COMO DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms an integral part of and is subject to the Como Business License Agreement referencing this DPA (“Agreement”). You acknowledge that you, on behalf of your organization or business, (“Business” or “you”) have read, understood, and agree to comply with this DPA, and are entering into a binding legal agreement with the Como entity that is party to the Agreement (“Como” or “we”) concerning the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below). Capitalized terms not otherwise defined herein shall have the definitions given to them in the Agreement.

WHEREAS, in the course of providing the Como Solution, Mobile App(s) and the services available thereon, as set forth in the Agreement (collectively, the “Services”) to Business, Como may process Personal Data on your behalf; and

WHEREAS, the parties wish to set forth the arrangements concerning the processing of Personal Data of Business’s end users by Como;

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties, intending to be legally bound, agree as follows:

1. DEFINITIONS

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2. “Authorized Affiliate” means any of Business’s Affiliates that is subject to the Data Protection Laws and is permitted to use the Services pursuant to the Agreement but has not signed its own agreement with Como. Any reference in this DPA to Business shall include any Authorized Affiliate, to the extent applicable.

1.3. “Como Group” means Como and its Affiliates that are engaged in the Processing of Personal Data of Business’s end users.

1.4. “Data Protection Laws” means laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”) and their member states, Switzerland and the United Kingdom, and the California Consumer Privacy Act of 2018, Cal. Civil Code Title 1.81.5 and the regulations thereunder (collectively, “CCPA”).

1.5. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.6. “Sub-processor” means any Processor engaged by Como and/or Como’s Affiliates.

1.7. “Controller,” “Processor,” “Data Subject”, “Personal Data”, and “Processing” shall have the definitions given to them in the GDPR.

1.8. “Consumer,” “Personal Information,” “Processing,” “Sell,” “Share”, and “Service Provider” shall have the definitions given to them in the CCPA, as applicable.

2. PROCESSING OF PERSONAL DATA.

2.1. Roles of the Parties.

2.1.1. For Processing subject to the GDPR: The parties acknowledge and agree that with regard to the Processing of Personal Data of Business’s end users, Business is the Controller and Como is the Processor and shall process Business’s Personal Data on behalf of Business. In such case, the GDPR shall constitute the applicable Data Protection Law.

2.1.2. For Processing subject to the CCPA: The parties acknowledge and agree that with regard to the Processing of Personal Information of Business’s end users, the Business is the “Business” (as defined under CCPA) and Como is the Service Provider and shall process Business’s Personal Information on behalf of Business. In such case, the CCPA shall constitute the applicable Data Protection Law.

2.2. Processing of Business’s Personal Data.

2.2.1. Subject to the Agreement, Como shall Process Business’s Personal Data in accordance with Business’s documented instructions, for the purposes set forth in Schedule 1 (Details of the Processing) attached hereto, and for any other documented reasonable instructions provided by Business (including via email) where such instructions are consistent with the terms of the Agreement. Business’s decisions and choices regarding features, services, products or components in the Como Solution and/or Mobile Apps shall be deemed instructions to Como. To the extent Como is otherwise required to Process Business’s Personal Data by any Data Protection Laws, Como shall inform Business of the legal requirement before processing, unless such law prohibits such information on important grounds of public interest.

2.2.2. Como shall inform Business if, in its opinion, an instruction received under this DPA infringes applicable Data Protection Laws.

2.2.3. To the maximum extent permitted by law, Como will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Como, to the extent that such is a result of Business’s instructions.

2.2.4. To the extent that Como cannot comply with an instruction from Business relating to Processing of Personal Data of Business’s end users, (i) Como shall inform Business, providing relevant details of the problem, (ii) Como may, without any liability towards Business, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the parties do not agree on a resolution to the issue in question, either party may, as its sole remedy, terminate the Agreement and/or this DPA. Business will have no further claims against Como due to the termination of the Agreement and/or the DPA in such case, including, without limitation, requesting refunds for Services and excluding the obligations relating to the termination of the DPA set forth below.

2.2.5. For Processing subject to the CCPA: Como undertakes that it shall not Sell or Share Personal Information when processing Personal Data as a Service Provider and shall not retain, use, or disclose Personal Information for any commercial purpose other than providing the Services to Business under the Agreement or as otherwise permitted under the Agreement.

