceyus will inform Customer of requests made to Aceyus by Data Subjects to exercise their rights under the Privacy Laws with respect to Personal Data. Customer shall be solely responsible to respond to such requests from Data Subjects. If the Services do not provide Customer the ability to respond to requests from Data Subjects, then, upon Customer’s request, Aceyus will provide reasonable assistance to Customer to respond to such requests. Depending on the nature of such assistance, Aceyus reserves the right to charge Customer for assistance with such requests.
7. Security Incidents. Aceyus shall, unless prohibited by law, notify Customer without undue delay (not to exceed five (5) business days) after confirming a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data under Aceyus’ control (“Security Incident”). Aceyus shall promptly: (a) investigate the Security Incident; (b) provide detailed information to Customer about the Security Incident, including the Personal Data used or disclosed, and (c) take reasonable steps to mitigate the effects and minimize the damage resulting from the Security Incident and prevent future similar Security Incidents.
Aceyus shall provide reasonably requested assistance to Customer in dealing with any Security Incident. Aceyus shall not make any public announcement about a Security Incident without the prior written consent of Customer unless required by applicable law.
In accordance with applicable Privacy Laws, Customer has the right, upon reasonable written notice to Aceyus, to take reasonable and appropriate steps to stop and remediate Aceyus’ unauthorized use of Personal Information.
Customer agrees to notify Aceyus promptly about any possible misuse of its accounts or account credentials or any security incident Customer becomes aware of relating to the Services.
Aceyus’ notification of or a response to a Security Incident is not an acknowledgement by Aceyus of any fault or liability with respect to the Security Incident.
8. Personal Data Deletion and Retention. Personal Data stored by Aceyus will be stored for the duration of the Services (“Retention Period”). Unless otherwise requested by Customer, Aceyus will use commercially reasonable efforts to securely delete Personal Data after the Retention Period.
9. Audits. Subject to reasonable notice, and at Customer’s expense (including fees and expenses to compensate Aceyus for its personnel’s time and out of pocket costs involved in responding to any audit request), Aceyus shall provide Customer an opportunity to conduct a remote privacy and security audit of Aceyus’ security program and systems and procedures that are applicable to the Services, as necessary to demonstrate Aceyus’ compliance with Privacy Laws. Audits will occur at most annually or following notice of a Security Incident, will be performed by a qualified independent, accredited, third-party audit firm, and will be subject to reasonable confidentiality procedures. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Aceyus, and Aceyus shall promptly cure any material non-compliance. Notwithstanding the foregoing, if Aceyus conducts its own audit or controls report of its security program, then upon request Aceyus will provide Customer with a copy of any such report and Customer will have the right to audit Aceyus’ security program and systems and procedures that are applicable to the Services under this Section 8 only to the extent that Customer’s audit requirements cannot reasonably be satisfied by such report. Aceyus’ audit reports and the results of any audits hereunder shall be Aceyus Confidential Information.
10. Subprocessors. Customer acknowledges and agrees that Aceyus may use third parties, including data hosting providers, in connection with the provision of the Services and perform Aceyus’ internal business operations related to its performance of the Services (such third parties, “Subprocessors”). Aceyus maintains a list of Subprocessors on its website at https://www.aceyus.com/terms-of-use/sla/subprocessors. Customer hereby consents to Aceyus’ use of these subprocessors. Aceyus will add the names of new and replacement Subprocessors to the list prior to providing such Subprocessors with Personal Data. Aceyus will ensure that any Subprocessor it engages on its behalf in connection with this Addendum agrees in a written contract to terms substantially as protective of Personal Data as those in this Addendum, to the extent applicable to the nature of the Services provided by such Subprocessor (the “Subprocessor Agreement”). Aceyus shall be liable to Customer for any breach by a Subprocessor of the Agreement.
If Customer reasonably objects to Aceyus’ use of a new Subprocessor which would result in Aceyus’ breach of this Addendum in relation to the protection of Personal Data, Customer shall promptly notify Aceyus in writing no later than within thirty (30) days of receipt of Aceyus’ notice. If Customer so objects to a new Subprocessor, and the parties cannot resolve the objection within a reasonable period of time, which shall not exceed sixty (60) days, then Customer may terminate the applicable Agreement with respect to those Services which cannot be provided by Aceyus without the use of the objected-to new Subprocessor by providing written notice to Aceyus. Aceyus will refund Customer any prepaid fees covering the remainder of the term of such Services following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
11. Data Transfers. Unless the parties separately agree otherwise, Personal Data that Aceyus processes on Customer’s behalf may be transferred to and stored and processed in the United States, and Customer appoints Aceyus to perform any such transfer of Personal Data to the United States and to store and process Personal Data to provide the Services.
12. Additional Terms. Capitalized terms used in this Section 11, and not otherwise defined, have the meaning given to them in the applicable Privacy Laws. For the purpose of this Section 12, the term “Services” also includes operational tasks reasonably related to the Services, including quality improvement, error corrections, and auditing.
a. Customer hereby instructs Aceyus to process Personal Data as reasonably necessary to provide Customer with the Services.
b. Customer will provide Personal Data to Aceyus solely for the purpose of Aceyus performing the Services.
c. Aceyus shall provide the Services and Process any Personal Data in accordance with the Agreement, as a Service Provider to Customer. Aceyus will not retain, use, or disclose Personal Data for any purpose, including any commercial purpose, other than for providing the Services under this Agreement, or as otherwise permitted by applicable Privacy Laws.
d. Aceyus will Process Personal Data only as necessary to perform the Services and will not sell or share the Personal Data. To the extent prohibited by applicable Privacy Laws, Aceyus will not combine Personal Data received from Customer with Personal Data that Aceyus receives from, or on behalf of, another person or persons, or collects from its own interactions with consumers.
e. Aceyus will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data designed to prevent unauthorized access to and disclosure of Personal Data.
f. Aceyus will retain Personal Data only for as long as necessary for the permitted purpose or as required by applicable law. At the termination of the Agreement, or upon Customer’s written request, Aceyus will either destroy or return Personal Data to Customer, unless legal obligations require storage of the Personal Data.
g. If Aceyus receives a request submitted by a Consumer to exercise a right the Consumer has under applicable Privacy Laws in relation to that Consumer’s Personal Data, it will provide a copy of the request to Customer. Customer will be responsible for handling and communicating with Consumers in relation to such requests.
h. If Aceyus determines that it can no longer meet its obligations under applicable Privacy Laws, then it shall promptly inform Customer.
Aceyus certifies that it understands the restrictions contained in this Section 11 and will comply with them.
13. Updates. Aceyus may, from time to time, update this Data Processing Addendum and the terms and other documents incorporated by reference herein, so long as those updates do not materially reduce any of Aceyus’ commitments therein. Aceyus will provide Customer with notice of material changes to such terms or documents, which notice may be by email or through the Services.
14. Entire Addendum; Conflict: This Addendum supersedes and replaces all prior and contemporaneous statements, understandings, and communications, oral and written, with regard to the subject matter of this Addendum. If there is any conflict between this Addendum and the Agreement, this Addendum shall control. Except as expressly set forth in this Addendum, the Agreement shall remain in place. For the avoidance of doubt, the parties intend that the limitations on liability clauses in the Agreement shall apply to this Addendum.