Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Master Terms of Service Agreement available at the Terms of Service ("Agreement"), entered into by and between Data Processor and Data Controller, in accordance with the personal data processed using Clearout’s Services as outlined in the applicable Agreement. The main goal of this DPA is to demonstrate agreement between the two parties in terms of the processing of Personal Data in compliance with the requirements of Data Protection Legislation as provided below.
If the Data Controller signing this DPA is a party to the Agreement, this DPA forms part of the Agreement. In such a case, Clearout that is a party to the Agreement becomes a party to this DPA.
In the course of providing the Services to Data Controller pursuant to the Agreement, Data Processor may Process Personal Data on behalf of Data Controller and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
If the Data Controller signing this DPA is a party to the Agreement, this DPA forms part of the Agreement. In such a case, Clearout that is a party to the Agreement becomes a party to this DPA.
In the course of providing the Services to Data Controller pursuant to the Agreement, Data Processor may Process Personal Data on behalf of Data Controller and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1.Definitions
Data Processor or Clearout : Clearout, 2035 Sunset Lake Road Suite B-2, 19702, Newark, Delaware.
Data Controller: a person or company that controls the personal data processed using Clearout's Service.
Service or Services : all content, services, and products available at, or through the Website, including, but not limited to, verifying email addresses using Clearout's Website or API.
API: Automated application programming interface to connect Clearout's Services with other websites, servers or applications.
Data Processing : processing of data on behalf of the Data Controller.
Data Protection Law : EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including (with effect from May 25, 2018) by the GDPR and laws implementing, replacing or supplementing the GDPR.
GDPR : The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Data Subject : means the identified or identifiable natural person to whom the Personal Data relates.
Personal Data : means any data which relates to an identified or identifiable natural person ("Data Subject").
Personal Data Breach : means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Sub-processor : means any person (including any third party, but excluding Clearout employees) appointed by or on behalf of Clearout to process data in connection with the Agreement.
Data Controller: a person or company that controls the personal data processed using Clearout's Service.
Service or Services : all content, services, and products available at, or through the Website, including, but not limited to, verifying email addresses using Clearout's Website or API.
API: Automated application programming interface to connect Clearout's Services with other websites, servers or applications.
Data Processing : processing of data on behalf of the Data Controller.
Data Protection Law : EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including (with effect from May 25, 2018) by the GDPR and laws implementing, replacing or supplementing the GDPR.
GDPR : The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Data Subject : means the identified or identifiable natural person to whom the Personal Data relates.
Personal Data : means any data which relates to an identified or identifiable natural person ("Data Subject").
Personal Data Breach : means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Sub-processor : means any person (including any third party, but excluding Clearout employees) appointed by or on behalf of Clearout to process data in connection with the Agreement.
2. Data Processing
2.1. Data Subjects
Data Subjects include the information of the Data controller who signed up for the email verification plan of Data Processor.
2.2. Types of Information
In the course of using the Services, Data Processor asks Data Controller to provide certain personally identifiable information of Data Controller that can be used to contact or identify the Data Controller and to administer the Data Controller‘s account (“Personally Identifiable Information”). Personal Information such as the Data Controller’s name and email address are used to create the account for the Site and Services, as well as for email newsletters and invoicing.
Data Controller’s credit card information is used by third parties such as PayPal or Stripe to process the payment(s) of Data Controller for the Services. Data Controller's consent will be required if the Personal Information of the Data Controller is being collected, used and stored by Data Processor in accordance with the Terms and Conditions of Use and the Privacy Policy of the Data Processor.
2.3. Purpose of the Processing
The purpose of processing is to identify whether an email address exists and whether it is possible to deliver an email to this address. This verification happens in an online, fully automated system. The subject matter of the contract is email verification. In no event will Data Processor process any Personal or Navigational Data for its own purpose or those of any third party.
2.4. Duration of the Processing
Personal Data will be processed for the duration of the Agreement, subject to Section 4 of this DPA. Information uploaded to the Site or otherwise submitted to Data Processor in conjunction with the Services, including but not limited to CSV or XLSX files, may be stored for a period of thirty (30) days. If the Data Controller initiates payment for the Services, Data Processor may collect and store Personal Information, as well as any other information provided to us. This Personal Information may be shared with third parties in order to process the payment of the Data Controller. Data Processor encrypts credit card numbers using industry standard technology.
Data Subjects include the information of the Data controller who signed up for the email verification plan of Data Processor.
