This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Master Subscription and Services Agreement or such other agreement entered into between the parties (“Main Agreement”), under which Contentful provides services (“Contentful Services”) to Customer. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Main Agreement.
1. Definitions
a) “Affiliates” has the same meaning set forth in the Main Agreement.
b) “Authorized Affiliates” are Customer Affiliates who have entered into Provisioning Documents or to which Customer has granted a sublicense to the Contentful Services.
c) “California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended, supplemented or replaced from time to time, including the California Privacy Rights Act of 2020.
d) “Customer Content” has the same meaning set forth in the Main Agreement.
e) “Customer Personal Data” means the Personal Data contained within Customer Content.
f) “Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Main Agreement, including without limitation, European Data Protection Laws and the CCPA.
g) “European Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection of 19 June 1992; and (iv) any successor legislation to those laws and regulations identified in subsections (i)-(iii) of this paragraph.
h) “Personal Data” means any information relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including “personal data” under GDPR and “personal information” under the CCPA.
i) “Service Data” means any data relating to Customer’s use, support and/or operation of Contentful Services and Contentful websites, including activity logs, use patterns, cookie data or other information regarding use of Contentful Services and Contentful websites.
j) “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following: (i) “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; and/or (ii) “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
k) “Sub-processor” means any other Processors engaged by Contentful to Process Customer Personal Data.
l) The terms “Controller”, “Data Subject”, “Personal Data Breach”, “Processor” and “Processing” (including Process, Processed, and Processes) shall have the respective meanings ascribed to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in European Data Protection Laws will apply.
2. Scope of Application
a) While providing Contentful Services, it may be necessary for Contentful to Process Customer Personal Data (see Schedule 1). Contentful is the Processor of such Customer Personal Data and Customer is the Controller and, with respect to CCPA, Contentful is the “service provider” as defined therein.
b) Except as provided by this DPA, the Main Agreement remains unchanged and in full force and effect. In case of contradictions between this DPA and the provisions of other agreements, in particular the Main Agreement, the provisions of this DPA prevail with regards to the Processing of Customer Personal Data. The provisions of the Standard Contractual Clauses attached in Schedule 3 prevail, where applicable, over this DPA to the extent of any discrepancy between the two.
c) This DPA does not apply to Service Data. To the extent any Service Data is considered Personal Data under Data Protection Laws, Contentful is responsible as a Controller, and Processes such data in accordance with its privacy notice available at contentful.com/legal and Data Protection Laws.
3. Subject, Scope and Duration of Processing
a) Schedule 1 to this DPA contains a comprehensive list of the types of Customer Personal Data that Contentful may Process, in which manner, for what purposes, and to which categories of Data Subjects such data relate.
b) This DPA becomes effective from the date last signed by the parties below (“Effective Date”) and remains in effect for as long as Contentful Processes Customer Personal Data pursuant to the Main Agreement.
4. Scope of Customer’s Authority to Issue Instructions
a) Contentful Processes Customer Personal Data exclusively on behalf of Customer and on Customer instructions, which must be lawful and documented. Customer’s instructions are exclusively included in the Main Agreement and this DPA and any additional requested instructions require the prior written agreement of the parties.
b) Customer shall not issue Processing instructions that would cause Contentful to Process Customer Personal Data in violation of Data Protection Laws. Contentful shall promptly inform Customer if in Contentful’s reasonable opinion Customer’s instructions conflict with this DPA, an earlier instruction or applicable Data Protection Laws.
c) Customer hereby instructs Contentful to Process Customer Personal Data and, in particular, to transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of Contentful Services in accordance with the Main Agreement and this DPA.
d) Contentful’s obligations in this DPA shall also extend to Authorized Affiliates, provided that (i) only Customer can communicate any additional Processing instructions pursuant to this section 4; (ii) all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer; and (iii) any claims by an Authorized Affiliate against Contentful in relation to this DPA must be brought by Customer directly against Contentful on behalf of such Authorized Affiliate.
