Last Updated: May 18, 2018
THIS ADDENDUM is made between:
Goverlan, Inc. (“Goverlan”), a company registered in Delaware state with its principal place of business at 2655 S. Le Jeune Road, Suite 1001, Coral Gables, FL 33134.
The Goverlan customer from the European Economic Area subscribing for Goverlan services pursuant to Goverlan’s Terms of Service (“Customer”), together the “parties”.
WHEREAS:
(A) Goverlan and the Customer have entered or desire to enter into Terms of Service for the provision, by Goverlan to the Customer, of systems management and remote administration services of users and their devices (the “Terms”); and
(B) Goverlan and the Customer have agreed to enter into this Addendum to the Terms in relation to data processing.
It is now agreed as follows:
1. Definitions and Interpretation
1.1. The parties agree that this Addendum will be incorporated as an addendum to the Terms. To the extent of any conflict between this Addendum and the remaining sections of the Terms, this Addendum will prevail.
1.2. In this Addendum, the following words and expressions will have the following meanings:
“Addendum” - shall mean this addendum, including its appendix;
“Terms” - shall have the meaning given in recital (A) above;
“Customer Personal Information” - shall mean all Personal Information controlled by the Customer which is processed by Goverlan in connection with the Service;
“Data Protection Legislation” - shall mean all applicable laws relating to data protection and privacy including (without limitation) the EU Information Protection Directive (95/46/EC) as implemented in each jurisdiction, the EU General Data Protection Regulation (2016/679) (“GDPR”), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, and any amending or replacement legislation from time to time;
“Personal Information” - means any information relating to an identified or identifiable natural person; and
“Service” - shall mean any of the services provided by Goverlan to the Customer pursuant to the Terms.
1.3. In this Addendum, the terms "process", “data controller”, “data processor” and "data subject" shall have the meanings set out in the Data Protection Legislation.
2. Nature of the Information
2.1. The categories of Customer Personal Information to be processed by Goverlan and the processing activities to be performed under this Addendum are set out in Appendix A.
2.2. The parties record their intention that the Customer shall be the data controller and Goverlan shall be a data processor in relation to all Customer Personal Information.
3. Obligations of the Customer
3.1. The parties shall each comply with their respective obligations under the Data Protection Legislation in respect of Customer Personal Information.
3.2. The Customer shall ensure that its instructions and disclosures of Customer Personal Information to Goverlan are lawful and acknowledges that Goverlan is entitled to rely on the Customer’s instructions in respect of the processing of Customer Personal Information.
4. Obligations of Goverlan
4.1. Goverlan agrees to:
4.1.1. only process Customer Personal Information for and on behalf of the Customer, in accordance with the instructions set out under the Terms or as otherwise given by the Customer from time to time. Goverlan shall notify the Customer if it is required by applicable law to process Customer Personal Information other than in accordance with those instructions, and shall inform the Customer of the relevant legal requirement before undertaking such processing (unless the relevant legal requirement prohibits the provision of such information on important grounds of public interest);
4.1.2. ensure that those of its personnel who are involved in processing Customer Personal Information are bound by appropriate obligations of confidentiality;
4.1.3. implement and maintain appropriate technical and organizational security measures to safeguard Customer Personal Information from unauthorized or unlawful processing or accidental loss, damage or destruction;
4.1.4. taking into account the nature of the processing and the information available to Goverlan, provide reasonable assistance to the Customer in ensuring compliance with its obligations under the Data Protection Legislation in relation to security, data breach notification, data protection impact assessments and prior consultation with a supervisory authority and the fulfilment of data subject’s rights, where applicable from time to time; and
4.1.5. upon written request, make available to the Customer such records as the Customer may reasonably require from time to time to demonstrate compliance by Goverlan with its obligations under this Addendum. In addition, Goverlan agrees to permit an audit to be conducted of its facilities no more than once per year, by the Customer or the Customer’s representatives (bound by appropriate obligations of confidentiality), provided such an audit is carried out: (i) upon ten (10) business days’ prior, written notice to Goverlan and during Goverlan’s normal business hours; (ii) in a manner that causes minimal disruption to Goverlan’s business and excludes from its scope any internal pricing information, information relating to other customers of Goverlan or Goverlan’s other internal reports; and (iii) at the Customer’s own cost.
