MSA Appendix
Cleverbridge Solution-Specific Terms: Digital Marketing Services
Click here to download this document as a PDF.
Last Updated Mar. 14, 2024
These Digital Marketing Services (DMS) terms apply to Client’s subscription(s) for Managed Growth, CleverAutomations, and CleverPartners, and incorporate and become a part of the MSA, found at https://grow.cleverbridge.com/msa. Capitalized terms not defined within the DMS terms shall have the meaning set forth in the MSA, other Solution-Specific Terms, or corresponding subscription schedule.
1. Service Requirements
1.1. Provision of DMS. Cleverbridge shall provide to Client the DMS as agreed upon in the relevant Statement(s) of Work that incorporate these DMS terms. The parties can add SOWs in writing.
1.2. Separate Service Agreements. Each SOW constitutes a separate agreement on services and may be terminated by Client under the same conditions as the DMS terms as set forth in the MSA.
1.3. Intellectual Property License. The Intellectual Property License granted in the MSA by Client to Cleverbridge shall apply equally to any materials needed to perform the DMS services, including Materials provided by Client.
1.4 Expenses. Client agrees to reimburse all expenses incurred by Cleverbridge due to work produced for Client during the term of the relevant Solution. Cleverbridge agrees to acquire written approval from Client before incurring any expenses requiring reimbursement.
2. Legal Compliance
1.
1.
2.1. Privacy. When processing Customer Information as Controller under these terms, both parties shall comply with applicable marketing and privacy laws including, without limitation, CAN-SPAM, CCPA, and GDPR.
2.2. Materials. If Client provides Materials to Cleverbridge or any third party under these terms, Client will not provide any Material that (i) infringes any third party’s copyright, patent, trademark, trade secret or other proprietary rights, (ii) violates any law, statute or regulation, (iii) constitutes defamation, trade libel, invasion of privacy or violation of any right of publicity, (iv) is pornographic or obscene, or (vi) contains viruses or other similar harmful programming routines.
2.3. DPA. For any DMS where Cleverbridge acts as a data processor of Client, the Data Processing Agreement (DPA), attached hereto as Exhibit 1 shall apply and is incorporated hereto by reference.
3. Disclaimer
3.
3.1. Cleverbridge will not be responsible for project delays that result from any delays in receiving work product, or feedback on Cleverbridge work product from Client.
4. Term
4.1. These DMS terms commence on the applicable Solution Schedule Effective Date and remain in effect until termination (the “Term”). Either party may terminate these DMS terms during the Term by providing at least 60 days’ notice to the other party, but as an earliest point six months after the Effective Date.
Exhibit 1
Data Processing Agreement: Controller to Processor
This DPA relates to and governs the processing of Personal Data by Cleverbridge to the extent required as part of its services under the MSA or any relevant Solution-Specific Terms or Statement(s) of Work (collectively, the “Agreement”), either on behalf of or following the instructions of Client, related to its use of the Cleverbridge Digital Marketing Services. The duration of processing will be until the earliest of (i) the expiration or termination of the Agreement, or (ii) the date on which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement. Terms not defined within this DPA have the meaning defined in the Agreement.
1. Subject Matter; Nature and Purpose of Processing; Duration of Processing; Type of Personal Data and Categories of Data Subjects
1.1. Data subjects include Client’s prospective customers, customers, resellers, referrers, business partners, and vendors who are natural persons; employees or contact persons of the Client’s prospective customers, customers, resellers, referrers, subprocessors, business partners, and vendors who are natural persons; Client’s employees, agents, advisors, and freelancers of the customer who are natural persons; and any other natural persons authorized by the Client to use the Cleverbridge Digital Marketing Services.
1.2. Personal Data that may be processed includes the full scope of Customer Information in the Agreement. In case of Performance Marketing the personal data consists of data relating to the tracking of the Data Subjects, and of the Data Subjects’ subsequent subscription to Cleverbridge’s service. Data subjects are not directly identifiable by Cleverbridge and are indirectly identifiable only by reference to their IP address, cookie identification, and browser details. Cleverbridge would require access to additional information in order to identify Data Subjects.
2. Obligations of the Controller
2.1. By entering into the Agreement, including this DPA, the Client instructs Cleverbridge to process the Personal Data to the extent required to provide the Services under the Agreement. The Client will not intentionally instruct Cleverbridge to process Personal Data in a manner that would constitute a breach of Applicable Data Protection Laws.
