Last updated: July 17, 2022
This Data Processing Agreement (“Agreement”) is incorporated into and forms an integral part of the Terms of Service (“Terms”) as concluded by and between User (as defined in the Terms) and Clerk, Inc. and is effective upon its incorporation into the Terms, which may be specified in the Terms or a service order. This Agreement on the processing of personal data (as defined below) on behalf of a controller in accordance with Article 28 (3) of the EU General Data Protection Regulation (GDPR) will apply to any and all processing of personal data by Clerk in its capacity as processor of personal data on behalf of User.
To the extent that a User is a “business” subject to California Civil Code § 1798.100 et seq. of the California Consumer Privacy Act of 2018 (“CCPA”), § 8 of this Addendum also details additional obligations under the CCPA (as defined below).
(1) in this Addendum:
“CCPA” means the California Consumer Privacy Act of 2018;
“Data” means the personal data processed by Clerk on behalf of the User in connection with the Services as more specifically set out in Exhibit 1;
“Data Protection Acts” means the Data Protection Acts 1988-2018 of Ireland;
“Data Protection Law” means all legislation and regulations relating to the protection of personal data including (without limitation) the Data Protection Acts, the GDPR and all other statutory instruments, statutory industry guidelines or codes of practice or guidance issued by the Data Protection Commission relating to the processing of personal data or privacy;
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679);
“List of Subprocessors” means the list of subprocessors with whom Clerk engages in the context of the provision of the Services, for access to a full list of subcontractors, please reach out to the contact information at the bottom of this document. The List of Subprocessors may be amended, supplemented or substituted by Clerk in its absolute discretion from time to time;
“Permitted Third Party Service Provider” means a third party service provider listed in the List of Subprocessors or otherwise approved by the User from time to time;
“Personnel” means those servants, officers, employees, agents, or contractors of Clerk to whom disclosure of Data is necessary for the provision of the Services and who are appropriately trained in and committed to data security and confidentiality;
“Service” or “Services” means the services to be provided by Clerk to the User as defined in the Terms; and “Terms” means the Clerk Terms at https://clerk.com/terms/ as may be amended from time to time.
(2) Construction: In this Addendum, unless the contrary intention is stated, a reference to:
(1) The User and Clerk agree and acknowledge that for the purpose of Data Protection Law and in relation to the Data:
(1) The User’s written instructions in relation to the processing of the Data will, initially, be as required for the provision of the Services and set out in the Terms. The user may, subsequently, request the modification, amendment, or substitution of such written instructions by issuing a written request to the Clerk Data Protection Officer. For the avoidance of doubt, such written requests will relate strictly to the processing (within the meaning of Data Protection Law) of the Data only and will not include customer or Service support requests or similar.
(1) Clerk undertakes and agrees with the User that:
(2) Clerk will maintain the confidentiality of the Data and will not disclose the Data to third parties unless the User, this Addendum, or the Terms specifically authorise the disclosure, or as required by Data Protection Law, other applicable law, court, or regulator (including but not limited to the Data Protection Commission of Ireland, Federal Commissioner for Data Protection and Freedom of Information and Berliner Beauftragter für Datenschutz und Informationsfreiheit). If applicable law, court, or regulator (including but not limited to the Data Protection Commission of Ireland, Federal Commissioner for Data Protection and Freedom of Information and Berliner Beauftragter für Datenschutz und Informationsfreiheit) requires Clerk to process or disclose the Data to a third-party, Clerk will, where appropriate, endeavour to inform the User of such legal or regulatory requirement and give the User an opportunity to object or challenge the requirement, unless the applicable law prohibits the giving of such notice.
(3) Clerk will reasonably assist the User, at the User’s expense, with meeting the User’s compliance obligations under the Data Protection Law, taking into account the nature of Clerk's processing and the information available to Clerk, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with the Data Protection Commission of Ireland under Data Protection Law.
(4) Clerk will implement appropriate security measures to prevent accidental or unauthorised loss, destruction, damage, alteration, disclosure, or unlawful or unauthorised access to any Data in the custody of Clerk, and Clerk will ensure that its Personnel are aware of and comply with those measures.
(5) Clerk will promptly after becoming aware of it notify the User of any unauthorised access to, or unauthorised use, alteration, disclosure, accidental loss or destruction of, any Data in the custody of Clerk (each a “data breach”). In the event of any data breach, Clerk will:
(6) Clerk will promptly notify the User of any request from a data subject to exercise any of his or her rights under Data Protection Law or any complaint from any data subject. Clerk will not accede to any such request or deal with any complaint except on the written instructions of the User. Clerk will, upon the User’s request and at the User’s expense, and taking into account the nature of the processing, assist the User by appropriate technical and organisational measures, for the fulfilment of the User’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.
(7) Clerk will make available to User, upon request and on at least 14 calendar days’ written notice such information as may be reasonably necessary to demonstrate compliance with its obligations hereunder and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The above notice period will apply in all instances, except where the User reasonably believes that a personal data breach occurred or is occurring, in which case a 72 hours’ notice period will apply.
(8) Upon termination of the Services, Clerk will, upon the request of the User, immediately destroy all Data (except for one copy that it may retain and use for backup, disaster recovery, and business continuity purposes) and will certify such destruction in writing to the User on request from time to time.
(1) Clerk will be permitted to subcontract processing of Data to Permitted Third Party Service Providers provided that Clerk will remain responsible for all acts and omissions of a Permitted Third Party Service Provider and the acts and omissions of those employed or engaged by it as if they were its own. An obligation on Clerk to do, or to refrain from doing, any act or thing will include an obligation on Clerk to procure that its Personnel and the personnel of each Permitted Third Party Service Provider also do, or refrain from doing, such act or thing.