5. Obligations and Legal Status of Customer as Controller
a) Customer is responsible for obtaining all consents, permissions and rights necessary under Data Protection Laws for Contentful to lawfully Process Customer Personal Data to provide the Contentful Services.
b) As between the parties, Customer is and remains the owner of Customer Personal Data and the holder of all rights relating to Customer Personal Data.
6. Security of Processing
a) Contentful takes appropriate technical and organizational measures to ensure an adequate level of protection for Customer Personal Data corresponding to the risk of the respective Processing. Such measures are in consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims of the Processing as well as the varying likelihood and severity of risk to the rights and freedoms of Data Subjects.
b) Customer has assessed the security measures offered by Contentful to meet the standards required by Data Protection Laws as of the Effective Date. Such technical and organizational measures are specified in Schedule 2 to this DPA and/or in the Main Agreement and Contentful will maintain those (or effectively similar) measures during the term of the Main Agreement.
c) Contentful shall ensure that any person who is authorized by Contentful to Process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
7. Sub-processors
a) Customer hereby authorizes Contentful to appoint Sub-processors in accordance with this section.
b) Contentful can continue using those Sub-processors already engaged by Contentful as of the Effective Date and that are listed at https://www.contentful.com/legal/privacy-at-contentful/sub-processors/ (“Sub-processor Site”), subject to Contentful meeting the obligations set out in this section.
c) Contentful shall make available on its Sub-processor Site a mechanism to subscribe to notifications of new Sub-processors and, prior to engaging new Sub-processors, Contentful will notify Customer through such mechanism. Customer is entitled to provide reasonable objections to any change notified by Contentful within 21 days and for materially important reasons. If Customer fails to object to such change within such reasonable time, Customer is deemed to have consented to such change. Where a reasonable materially important basis for such objection exists and an amicable resolution fails, Customer, as its sole and exclusive remedy, may provide written notice to Contentful terminating the Provisioning Documents with respect only to those aspects which cannot be provided by Contentful without the use of the new Sub-processor. Contentful will refund Customer any prepaid unused fees of such Provisioning Documents following the effective date of termination.
d) Contentful (i) remains liable under this DPA for the acts and omissions of Sub-processors and (ii) will enter into written agreements with such Sub-processors containing data protection obligations not less protective than those in this DPA, and including Standard Contractual Clauses, to the extent applicable to the nature of the services provided by such Sub-processor.
8. Data Subject Requests
a) If a Data Subject contacts Contentful to exercise the Data Subject’s rights regarding Customer Personal Data as permitted under Data Protection Laws (“Data Subject Request(s)”) and the requestor identifies the request as originating from Customer, Contentful will not respond to such request but will instead forward it to Customer without undue delay. The Contentful Services include functionality that allows Customers to respond to Data Subject Requests and, to the extent Customer is unable to independently respond to a Data Subject Request, Contentful will provide reasonable assistance upon Customer’s written request.
b) If a Data Subject has a right to data portability with respect to Customer Personal Data, Contentful will ensure that Customer can obtain such data in a structured, common and machine-readable format.
9. Data Breach
a) Contentful will inform Customer of any Personal Data Breach without undue delay and, in any event, so as to facilitate the parties’ compliance with Data Protection Laws (such as notification timelines set by GDPR Article 33 (1)). Contentful shall notify Customer, to the extent known, about the nature of the Personal Data Breach, the identities, categories and the number of Data Subjects affected, and the number of data sets affected.
b) Contentful will without undue delay take all necessary and reasonable measures to mitigate or contain the Personal Data Breach. Contentful will inform Customer as soon as reasonably possible about such measures and keep Customer informed as reasonably practicable.
10. Return and deletion of Customer Personal Data
a) Contentful is prohibited from actively Processing Customer Personal Data after termination of the Main Agreement.
b) At the choice and request of Customer, all Customer Personal Data must be either deleted (or otherwise obliterated such that it cannot be recovered or reconstructed) or returned to Customer within a reasonable time after Customer request.
c) Contentful may retain Customer Personal Data to the extent required by Data Protection Laws and only to the extent and for such period as required by such Data Protection Laws.