2.2. Types of Information
In the course of using the Services, Data Processor asks Data Controller to provide certain personally identifiable information of Data Controller that can be used to contact or identify the Data Controller and to administer the Data Controller‘s account (“Personally Identifiable Information”). Personal Information such as the Data Controller’s name and email address are used to create the account for the Site and Services, as well as for email newsletters and invoicing.
Data Controller’s credit card information is used by third parties such as PayPal or Stripe to process the payment(s) of Data Controller for the Services. Data Controller's consent will be required if the Personal Information of the Data Controller is being collected, used and stored by Data Processor in accordance with the Terms and Conditions of Use and the Privacy Policy of the Data Processor.
2.3. Purpose of the Processing
The purpose of processing is to identify whether an email address exists and whether it is possible to deliver an email to this address. This verification happens in an online, fully automated system. The subject matter of the contract is email verification. In no event will Data Processor process any Personal or Navigational Data for its own purpose or those of any third party.
2.4. Duration of the Processing
Personal Data will be processed for the duration of the Agreement, subject to Section 4 of this DPA. Information uploaded to the Site or otherwise submitted to Data Processor in conjunction with the Services, including but not limited to CSV or XLSX files, may be stored for a period of thirty (30) days. If the Data Controller initiates payment for the Services, Data Processor may collect and store Personal Information, as well as any other information provided to us. This Personal Information may be shared with third parties in order to process the payment of the Data Controller. Data Processor encrypts credit card numbers using industry standard technology.
3. Obligations of Processor
3.1. Security
Data Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3.2. Confidentiality
Data Processor shall ensure that any personnel whom the Data Processor authorizes to process Personal Data on Data Processor’s behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking of confidentiality shall continue after the termination of the above-entitled activities. Data Processor ensures that its personnel who access Personal Data are subject to confidentiality obligations that restrict their ability to disclose Data Controller Personal Data.
3.3. Personal Data Breaches
Data Processor is obliged to notify the Data Controller about a Personal Data Breach not later than 72 hours after having become aware of it unless Data Processor can prove that the breach is not likely to result in a risk to the rights and freedoms of natural persons.
3.4. Data Subject Requests
Data Processor shall respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion, or portability of Personal Data), to the extent permitted by the law.
3.5. Sub-processors
Data Processor may hire other companies to provide limited services on its behalf. Any such sub-processors will be permitted to process Personal Data only to deliver the services Data Processor has retained them to provide, and they shall be prohibited from using Personal Data for any other purpose. Data Processor remains responsible for its sub-processors compliance with the obligations of this DPA. Any subcontractors to whom Data Processor transfers Personal Data will have entered into written agreements with Data Processor requiring that they abide by terms substantially similar to this DPA. If Data Controller requires prior notification of any updates to the list of sub-processors, Data Controller may request such notification in writing by emailing at [email protected] Data Processor will update the list within seventy-two (72) hours of any such notification if Data Controller does not legitimately object within that time frame. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If in Data Processor’s reasonable opinion, such objections are not legitimate, the Data Controller may, by providing written notice to Data Processor, terminate the Agreement.
3.6. Data Transfers
Data Controller acknowledges and agrees that, in connection with the performance of the services under the Agreement, Personal Data may be transferred outside of the European Union (EU) and the European Economic Area (EEA). While transferring the data, the Data Processor takes the necessary measures to safeguard the activity in general, and the data subjects in particular to ensure an appropriate level of protection for their fundamental rights. This Privacy Policy shall apply even if Personal Information is transferred or accessed from other countries.
3.7. Deletion or Retrieval of Personal Data
Upon termination or expiration of the Agreement or upon the request, the Data Processor will delete or return to Data Controller all individual- and account-related Personal Data that is in its possession or control (including any Data subcontracted to a third party for processing). This requirement will not apply to the extent that Data Processor is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Data Processor will isolate and protect the Data from any further processing except to the extent required by such law.
Data Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3.2. Confidentiality
Data Processor shall ensure that any personnel whom the Data Processor authorizes to process Personal Data on Data Processor’s behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking of confidentiality shall continue after the termination of the above-entitled activities. Data Processor ensures that its personnel who access Personal Data are subject to confidentiality obligations that restrict their ability to disclose Data Controller Personal Data.
3.3. Personal Data Breaches
Data Processor is obliged to notify the Data Controller about a Personal Data Breach not later than 72 hours after having become aware of it unless Data Processor can prove that the breach is not likely to result in a risk to the rights and freedoms of natural persons.
3.4. Data Subject Requests
Data Processor shall respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion, or portability of Personal Data), to the extent permitted by the law.
