DPA EXHIBIT 1
1. NATURE AND PURPOSE OF PROCESSING
1.1 All Software Services: Customer determines the types of data they submit to Company to process on their behalf in the course of using Company’s services. The Company has no direct relationship with the individuals whose information it receives from its customers or their business partners. The Company does not control such information, does not select or determine the specific types of data that it processes, and does not determine the purpose for which it is processed.
In other instances, Company may collect Personal Data when performing expert services at its customers’ request, to provide customer support, in general support of its customer relationships, which may include but are not limited to marketing activities, fulfilling product orders, to improve product offerings, customer surveys, questionnaires, responses to comments, etc., to download software and/or gain access to and/or enable certain products or services, for internal business processes, such as financial processing, responding to informational requests, and to comply with applicable laws.
1.2 Experimentation/Full Stack: In addition to the above, Company will provide the feature flagging, personalization, analytics and/or other Software Services ordered by Customer according to the Instructions. Company will also provide customer end users with reporting, communications and other features offered by the Company.
1.3 Marketing Orchestration/Welcome: In addition to the above, Company will provide analytics and/or other Software Services ordered by Customer according to the Instructions. Company will also provide customer end users with reporting and other features offered by the Company.
2. FREQUENCY OF PROCESSING
2.1 All Software Services: Data will be transferred on a continuous basis.
3. CATEGORIES OF DATA SUBJECTS
3.1 All Software Services
The personal data transferred concern the Customer's end users including employees, contractors and the personnel of customers, suppliers, collaborators, and subcontractors.
3.2 Content/Commerce Clouds, Personalization: Data Subjects also includes individuals attempting to communicate with or transfer personal information to Customer’s end users.
3.3 Experimentation/Full Stack: The personal data transferred concern the Customer's end users and visitors to the Customer's website and apps.
3.4 Marketing Orchestration/Welcome: The personal data transferred concern the Customer's end users and visitors to the Customer's website and apps where analytics is installed.
3.5 Optimizely Data Platform/Optimizely Journey Orchestration: Data Subjects also includes individuals attempting to communicate with or transfer personal information to Customer’s end users.
4. CATEGORIES OF PERSONAL DATA TRANSFERRED
4.1 All Software Services: The transfer of special categories of data or Sensitive Information is not permitted. The personal data and data transferred involves the following:
4.1.1 Customer end users: Names, email addresses, passwords, contact details, and similar Personal Data provided by Customer End Users when creating an Optimizely account.
4.2 Content/Commerce Clouds, Personalization: The personal data transferred concern personal data, entity data, navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Software Service(s) and/or Managed Service(s).
4.3 Experimentation/Full Stack: The personal data transferred concern:
4.3.1 Website and app visitors: IP addresses, random unique identifiers such as cookie IDs or similar identifiers, and experiment and event data associated with these identifiers (such as device type, variation and experiment IDs, browser and OS version and the elements of the site being tested) based on Customer’s use and configuration of the Optimizely Service. Customer may take advantage of features of the Optimizely Service such as IP address anonymization to minimize collection of such data and must comply with any prohibitions in the Governing Agreement relating to restrictions on collection and use of Personal Data.
4.4 Marketing Orchestration/Welcome: The personal data transferred concern:
4.4.1 Website and app visitors: IP addresses, random unique identifiers such as cookie IDs or similar identifiers, and event data associated with these identifiers (such as device type, browser and OS version) based on Customer’s use and configuration of the Optimizely Service. Visitor IP address anonymization is done automatically to minimize collection of such data and must comply with any prohibitions in the Governing Agreement relating to restrictions on collection and use of Personal Data.
4.5 Optimizely Data Platform/Optimizely Journey Orchestration: The personal data and non-personal data transferred involves the following:
4.5.1 Website and app visitors: IP addresses, random unique identifiers such as cookie IDs or similar identifiers, event data associated with these identifiers (such as device type, browser and OS version and the elements of the site being tested) based on Customer’s use and configuration of the Optimizely Service. Customer may take advantage of features to minimize collection of such data and must comply with any prohibitions in the Governing Agreement relating to restrictions on collection and use of Personal Data.
5. PURPOSES OF THE DATA TRANSFER AND FURTHER PROCESSING
5.1 All Software Services: Personal data may be processed for the following purposes: (a) to provide the Software Service (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfill the obligations under the Company End-User Services Agreement and Service Level Agreement or the Company Managed Services General Terms and Conditions and Service Level Agreement (for Managed Services Customers). The Customer instructs Company to process personal data in countries in which Company or its subprocessors maintain facilities as necessary for it to provide the Software Service(s).
6. TERM OF DATA PROCESSING
6.1 All Software Services: Data processing will be for the term specified in the Company End-User Services Agreement or the Company Managed Services General Terms and Conditions (for Managed Services Customers). For the term of the End-User Services Agreement or the Company Managed Services General Terms and Conditions (for Managed Services Customers), and for a reasonable period of time after the expiry or termination of the Agreement, the Data Importer will provide Customer with access to, and the ability to export, Customer’s personal data processed pursuant to the Agreement.
7. DATA DELETION
7.1 All Software Services: For the term of the Agreement, Company will provide Customer with the ability to delete data as detailed in the Agreement.
8. ACCESS TO DATA
8.1 All Software Services: For the term of the Agreement, Company will provide Customer with the ability to correct, block, export and delete Customer’s personal data from the Software Service(s) and/or Managed Service(s) in accordance with the Agreement. As described in Data Subject Rights section of the DPA, Customer is to provide Company a data map of categories of personal data and data subjects. Such data map, and their subsequent updates are to be appended as part of Exhibit 1.
9. DATA MAP
As described in Data Subject Rights section of the DPA, Customer is to provide Company a data map of categories of personal data and data subjects. Such data map, and their subsequent updates are to be appended as part of Exhibit 1.
10. SUB-PROCESSORS
Company may engage Sub-processors to provide parts of the Software Service. Company will ensure Sub-processors only access and use the Customer’s personal data to provide the Company’s products and services and not for any other purpose. See Annex III to the Appendix to the Standard Contractual Clauses in Exhibit 2 and https://www.optimizely.com/legal/sub-processors/.