11. Cross-Border Data Transfer Mechanism
If any Customer Personal Data transfer between Customer and Contentful requires execution of Standard Contractual Clauses in order to comply with European Data Protection Laws (where Customer is the Data Exporter), the terms and conditions of Schedule 3 will apply.
12. Information and Audit Rights
a) To the extent that the Main Agreement does not otherwise give the information and audit rights pertaining to the Processing of Customer Personal Data and meeting the relevant requirements of Data Protection Laws (including, where applicable, GDPR Article 28(3)(h)), Contentful will upon reasonable request make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by Customer or an auditor designated by Customer in relation to the Processing of Customer Personal Data. Contentful will not unreasonably withhold or delay agreement to an auditor selected by Customer.
b) The audits and inspections referred to in section 12.a are primarily carried out by Customer auditing and inspecting audit reports resulting from an audit performed by an independent third-party information security expert at Contentful’s expense and choice in accordance with Contentful’s ISO 27001 compliant information security management system. Customer hereby instructs Contentful to perform audits for purposes of privacy compliance under this DPA as described in this section 12.b.
c) If Customer wishes to alter its above instructions concerning audits, Customer will issue a suggestion for altered audit instructions to Contentful in writing reasonably in advance of the requested audit. If the parties fail to reach an amicable resolution on altered audit instructions, Contentful may terminate the Main Agreement.
d) Audits will be subject to customary confidentiality undertakings or professional duty of confidentiality. Customer will give Contentful reasonable notice of any audit or inspection and will take (and ensure that auditors take) all reasonable endeavors to minimize disruption to Contentful’s business, including e.g. carrying out the audits during normal business hours. The audit and any information arising therefrom shall be considered Contentful’s Confidential Information and may only be shared with a third-party with Contentful’s prior written agreement.
e) Customer will not carry out more than one audit per year of the Main Agreement term unless (i) Customer reasonably considers it necessary because of genuine and demonstrable concerns as to Contentful’s compliance with this DPA or Data Protection Laws; (ii) Customer is required to carry out an audit by Data Protection Laws, a supervisory authority or any similar regulatory authority responsible for enforcement of such laws; or (iii) an earlier audit has identified non-conformity with this DPA or Data Protection Laws.
f) All costs and expenses arising from audits are borne by Customer.
g) Nothing herein limits any rights mandated by law, such as supervisory authority and Data Subject rights, including in accordance with the Standard Contractual Clauses.
13. Other Contentful Obligations
a) If Customer is required to provide information to a data protection authority or to otherwise cooperate with a public authority, relating to Processing of Customer Personal Data, Contentful will support Customer by providing such information reasonably available to it or otherwise reasonably cooperating with Customer, including as such information relates to technical and organizational measures taken in line with Article 32 GDPR.
b) To the extent necessary and reasonable, Contentful will support Customer by providing reasonably requested information regarding the Contentful Services to enable Customer to carry out data protection impact assessments or consultation (if applicable) with data protection authorities as required by Data Protection Laws.
14. Relationship to Main Agreement
a) This DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Contentful and Customer may have previously entered into in connection with the Contentful Services. This DPA is subject to the governing law and jurisdiction provisions in the Main Agreement unless and to the extent required otherwise by Data Protection Laws.
b) Each party’s and each of its Affiliates’ liability, taken in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses where applicable), whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Main Agreement. In no event will either party’s liability be limited with respect to any Data Subject’s data protection rights under this DPA (including the Standard Contractual Clauses).
Schedule 1: Details of Processing
For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 1 serves as Annex I, Part B.
Categories of Customer Personal Data: The types of Customer Personal Data are determined and controlled by Customer in its sole discretion. Such Customer Personal Data typically consists of editorial material intended for websites and may include, but is not limited to, the IP address of the end user of the Customer Applications, if Customer Applications are integrated with Contentful Services in a way that discloses such Personal Data. No “special categories of personal data” or similarly sensitive Personal Data are transferred.