3.5. Sub-processors
Data Processor may hire other companies to provide limited services on its behalf. Any such sub-processors will be permitted to process Personal Data only to deliver the services Data Processor has retained them to provide, and they shall be prohibited from using Personal Data for any other purpose. Data Processor remains responsible for its sub-processors compliance with the obligations of this DPA. Any subcontractors to whom Data Processor transfers Personal Data will have entered into written agreements with Data Processor requiring that they abide by terms substantially similar to this DPA. If Data Controller requires prior notification of any updates to the list of sub-processors, Data Controller may request such notification in writing by emailing at [email protected] Data Processor will update the list within seventy-two (72) hours of any such notification if Data Controller does not legitimately object within that time frame. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If in Data Processor’s reasonable opinion, such objections are not legitimate, the Data Controller may, by providing written notice to Data Processor, terminate the Agreement.
3.6. Data Transfers
Data Controller acknowledges and agrees that, in connection with the performance of the services under the Agreement, Personal Data may be transferred outside of the European Union (EU) and the European Economic Area (EEA). While transferring the data, the Data Processor takes the necessary measures to safeguard the activity in general, and the data subjects in particular to ensure an appropriate level of protection for their fundamental rights. This Privacy Policy shall apply even if Personal Information is transferred or accessed from other countries.
3.7. Deletion or Retrieval of Personal Data
Upon termination or expiration of the Agreement or upon the request, the Data Processor will delete or return to Data Controller all individual- and account-related Personal Data that is in its possession or control (including any Data subcontracted to a third party for processing). This requirement will not apply to the extent that Data Processor is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Data Processor will isolate and protect the Data from any further processing except to the extent required by such law.
4. Assistance to Data Controller
4.1 The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, in so far as this is possible, for the fulfillment of the Data Controller’s obligation to respond to a request for exercising the data subject’s rights under the GDPR.
4.2 The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to security and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to the Data Processor.
4.3 The Data Processor shall make available all necessary information to Data Controller to demonstrate compliance with the Data Processor’s obligations and to allow for and contribute to audits, including inspections conducted by the Data Controller or another auditor mandated by the Data Controller.
4.2 The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to security and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to the Data Processor.
4.3 The Data Processor shall make available all necessary information to Data Controller to demonstrate compliance with the Data Processor’s obligations and to allow for and contribute to audits, including inspections conducted by the Data Controller or another auditor mandated by the Data Controller.
5. Liability and Indemnity
The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages, and expenses incurred by the Data Controller and arising directly or indirectly out of or in connection with a breach of this Data Processing Agreement and/or the Applicable Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages, and expenses incurred by the Data Processor and arising directly or indirectly out of or in connection with a breach of this Data Processing Agreement and/or the Applicable Data Law by the Data Controller.
6. Duration and Termination
6.1 This Data Processing Agreement shall come into effect on the date the Data Controller electronically signs this Data Processing Agreement.
6.2 Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3.
6.3 The Data Processor shall process Personal Data until the date of termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on the instruction of the Data Controller.
6.2 Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3.
6.3 The Data Processor shall process Personal Data until the date of termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on the instruction of the Data Controller.
7. Data Center and Location
Clearout Service is available across the globe with multiple data centres. The service is also available in the European region for European users to comply with GDPR so that no data processed outside of the European region.
8. Miscellaneous
For the avoidance of doubt and to the extent allowed by applicable law, any and all liability, including limitations thereof, will be governed by the relevant provisions of the Agreement. The Data Controller acknowledges and agrees that Data Processor may amend this Agreement from time to time by posting the relevant amended and restated conditions on Data Processor’s website, available at the webpage and such amendments to the Agreement is effective as of the date of posting.
When we change this Agreement, we will update the 'effective' date, which will be indicated through email, to the day when the latest amendments were published on the Data Processor’s site. That is why we encourage Data Controller to review this DPA periodically.
If Data Controller does not agree with a modification to this Agreement, Data Controller must notify the Data Processor in writing within thirty (30) days after the ‘effective’ date of the current DPA published on the Data Processor’s website.
If Data Controller does not agree to any changes to the Agreement, do not continue to use the Clearout application.
When we change this Agreement, we will update the 'effective' date, which will be indicated through email, to the day when the latest amendments were published on the Data Processor’s site. That is why we encourage Data Controller to review this DPA periodically.
If Data Controller does not agree with a modification to this Agreement, Data Controller must notify the Data Processor in writing within thirty (30) days after the ‘effective’ date of the current DPA published on the Data Processor’s website.
If Data Controller does not agree to any changes to the Agreement, do not continue to use the Clearout application.
For a signed copy, please write to us at [email protected]