(2) Clerk may authorise additional or substitute third parties (subcontractors) to process the Data as Permitted Third Party Service Providers and amend the List of Subprocessors if the User is provided with an opportunity to object to the appointment of each new Permitted Third Party Service Provider within 14 calendar days after Clerk supplies the User with details regarding such new Permitted Third Party Service Provider. For the avoidance of doubt, User’s only remedy in case of objection to the appointment of a new Permitted Third Party Service Provider is to cancel its subscription with effect from the day before the day on which the additional or substitute Permitted Third Party Service Provider is appointed by notice in writing to Clerk as set out in the Terms.
(3) Where access to the Data by a Permitted Third Party Service Provider constitutes an international data transfer, User authorises Clerk to put in place such transfer mechanisms as may be required for the lawful execution of the transfer of Data in the User’s name and on its behalf, including entering into standard contractual clauses. Clerk will make the executed transfer instrument available to the User on request.
(1) The User represents and warrants to Clerk, on a continuing basis for the duration of the Services that:
(1) The limitation of liability provisions contained in the Terms will apply to any liability on the part of Clerk arising out of or in relation to the processing of Data as set out in this Addendum.
(1) Where User is a “business” subject to California Civil Code, § 1798.100 et seq. of the CCPA, the provisions in this § 8 of this Addendum will apply in addition to the provisions in §§ 1 – 7 of this Addendum and the Terms with respect to the processing of Personal Data of any Data Subjects who are “consumers” or “households” under the CCPA.
(2) Any references to “Personal Data” in this Addendum or the Terms will also mean any information describing, capable of being associated with, or reasonably linkable, directly or indirectly, to Data Subjects, including “personal information” as that term is defined in the CCPA; in the context of this Addendum, Personal Data also includes information relating to or describing an identified or identifiable household, when required by Applicable Data Protection Law.
(3) Any references to “Data Processor” in this Addendum will also mean Clerk in its role as “service provider” as that term is defined in the CCPA, with respect to the processing of Personal Data of Data Subjects.
(4) Any references to “Applicable Data Protection Law” in this Addendum will also include California Civil Code § 1798.100 et seq. of the CCPA.
(5) As a service provider, Clerk will not retain, use, or disclose Personal Data for any purpose other than as set out in the Terms or as otherwise permitted by the CCPA.
(6) User will not instruct Clerk to process or disclose Personal Data for any purpose other than as set out in the Terms, this Addendum (as applicable, and where executed by both parties), or as otherwise agreed in writing between Clerk and User, or as otherwise permitted by the CCPA and other Applicable Data Protection Law.
(7) Clerk will not sell Personal Data provided by User through the use of the Services.
(8) Clerk will not release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data provided in Data provided by User through the use of Clerk's services to any third party. However, Clerk may disclose the Personal Data to its own Subcontractors (which are service providers as defined in the CCPA) where Clerk has (i) carried out due diligence on each service provider and; (ii) included terms in the contract between Clerk and each service provider that are substantially consistent with those set out in this Addendum.
(1) If the whole or any part of a provision of this Addendum is or becomes illegal, invalid or unenforceable under the law of any jurisdiction, that will not affect the legality, validity, or enforceability under the law of that jurisdiction of the remainder of the provision in question or any other provision of this Addendum and the legality, validity, or enforceability under the law of any other jurisdiction of that or any other provision of this Addendum.
(2) This Addendum and all of its provisions will be binding upon and inure to the benefit of the parties and their respective heirs, executors, administrators, successors, and permitted assigns.
(3) The expiry or termination of this Addendum however caused will not affect any provision of this Addendum which is expressly or by implication to come into effect on or to continue in effect after such termination, each of which will survive any such termination.
(4) Clerk will not be liable in contract, tort or otherwise howsoever for any of the following losses or damage (whether or not such loss or damage was foreseen, foreseeable, known or otherwise): (i) loss of revenue, (ii) loss of actual or anticipated profits, (iii) loss of contracts, (iv) loss of the use of money, (v) loss of anticipated savings, (vi) loss of business, (vii) loss of opportunity, (viii) loss of goodwill, (ix) loss of reputation, (x) loss of, damage to, or corruption of data, or (xi) any indirect or consequential loss howsoever caused (including, for the avoidance of doubt, whether such loss or damage is of a type specified in sub-clauses (i) to (x) above) whether arising out of, or in connection with this Addendum provided that nothing in this Addendum will exclude or limit Clerk's liability under the tort of deceit or for death or personal injury, or any other liability to the extent that, under applicable law, it cannot be excluded or limited.
(5) The express terms of this Addendum and the Terms constitute the sole and entire agreement between the parties in relation to the processing of Data by Clerk as a processor on behalf of the User and supersedes all prior written and oral arrangements, understandings, representations, warranties and agreements between them in that regard (if any). In case of conflict between the terms of this Addendum and the Terms in relation to Clerk's processing of Data, the terms of this Addendum will prevail.
(6) Clerk reserves the right to make any updates or changes to this Addendum at any time in its sole discretion, provided that such updates or changes do not violate applicable Data Protection Law or adversely impact the security of Data or other fundamental rights of the User.
(7) By agreeing to the Terms, the parties are deemed to have duly executed this Addendum as of the Effective Date of the Terms.
This Exhibit 1 includes certain details of the Data as required by Article 28(3) GDPR.
(1) This does not include sensitive payment information such as credit card numbers, expiry dates, CVC codes or bank account details.
(2) Clerk provides the capability for its Users to associate any data they wish with a data subject, utilizing our API. Clerk does not and cannot ascertain what the content or purpose of this data actually is. The User is forbidden from providing special categories of data.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
If you have any questions or comments about this Data Processing Agreement, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at: firstname.lastname@example.org.
If you are located in the European Union, you may use the following information to contact our European Union-Based Member Representative:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road