Retention Period: Customer Personal Data is deleted or returned at the termination of the Main Agreement.
Duration of Processing: Duration of the Main Agreement.
Frequency of Processing: Continuous basis for the duration of the Main Agreement.
Nature of Processing: Any operation necessary for the performance of the Main Agreement and to comply with Customer’s Processing instructions.
Purposes of Processing: Performance of the Main Agreement and provision of Contentful Services and related support services; hosting Customer Content and serving it via application programming interfaces to Customer Applications.
Categories of Data Subjects: Customer Content may include Personal Data, the Data Subjects of which are controlled and determined by Customer at its sole discretion; possibly Customer personnel and contractors using Contentful Services and communicating with Contentful; and possibly end users of the Customer Applications.
Schedule 2: Technical and organizational measures
This Schedule 2 may be replaced by the Contentful security policy by appending or referencing and incorporating such policy herein: https://www.contentful.com/legal/de/2017-01-31/security/
Schedule 3: Standard Contractual Clauses
For data transfers by Customer from the European Economic Area, Switzerland or the United Kingdom to Contentful in a country that does not ensure an adequate level of protection within the meaning of applicable Data Protection Laws, the EU SCCs and/or UK Addendum, as applicable, shall govern such transfers.
The below shall apply to the Standard Contractual Clauses and any optional clauses not expressly selected are not incorporated. The Module Two terms apply to the EU SCCs and the foregoing designation applies to Table 2 of the UK Addendum. For transfers from Switzerland and other countries that adopt the EU SCCs, terms in the EU SCCs shall be interpreted to include applicable terminology for those jurisdictions (e.g., ‘Member State’ shall be interpreted to mean ‘Switzerland’).
(i) in Clause 7, the docking clause will apply.
(ii) in Clause 9, Option 2 (‘General written authorization’) will apply, and the time period for prior notice of sub-processor changes will be as set forth in section 7 (Sub-processors) of this DPA. The foregoing shall apply with respect to Table 2 of the UK Addendum;
(iii) in Clause 17 and Clause 18, the Member State for the purposes of governing law and jurisdiction shall be the governing law and jurisdiction set forth in the Main Agreement. If the jurisdiction and governing law in the Main Agreement are not from a Member State, then Germany will be the designated Member State for purposes of Clause 17 and Clause 18. Part 2, Section 15(m) and Part 2, Section 15(n) of the UK Addendum shall apply with respect to Clause 17 and Clause 18 of the EU SCCs.
(iv) In Annex I, Part A:
Data Exporter: Customer and Authorized Affiliates of Customer.
Contact Details: Customer’s account owner email address.
Data Exporter Role: Controller
Signature & Date: By entering into the DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Contentful Inc; Contentful GmbH
Contact Details: Contentful Privacy Team - firstname.lastname@example.org
Data Importer Role: Processor
Signature & Date: By entering into the DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
The foregoing shall apply with respect to Table 3 of the UK Addendum.
(v) In Annex I, Part B: the details are provided in Schedule 1 of this DPA. For transfers to sub-processors, the subject matter and nature of the Processing are outlined at https://www.contentful.com/legal/privacy-at-contentful/sub-processors/ and the duration of the Processing is the duration of the Main Agreement. The foregoing shall apply with respect to Table 3 of the UK Addendum.
(vi) In Annex I, Part C: The supervisory authority is that of the Member State in which the data exporter or the data exporter’s representative, as applicable, is established.
(vii) Schedule 2 of this DPA serves as Annex II of the Standard Contractual Clauses. The foregoing shall apply with respect to Table 3 of the UK Addendum.
(viii) The list of sub-processors for Annex III are located at https://www.contentful.com/legal/privacy-at-contentful/sub-processors/. The foregoing shall apply with respect to Table 3 of the UK Addendum.
(ix) With respect to Table 4 of the UK Addendum, either party may terminate the UK Addendum in accordance with Section 19 of the UK Addendum if the parties are unable to come to a mutual agreement after a good faith effort to amend this DPA to account for changes arising from a revised Approved Addendum issued by the ICO.