2.3. Details of the Processing. The subject matter of Processing of Personal Data by Como, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects are further specified in Schedule 1 (Details of the Processing) attached hereto.

3. COMO PERSONNEL. Como shall ensure that its personnel engaged in the Processing of Personal Data of Business’s end users have committed themselves to confidentiality obligations regarding and non-disclosure of Business’s Personal Data. Como shall take reasonable steps to ensure that access to the Personal Data of Business’s end users is limited on a need to know and/or access basis.

4. SUB-PROCESSORS.

4.1. Appointment of Sub-processors. Business acknowledges and agrees that (a) Como’s Affiliates may be used as Sub-processors; and (b) Como and/or Como’s Affiliates may engage third-party Sub-processors in connection with the provision of the Services.

4.2. Current Sub-processors and Notification of New Sub-processors. The Business confirms that it has read and assessed the list of Sub-processors currently used by Como and available at https://legal.como.com/como-sub-processor-list/ (“Sub-processor List”) and authorized the use of the listed Sub-processors. Business may contact Como’s support team (ComoSupport@como.com) and ask to be added to a notification list concerning new Sub-processors, and if Business does so, Como shall provide notification to the Business of any new Sub-processor(s).

4.3. Objection to New Sub-processors. Business may reasonably object to Como’s use of a new Sub-processor by notifying Como’s support team (ComoSupport@como.com) promptly in writing within seven (7) business days after receipt of Como’s notice in accordance with the mechanism set out in this Section 4.3. Such written objection shall include the reasons for the objection. Failure to object to any new Sub-processor in writing within seven (7) business days following notice shall be deemed as approval of the new Sub-processor.

4.4. In the event Business reasonably objects to an existing Sub-processor or a new Sub-processor per Section 4.2 and 4.3, Business may, as a sole and exclusive remedy, terminate the Agreement and this DPA by providing written notice to Como. All amounts due under the Agreement before the termination date shall be duly paid and Business will have no further claims against Como due to termination of the Agreement.

5. SECURITY; SECURITY INCIDENT NOTIFICATION.

5.1. Como shall maintain industry-standard technical and organizational measures required, pursuant to Article 32 of the GDPR, to protect the security of Business’s Personal Data. Details of the technical and organizational measures employed by Como are available upon request. Como regularly monitors compliance with these measures.

5.2. Como maintains security incident management policies and procedures applicable to the Services used by Business, which shall reasonably be made available by Como to Business upon written request. To the extent required under applicable Data Protection Laws, Como shall notify Business without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Business’s Personal Data (a “Security Incident”). Como shall make reasonable efforts to identify the cause of such Security Incident and take those steps as Como deems necessary and reasonable in order to remediate the cause of such a Security Incident to the extent the remediation is within Como’s reasonable control, and provide reasonable information to Business as needed. In any event, Business will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).

6. AUDITS. Upon Business’s written request, but in any event, not more than once per year (or more frequently if required following a Security Incident), Business may conduct an audit of Como’s compliance with this DPA and Como shall make available to Business or an independent, third-party auditor on behalf of Business and agreeable to Como, such information reasonably necessary for such purpose. Information provided for such purpose may only be used to assess compliance with this DPA. Any audit or inspection shall be at Business’s sole expense and subject to Como’s reasonable security policies and obligations to third parties, including with respect to confidentiality. The results of any audit or inspection shall be considered Como’s confidential information and subject to the confidentiality provisions under the Agreement. Business and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to Como’s premises, equipment, employees and business and shall not interfere with Como’s day-to-day business. Como and Business shall mutually agree upon the scope, timing and duration of the audit or inspection and the reimbursement rate payable by Business. Alternatively, at Como’s sole discretion, Como may provide a third-party audit report attesting to Como’s compliance with this DPA.

7. DATA SUBJECTS RIGHTS. Business shall be solely responsible for compliance with its obligations concerning requests to exercise Data Subject rights under Data Protection Laws. Como shall promptly notify Business if Como receives a request from a Data Subject to exercise any of the Data Subject’s rights (“Data Subject Request”). Como shall provide reasonable assistance to Business, by appropriate technical and organizational measures, for the fulfillment of Business’s obligation to respond to Data Subject Requests. If requested by Business in writing, Como shall use commercially reasonable efforts to assist Business to respond to such Data Subject Request. Business shall be responsible for any costs arising from Como’s provision of any assistance in accordance with this Section 7.

8. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, Como shall either delete, return, or anonymize Personal Data of Business’s end users to Business following the Term and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or permitted by applicable law, Como may retain (i) one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations; (ii) data stored in logs or back-up media that is not readily accessible; and (iii) data that has been fully anonymized.

9. AUTHORIZED AFFILIATES. The parties acknowledge and agree that Business enters into the DPA on its own behalf and on behalf of any Authorized Affiliates. Business represents that it is authorized to enter into this DPA on behalf of its Authorized Affiliates and it shall remain responsible for any breach hereof by Authorized Affiliates. Business shall remain responsible for coordinating all communication with Como under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

10. TRANSFERS OF DATA.

10.1. Transfers subject to Adequacy Decision. For Personal Data subject to the GDPR, Personal Data of Business’s end users may be transferred from any EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer adequate levels of data protection under or pursuant to the adequacy decisions published by the European Commission (“Adequacy Decisions”), without any further safeguard.

10.2. Transfers to Other Countries. For Personal Data subject to the GDPR, if the Processing of Personal Data of Business’s end users includes transfers to countries which are not in the EEA and are not subject to an Adequacy Decision, Como shall conduct such transfers subject to Article 46 of the GDPR, including, if necessary, executing the standard contractual clauses approved by the European Commission.

11. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement.

12. LIMITATION OF LIABILITY. Notwithstanding anything to the contrary in the Agreement, Como and its Affiliates’ maximum cumulative aggregate liability for breach of this DPA and/or Data Protection Laws, including any indemnification obligation regarding data protection or privacy, shall be limited to the amounts paid to Como under the Agreement within twelve (12) months preceding the claim. In no event will Como, its Affiliates, or any Sub-processors be liable in connection with this DPA for any indirect, exemplary, special, consequential, incidental or punitive damages, loss of profits, business, or anticipated savings, loss of, or damage to reputation, revenue or goodwill, and/or cost of procuring any substitute goods or services, whether or not they have been advised of the possibility of losses or damages and regardless of whether any available remedy fails of its essential purpose.

13. MISCELLANEOUS. This DPA may be amended at any time by mutual written agreement. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail to the extent of the conflict. This DPA shall be governed by the governing law set out in the Agreement and disputes shall be resolved in the courts designated in the Agreement.

SCHEDULE 1 – DETAILS OF THE PROCESSING

Subject Matter
The subject matter of the Processing of Business’s Personal Data is set out in the Agreement.

Duration
Personal Data of Business’s end users shall be processed throughout the Term in accordance with Business’s instructions.

Nature and Purpose of Processing

  • Providing the Como Solution and the features available thereon to Business as set out in the Agreement, including:
    • Providing support and technical maintenance
    • Generating insights, recommendations, targeting, and adaptation of the Como Solution
    • Sending communication to Business’s End Users or other customers
    • Integration with third-party services, plugins and extensions
  • Management of contracts between the parties, including:
    • Payment
    • Account administration
    • Tax management
    • Any litigation issues that may arise, and other processing required for compliance with applicable law.

Categories of Data Subjects

Como may Process Personal Data relating to Business’s customers or end users (who are natural persons), including End Users using the Como Solution through the Mobile App, at the Business’s physical Location, or otherwise.
In addition, Como may Process Personal Data relating to Business’s employees or other personnel when such personnel use the Como Solution on behalf of the Business.

Types of Personal Data
Business may provide Personal Data through the Como Solution and/or Mobile App and may authorize Como to collect Personal Data from other sources, such as in the case of fraud detection. The types of Personal Data provided or collected about End Users are determined by Business at its sole discretion and may include the following types of data and any other information determined by Business:
– Full name
– Phone number
– Email address
– Physical address
– Payment information
The types of Personal Data that Como collects from and about Business’s employees or other personnel include:
– Full name
– Username
– Email address
– Password
– IP address

Obligations and Rights of Controller
The obligations and rights of Controller and Authorized Affiliates are as set out in the Agreement and this DPA.

Last Update: 15 Nov, 2021