4.2. Goverlan shall notify the Customer without undue delay and in any event within 72 (seventy-two) hours of becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Customer Personal Information ("Security Breach"). Goverlan shall provide Customer with reasonable assistance in relation to the Security Breach, including the provision of such information as is known to Goverlan regarding the nature of the breach, the categories and approximate number of data subjects and records concerned.
4.3. Nothing in this Addendum shall prevent either party from complying with any legal obligation imposed by a regulator or court. Each party shall however, where possible, discuss with the other party the appropriate response to any request from a regulator or court for disclosure of information.
5. Sub-Contracting
5.1. The Customer consents to Goverlan engaging subcontractors listed in the Addendum in Appendix B, to process the Customer Personal Information on its behalf ("Sub-processors"). Goverlan shall ensure that Sub-processors are subject to contractual obligations which are the same as or equivalent to those imposed on Goverlan under this Addendum. Goverlan shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor within a reasonable time prior to implementation of such change. In the event of the Customer objecting to such change, Goverlan shall make reasonable efforts to address the Customer's concerns (including making reasonable efforts to find an alternative Sub-processor).
5.2. The Customer acknowledges and agrees that Customer Personal Information may be processed by Sub-processors outside the European Economic Area or the country where the Customer is located in order to carry out the Service and Goverlan's other obligations under the Terms. Goverlan shall implement a data transfer solution to ensure any such transfers are compliant with the Data Protection Legislation.
5.3. For the avoidance of doubt, where a Sub-processor fails to fulfil its obligations under any sub-contract, Goverlan shall remain fully liable to the Customer for the fulfilment of its obligations under this Addendum.
6. Term and Termination
6.1. This Addendum shall commence on May 25th, 2018 and shall continue in full force and effect until the later of:
6.1.1. the termination or expiration of the Terms; or
6.1.2. the termination of the last of the Services to be performed pursuant to the Terms.
6.2. Within six (6) months of the termination of this Addendum and upon written request of Customer, Goverlan shall delete the Customer Personal Information and delete any existing copies in its possession unless: (i) required to retain such Customer Personal Information under applicable law; or (ii) the Customer requests that Goverlan return the Customer Personal Information to it.
7. Governing Law
7.1. This Addendum and any dispute arising out of or in relation to it (whether contractual or non-contractual) shall be governed by, and construed in accordance with the law of the State of Delaware without giving effect to principles governing conflicts of law.
APPENDIX A: Description of Information Processing
The data processing activities carried out by Goverlan under this Addendum are as follows:
Data Collected in Relation to Customer’s Authentication and Sign-on to the Goverlan Reach Services and Client Portal
The Goverlan Client Portal
Customer must provide identifiable information to use the Goverlan services. This includes an account identifier (for instance an email address), a password, and company information.
The information provided is used to sign-in and authenticate to the Goverlan Client Portal (my.goverlan.com) and to the Goverlan Reach software.
The sign-on process to the Goverlan Reach software results in the transfer of a unique session identifier. This identifier is necessary to keep track of license consumption and to allow the Customer to manage their subscriptions.
The identifier may include the following personally identifiable information:
- Goverlan account ID
- Network ID of the computer on which the Goverlan Reach software is running
- Network ID of the user logged-in on the computer on which the Goverlan Reach software is running
To view the information stored on our server, log in to my.goverlan.com, select a product license and click on the View Details link under Current Usage Count.
How to Prevent PII from Being Transferred
You can prevent personally identifiable information from being transferred and stored on our servers using one of the following methods:
- Enable the Do Not Use Real Identity Policy
Log in to the Goverlan client portal, click on the Global License Policies control and enable the Do Not Use Real Identity policy. Once enabled, session identifiers will be anonymized before they are transferred and stored on our server.
- Implement a Goverlan On-site Licensing Server
Alternatively, you can implement a Goverlan Licensing Server on your premises which will be used to distribute licenses. Doing so will prevent any authentication communication outside of your organization.
The Goverlan Reach Services
The Goverlan Reach services allow the remote administration and management of Customers’ users and their computers within a private network or over the public internet.
Goverlan Reach is an on-premises solution; therefore, personally identifiable information about the Customer’s users and their computers stays within the Customer’s organization and is not stored on our servers.
The Goverlan Reach services can optionally be purchased as a hosted solution, in which case some personally identifiable information may be stored on a server managed by Goverlan.