2.2. The Client will ensure that any instructions given to Cleverbridge comply with all laws, rules, and regulations applicable in relation to the Personal Data, and that the processing of Personal Data in accordance with the Client’s instructions will not cause Cleverbridge to be in breach of this DPA, the Standard Contractual Clauses, or Applicable Data Protection Laws.
2.3. The Client remains the controller of its own Personal Data within the meaning of Applicable Data Protection Laws and will act in compliance with Applicable Data Protection Laws. This also includes responding to Data Subject requests and contacting Cleverbridge to respond as required by Applicable Data Protection Laws.
2.4. The Client will notify Cleverbridge without undue delay of any errors, security incidents or irregularities (if any) Client gains knowledge of in connection with the processing of the Personal Data by Cleverbridge.
3. Additional Obligations of Cleverbridge as Processor
3.1. In addition to the obligations set out elsewhere in this DPA, Cleverbridge as Processor will process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Cleverbridge is subject; in such a case, Cleverbridge will inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2. Cleverbridge will ensure that any subprocessor authorised to process the Personal Data have committed themselves to the same confidentiality required under this DPA or are under an appropriate statutory obligation of confidentiality.3.3. Cleverbridge will assist the Client by appropriate technical and organisational measures in order for the Client to fulfill its obligation to respond to requests for exercising the Data Subject's rights set forth in the GDPR and for the Client to ensure compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
4. Processing Locations and Standard Contractual Clauses
4.1. The countries where Cleverbridge will process Personal Data are: Germany, United States of America, Japan, and/or Taiwan. Specifically, data processing will take place at the following sites of Cleverbridge affiliates: Cleverbridge GmbH, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge Inc., 350 N Clark, Suite 700, Chicago, Illinois, 60654, USA; Cleverbridge Financial Services GmbH, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge KK, Wakamatsu Bldg. 7F, 3-3-6, Nihonbashi-Honcho, Chuo-ku, Tokyo 103-0023, Japan; Cleverbridge Co., Ltd., Level 4, Neihu New Century Building, 55 Zhouzi Street, Neihu District, Taipei, Taiwan.
4.2. The Client authorizes Cleverbridge to process Personal Data in the above-listed countries, any other EU or EEA country, and any Third Country where the European Commission has decided that the Third Country in question ensures an adequate level of protection.
4.3. Cleverbridge will not transfer the Personal Data to any other Third Country unless the appropriate safeguards and Data Subject’s rights enforceabilty and effective legal remedies are secured, in particular by Cleverbridge entering into the Standard Contractual Clauses with the subprocessor.
4.4. In the event of a change in any Applicable Data Protection Laws relating to the countries where an adequate level of data protection exists, the Parties will dicuss and agree on an alternative solution permitting Cleverbridge continuing to process the Personal Data in said countries.
5. Technical and Organisational Measures
5.1. Cleverbridge will maintain a record of all categories of processing activities carried out on Client’s behalf to the extent required to enable the Client to comply with its obligations under Applicable Data Protection Laws, and require any subprocessors to do the same.
5.2. Cleverbridge will also take reasonable steps to ensure the reliability and obligation to confidentiality of any person authorized to process the Personal Data, and will implement and maintain appropriate technical and organisational data protection and security measures to ensure the security and accountibility of the Personal Data as required under Article 32 of the GDPR.
6. Right to Audit
6.1. Cleverbridge will make available to Client all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and allow the Client to resonably inspect or audit, at Client’s own expense, Cleverbridge’s (and our Subprocessors) compliance with this DPA and Applicable Data Protection Laws. For this purpose, Cleverbridge will grant the Client, or a designated third party, access to our business premises during Cleverbridge’s regular business hours and without undue delay make available all information necessary to demonstrate compliance with this DPA as reasonably requested.
6.2. The Client will notify Cleverbridge in writing of any such audit or inspection at least 15 business days in advance and at the same time provide a concise audit plan detailing the subject of such audit, the audit timeline, and any information or resources requested. Cleverbridge will ensure that similar provisions are included in our written contracts with Subprocessors. The Client agrees that if Cleverbridge can provide an ISAE 3402 Type 1, (SOC1 Type 2), or similar audit report prepared by an independent third party auditor, the rights set forth here will only apply insofar as the subject to be audited is not already covered by such audit report and is required for the Client to demonstrate its compliance with Client’s obligations related to this DPA.
