Data Processing Addendum
Please read the Data Processing Addendum (“DPA") carefully as they form a contract between You (“Customer”) and Us (“Freshworks”). As referenced in sections 8.4 (a) and 9.4 of the Freshworks Terms of Service available at https://www.freshworks.com/terms (“Terms”), this DPA will apply where We and Our Group Companies are processors of personal data. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.
1. Data Protection
1.1 Definitions: In this DPA, the following terms shall have the following meanings:
a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
b) "Applicable Data Protection Law" shall mean: (i) prior to 25 May 2018,the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679) and (iii) any other applicable data protection laws and regulations.
1.2 Relationship of the parties: Customer (the controller) appoints Freshworks as a processor to process the personal data forming part of the Service Data (the "Data") for the purposes described in the Terms (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.3 Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Freshworks for processing.
1.4 International transfers: Freshworks shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
1.5 Confidentiality of processing: Freshworks shall ensure that any person it authorises to process the Data (an "Authorised Person") shall protect the Data in accordance with Freshworks's confidentiality obligations under the Terms.
1.6 Security: The processor shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
1.7 Subcontracting: Customer consents to Freshworks engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) Freshworks maintains an up-to-date list of its subprocessors at https://freshworks.com/privacy/sub-processor/, which it shall update with details of any change in subprocessors prior to any such change; (ii) Freshworks imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Freshworks remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. Customer may object to Freshworks's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Freshworks will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination).
1.8 Cooperation and data subjects' rights: Freshworks shall provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Freshworks, Freshworks shall promptly inform Customer providing full details of the same.
1.9 Data Protection Impact Assessment: If Freshworks believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
1.10 Security incidents: If it becomes aware of a confirmed Security Incident, Freshworks shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Freshworks shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
1.11 Deletion of Data: Customer may export all personal data prior to the termination of the Customer’s Account. In any event, following the termination of Customer’s Account by either party, subject to (ii) and (iii) below, data on Customer’s Account will be retained for a period of 14 days from such termination within which Customer may contact Provider to export Service Data; (ii) the e-mail feature, if available within the Service(s), automatically archives any e-mails forming part of Service Data for a period of 3 months; and (iii) logs are archived for a period of 1 year (each a “Data Retention Period”). Beyond each such Data Retention Period, Processor reserves the right to delete all Personal Data in the normal course of operation. This requirement shall not apply to the extent that Freshworks is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Freshworks shall securely protect from any further processing except to the extent required by such law.
1.12 Audit: Customer acknowledges that Freshworks is regularly audited against ISO 27001 and SSAE 18 SOC 2 standards by independent third party auditors. Upon request, Freshworks shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Terms.