Data Collected in Relation to Goverlan’s Mobile Device Management (Goverlan MDM) Services
The Goverlan MDM services provide the Customer with Mobile Device Management of supported smartphones and tablets. The Goverlan MDM solution is a fully hosted service which collects and manages Customer, user and device information, including (but not limited to):
- Customer account information
  - First name / Last name
  - Company information
  - Address
  - Contact information
- Customer’s user’s information
  - Email address
  - Telephone number
- Customer’s device’s information
  - Make and model
  - IP information
  - Geolocation
  - Configuration
User and device registrations are controlled by Customer and can be removed if Customer chooses to do so.
APPENDIX B: List of Sub-Contractors used by Goverlan
Analytics
We may use third-party Service Providers to monitor and analyze the use of our Service.
Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
You can opt out of having your activity on the Service made available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visit activity.
For more information on the privacy practices of Google, please visit the Google Privacy Terms web page:
http://www.google.com/intl/en/policies/privacy/
Marketo
Marketo is a sales / marketing automation platform that helps process digital marketing to analyze and engage customers and prospects.
For more information on the privacy practices of Marketo, please visit the Marketo Privacy Terms web page:
https://documents.marketo.com/legal/privacy/
FullStory
FullStory utilizes a script that allows website owners to understand the usability of their websites. Website owners who use FullStory Services can watch a DVR-like video playback of user sessions on their website, enabling meaningful insight into their users' experience, as an effective way to identify usability problems and other areas for improvement.
For more information on the privacy practices of FullStory, please visit the FullStory Privacy Terms web page:
https://www.fullstory.com/legal/privacy/
Behavioral Remarketing
Goverlan, Inc. uses remarketing services to advertise on third party websites to you after you visited our Service. We and our third-party vendors use cookies to inform, optimize and serve ads based on your past visits to our Service.
Google AdWords
Google AdWords remarketing service is provided by Google Inc.
You can opt out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads
Google also recommends installing the Google Analytics Opt-out Browser Add-on - https://tools.google.com/dlpage/gaoptout - for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.
For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy/
Twitter
Twitter remarketing service is provided by Twitter Inc.
You can opt out of Twitter's interest-based ads by following their instructions:
https://support.twitter.com/articles/20170405
You can learn more about the privacy practices and policies of Twitter by visiting their Privacy Policy page:
https://twitter.com/privacy
Facebook
Facebook remarketing service is provided by Facebook Inc.
You can learn more about interest-based advertising from Facebook by visiting this page:
https://www.facebook.com/help/164968693837950
To opt out of Facebook's interest-based ads, follow these instructions from Facebook:
https://www.facebook.com/help/568137493302217
Facebook adheres to the Self-Regulatory Principles for Online Behavioral Advertising established by the Digital Advertising Alliance.
For more information on the privacy practices of Facebook, please visit Facebook's Data Policy:
https://www.facebook.com/privacy/explanation
You can also opt out from Facebook and other participating companies through the Digital Advertising Alliance in the USA http://www.aboutads.info/choices/, the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca/ or the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu/, or opt out using your mobile device settings.
Support & Services
Salesforce
Salesforce is a customer relationship management (CRM) platform used to store prospects and customer information and activity.
For more information on the privacy practices of Salesforce, please visit Salesforce’s Privacy Policy:
https://www.salesforce.com/company/privacy/
SnapEngage
SnapEngage is a live chat software that enables us to communicate live with Site visitors, answer questions and provide technical support.
For more information on the privacy practices of SnapEngage, please visit SnapEngage’s Privacy Policy:
https://snapengage.com/privacy-policy/
AcuityScheduling
Acuity Scheduling is an online assistant used to schedule a meeting or demo with a Site visitor.
For more information on the privacy practices of AcuityScheduling, please visit AcuityScheduling’s Privacy Policy:
https://acuityscheduling.com/privacy.php
FancyFon
FancyFon is a mobile device management platform used by the Goverlan MDM services.
For more information on the privacy practices of FancyFon, please visit FancyFon’s Privacy Policy:
https://www.fancyfon.com/21/privacy_policy
Payments
We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
We do not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
The payment processors we work with are:
Stripe
Their Privacy Policy can be viewed at https://stripe.com/us/privacy