7. Data Breach Notifications
7.1. Cleverbridge will promptly notify the Client, if possible, if it discovers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the Personal Data transmitted, stored, or otherwise processed by Cleverbridge or any of its subprocessors if the incident is likely to involve a risk to the Data Subjects’ rights and freedoms.
7.2. Cleverbridge will take reasonable steps to restore any Personal Data lost as a result of such data breach where it is the result of the acts or omissions of Cleverbridge or its subprocessors.
7.3. Cleverbridge will provide assistance with any of the Client’s obligations under Applicable Data Protection Laws, including making any notifications to the Data Subjects, supervisory authorities or the public in respect of such breach as reasonably requested by Client.
8. Rights of the Data Subjects
8.1. The Client has sole responsibility to provide Data Subjects with the information required under Applicable Data Protection Laws when Personal Data are obtained.
8.2. The Client also has sole discretion in responding to the rights asserted by the Data Subjects.
9. Cleverbridge Right to Engage Subprocessors
9.1. Client provides a general authorization to Cleverbridge to engage subprocessors ("Subprocessors") subject to compliance with requirements at least as strict as the obligations of Cleverbridge set out in this DPA.
9.2. The Client authorizes Cleverbridge to engage the following Subprocessors:
|
Subprocessor |
Nature of services |
|
WhatCounts 3445 Peachtree Rd NE, Atlanta, GA 30326 |
Email Marketing Services |
|
Performance Horizon Group Limited, dba Partnerize 8th Floor, West One, Forth Banks, Newcastle upon Tyne, NE1 3PA |
Performance Marketing Services |
|
PartnerStack Inc. 111 Peter St Floor 9, Toronto, ON M5V 2G9, Canada |
Performance Marketing Services |
9.4. Cleverbridge will enter into the Standard Contractual Clauses with all Subprocessors or otherwise ensure that applicable safeguards for the transfer of Personal Data to Third Countries are adopted by contract.
10. Termination
10.1. Upon termination of the DPA, Cleverbridge will return to the Client or destroy any files containing Personal Data and certify that this has been done, unless prevented from doing so by applicable laws.
10.2. The following clauses shall survive termination of this DPA: 8, 10, 11.
10.3. Termination of the DPA shall mean termination of the Agreement.
11. Miscellaneous
11.1. In case of introduction of new or change of existing Applicable Data Protection Laws, including GDPR or local, at the request of any party, the parties will promptly review this DPA and begin good faith negotiations to agree on any changes necessary to bring this DPA to line with the law.
11.2. In case of any discrepancies between this DPA and the Standard Contractual Clauses, the relevant provisions of the Standard Contractual Clauses prevail.
12. Additional DPA Definitions
12.1. “Applicable Data Protection Laws” means any current and coming data protection legislation, rules and regulations applicable to the Services, including but not limited to the GDPR;
12.2. “Data Subject” shall have the same meaning as given in the Applicable Data Protection Laws, i.e., a natural person whose Personal Data is processed under this DPA;
12.3. “EEA” means the European Economic Area;
12.4. "GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data;
12.5. “Personal Data” shall have the same meaning as given in the Applicable Data Protection Laws, i.e., any information relating to a Data Subject;
12.6. “processing”, “processed” shall have the same meaning as given in the Applicable Data Protection Laws, including but not limited to collection, use, recording, organisation, structuring, adaptation, retrieval, consultation, modification, storage, disclosure, alignment or combination, restriction, erasure or destruction, and any other activity with respect to personal data;
12.7. “Standard Contractual Clauses” means the standard contractual clauses adopted by the EU Commission Decision 2021-914 pursuant to Regulation (EU) 2016/679 which can be found at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32021D0914;
12.8. “Third Country”, “Third Countries” means any country outside of EEA;
12.9. “Controller” means the Client; and
12.10. “Processor” means Cleverbridge GmbH, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge Inc., 350 N Clark, Suite 700, Chicago, Illinois, 60654, USA; Cleverbridge Financial Services GmbH, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge KK, Wakamatsu Bldg. 7F, 3-3-6, Nihonbashi-Honcho, Chuo-ku, Tokyo 103-0023, Japan; Cleverbridge Co., Ltd., Level 4, Neihu New Century Building, 55 Zhouzi Street, Neihu District, Taipei, Taiwan.