DPA EXHIBIT 1
Version 2022-11 – Published 2022-Nov-11
1. NATURE AND PURPOSE OF PROCESSING
1.1 All Software Services: Customer determines the types of data they submit to Optimizely to process on their behalf in the course of using Optimizely’s services. Optimizely has no direct relationship with the individuals whose information it receives from its customers or their business partners. Optimizely does not control such information, does not select or determine the specific types of data that it processes, and does not determine the purpose for which it is processed.
In other instances, Optimizely may collect Personal Data when performing expert services at its customers’ request, to provide customer support, in general support of its customer relationships, which may include but are not limited to marketing activities, fulfilling product orders, to improve product offerings, customer surveys, questionnaires, responses to comments, etc., to download software and/or gain access to and/or enable certain products or services, for internal business processes, such as financial processing, responding to informational requests, and to comply with applicable laws.
1.2 Experimentation/Full Stack: In addition to the above, Optimizely will provide the feature flagging, personalization, analytics and/or other Software Services ordered by Customer according to the Instructions. Optimizely will also provide customer end users with reporting, communications and other features offered by Optimizely.
1.3 Marketing Orchestration/Welcome: In addition to the above, Optimizely will provide analytics and/or other Software Services ordered by Customer according to the Instructions. Optimizely will also provide customer end users with reporting and other features offered by Optimizely.
2. FREQUENCY OF PROCESSING
2.1 All Software Services: Data will be transferred on a continuous basis.
3. CATEGORIES OF DATA SUBJECTS
3.1 All Software Services
The personal data transferred concern the Customer's end users including employees, contractors and the personnel of customers, suppliers, collaborators, and subcontractors.
3.2 Content/Commerce Clouds, Personalization: Data Subjects also includes individuals attempting to communicate with or transfer personal information to Customer’s end users.
3.3 Experimentation/Full Stack: The personal data transferred concern the Customer's end users and visitors to the Customer's website and apps.
3.4 Marketing Orchestration/Welcome: The personal data transferred concern the Customer's end users and visitors to the Customer's website and apps where analytics is installed.
3.5 Optimizely Data Platform/Optimizely Journey Orchestration: Data Subjects also includes individuals attempting to communicate with or transfer personal information to Customer’s end users.
4. CATEGORIES OF PERSONAL DATA TRANSFERRED
4.1 All Software Services: The transfer of special categories of data or Sensitive Information is not permitted. The personal data and data transferred involves the following:
4.1.1 Customer end users: Names, email addresses, passwords, contact details, and similar Personal Data provided by Customer End Users when creating an Optimizely account.
4.2 Content/Commerce Clouds, Personalization: The personal data transferred concern personal data, entity data, navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Software Service(s) and/or Managed Service(s).
4.3 Experimentation/Full Stack: The personal data transferred concern:
4.3.1 Website and app visitors: IP addresses, random unique identifiers such as cookie IDs or similar identifiers, and experiment and event data associated with these identifiers (such as device type, variation and experiment IDs, browser and OS version and the elements of the site being tested) based on Customer’s use and configuration of the Optimizely Service. Customer may take advantage of features of the Optimizely Service such as IP address anonymization to minimize collection of such data and must comply with any prohibitions in the Governing Agreement relating to restrictions on collection and use of Personal Data.
4.4 Marketing Orchestration/Welcome: The personal data transferred concern:
4.4.1 Website and app visitors: IP addresses, random unique identifiers such as cookie IDs or similar identifiers, and event data associated with these identifiers (such as device type, browser and OS version) based on Customer’s use and configuration of the Optimizely Service. Visitor IP address anonymization is done automatically to minimize collection of such data and must comply with any prohibitions in the Governing Agreement relating to restrictions on collection and use of Personal Data.
4.5 Optimizely Data Platform/Optimizely Journey Orchestration: The personal data and non-personal data transferred involves the following:
4.5.1 Website and app visitors: IP addresses, random unique identifiers such as cookie IDs or similar identifiers, event data associated with these identifiers (such as device type, browser and OS version and the elements of the site being tested) based on Customer’s use and configuration of the Optimizely Service. Customer may take advantage of features to minimize collection of such data and must comply with any prohibitions in the Governing Agreement relating to restrictions on collection and use of Personal Data.
5. PURPOSES OF THE DATA TRANSFER AND FURTHER PROCESSING
5.1 All Software Services: Personal data may be processed for the following purposes: (a) to provide the Software Service (which may include the detection, prevention and resolution of security and technical issues);(b) to respond to customer support requests; and (c) otherwise to fulfill the obligations under the Optimizely Software Service Use Terms and Service Level Agreement or the Optimizely Managed Services General Terms and Conditions and Service Level Agreement (for Managed Services Customers). The Customer instructs Optimizely to process personal data in countries in which Optimizely or its subprocessors maintain facilities as necessary for it to provide the Software Service(s).
6. TERM OF DATA PROCESSING
6.1 All Software Services: Data processing will be for the term specified in the Optimizely Software Service Use Terms or the Optimizely Managed Services General Terms and Conditions (for Managed Services Customers). For the term of the Software Service Use Terms or the Optimizely Managed Services General Terms and Conditions (for Managed Services Customers), and for a reasonable period of time after the expiry or termination of the Agreement, the Data Importer will provide Customer with access to, and the ability to export, Customer’s personal data processed pursuant to the Agreement.
7. DATA DELETION
7.1 All Software Services: For the term of the Agreement, Optimizely will provide Customer with the ability to delete data as detailed in the Agreement.
8. ACCESS TO DATA
8.1 All Software Services: For the term of the Agreement, Optimizely will provide Customer with the ability to correct, block, export and delete Customer’s personal data from the Software Service(s) and/or Managed Service(s) in accordance with the Agreement. As described in Data Subject Rights section of the DPA, Customer is to provide Optimizely a data map of categories of personal data and data subjects. Such data map, and their subsequent updates are to be appended as part of Exhibit 1.
9. DATA MAP
9.1 As described in Data Subject Rights section of the DPA, Customer is to provide Optimizely a data map of categories of personal data and data subjects. Such data map, and their subsequent updates are to be appended as part of Exhibit 1.
10. SUB-PROCESSORS
10. 1 Optimizely may engage Sub-processors to provide parts of the Software Service. Optimizely will ensure Sub-processors only access and use the Customer’s personal data to provide Optimizely’s products and services and not for any other purpose. See Annex III to the Appendix to the Standard Contractual Clauses in Exhibit 2 and https://www.optimizely.com/legal/sub-processors.