MSA Appendix
Cleverbridge Solution-Specific Terms: Digital Marketing Services
These Digital Marketing Services (DMS) terms apply to Client’s subscription(s) for Cleverbridge’s reseller services, and incorporate and become a part of the MSA, found either attached or at grow.cleverbridge.com/MSA. Capitalized terms not defined within the DMS Terms shall have the meaning set forth in the MSA, other Solution-Specific Terms, or corresponding subscription schedule.
1. Service Requirements
1.1 Provision of DMS. Cleverbridge shall provide to Client the DMS as agreed upon in the relevant Statement(s) of Work that
incorporate these DMS terms. The parties can add SOWs in writing.
1.2 Separate Service Agreements. Each SOW constitutes a separate agreement on services and may be terminated by Client
under the same conditions as the DMS terms as set forth in the MSA.
1.3 Intellectual Property License. The Intellectual Property License granted in the MSA by Client to Cleverbridge shall apply
equally to any materials needed to perform the DMS services, including Materials provided by Client.
1.4 Expenses. Client agrees to reimburse all expenses incurred by Cleverbridge as a result of work produced for Client during the
term of the DMA. Cleverbridge agrees to acquire written approval from Client before incurring any expenses requiring
reimbursement.
2. Legal Compliance
2.1 Privacy. When processing Customer Information as Controller under these terms, both parties shall comply with applicable
privacy laws including, without limitation, CAN-SPAM and GDPR.
2.2 Materials. If Client provides Materials to Cleverbridge or any third party under these terms, Client will not provide any Material
that (i) infringes any third party’s copyright, patent, trademark, trade secret or other proprietary rights, (ii) violates any law,
statute or regulation, (iii) constitutes defamation, trade libel, invasion of privacy or violation of any right of publicity, (iv) is
pornographic or obscene, or (vi) contains viruses or other similar harmful programming routines.
2.3 DPA. For any DMS where Cleverbridge acts as a data processor of Client, the Data Processing Agreement (DPA), attached
hereto as Exhibit 1, shall apply and is incorporated hereto by reference.
3. Disclaimer
3.1 Cleverbridge will not be responsible for project delays that result from any delays in receiving work product, or feedback on
Cleverbridge work product from Client.
4. Term
4.1 These DMS terms commence on the Effective Date and remain in effect until termination (the “Term”). Either party may
terminate these DMS terms during the Term by providing at least 60 days’ notice to the other party, but as an earliest point six
months after the Effective Date.
Exhibit 1
Data Processing Agreement: Controller to Processor
This DPA relates to and governs the processing of Personal Data by Cleverbridge to the extent required as part of its services under the MSA or any relevant Solution-Specific Terms or Statement(s) of Work (collectively, the “Agreement”), either on behalf of or following the instructions of Client, related to its use of the Cleverbridge Digital Marketing Services. The duration of processing will be until the earliest of (i) the expiration or termination of the Agreement, or (ii) the date on which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement. Terms not defined within this DPA have the meaning defined in the Agreement.
1. Subject matter; nature and purpose of processing; duration of processing; type of Personal Data and categories of data
subjects.
1.1 Data subjects include client’s prospective customers, customers, resellers, referrers, business partners, and vendors who are
natural persons; employees or contact persons of the client’s prospective customers, customers, resellers, referrers,
subprocessors, business partners, and vendors who are natural persons; client’s employees, agents, advisors, and freelancers
of the customer who are natural persons; and any other natural persons authorized by the client to use the Cleverbridge
Digital Marketing Services.
1.2 Personal Data that may be processed includes the full scope of Customer Information in the Agreement. In case of
Performance Marketing the personal data consists of data relating to the tracking of the data subjects, and of the data
subjects’ subsequent subscription to Cleverbridge’s service. Data subjects are not directly identifiable by Cleverbridge and
are indirectly identifiable only by reference to their IP address, cookie identification, and browser details. Cleverbridge would
require access to additional information in order to identify data subjects.
2. Obligations of the Controller
2.1 By entering into the Agreement, including this DPA, the client instructs Cleverbridge to process the Personal Data to the
extent required to provide the Services under the Agreement. The client will not intentionally instruct Cleverbridge to process
Personal Data in a manner that would constitute a breach of applicable data protection laws.
2.2 The client will ensure that any instructions given to Cleverbridge comply with all laws, rules, and regulations applicable in
relation to the Personal Data, and that the processing of Personal Data in accordance with the client’s instructions will not
cause Cleverbridge to be in breach of this DPA, the Standard Contractual Clauses, or the applicable data protection laws.
2.3 The client remains the controller of its own Personal Data within the meaning of applicable data protection laws and will act in
compliance with applicable data protection laws. This also includes responding to data subject requests and contacting
Cleverbridge to respond as required by applicable data protection laws.
2.4 The client will notify Cleverbridge without undue delay of any errors, security incidents or irregularities (if any) client gains
knowledge of in connection with the processing of the Personal Data by Cleverbridge.
3. Additional obligations of Cleverbridge as Processor
3.1 In addition to the obligations set out elsewhere in this DPA, Cleverbridge as Processor will process Personal Data only on
documented instructions from the client, including with regard to transfers of Personal Data to a third country or an
international organisation, unless required to do so by Union or Member State law to which Cleverbridge is subject; in such a
case, Cleverbridge will inform the client of that legal requirement before processing, unless that law prohibits such
information on important grounds of public interest;
3.2 Cleverbridge will ensure that any subprocessor authorised to process the Personal Data have committed themselves to the
same confidentiality required under this DPA or are under an appropriate statutory obligation of confidentiality;
3.3 Cleverbridge will assist the client by appropriate technical and organisational measures in order for the client to fulfill its
obligation to respond to requests for exercising the data subject's rights set forth in the GDPR and for the client to ensure
compliance with the obligations pursuant to Articles 32 to 36 of the GDPR;
4. Processing Locations and Standard Contractual Clauses
4.1 The countries where Cleverbridge will process Personal Data are: Germany, United States of America, Japan, and/or Taiwan.
Specifically, data processing will take place at the following sites of Cleverbridge affiliates: Cleverbridge GmbH, Gereonstr.
43-65, 50670 Cologne, Germany; Cleverbridge Inc., 350 N Clark, Suite 700, Chicago, Illinois, 60654, USA; Cleverbridge
Financial Services GmbH, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge KK, Wakamatsu Bldg. 7F, 3-3-6,
Nihonbashi-Honcho, Chuo-ku, Tokyo 103-0023, Japan; Cleverbridge Co., Ltd., Level 4, Neihu New Century Building, 55 Zhouzi
Street, Neihu District, Taipei, Taiwan.
4.2 The client authorizes Cleverbridge to process Personal Data in the above-listed countries, any other EU or EEA country, and
any Third Country where the European Commission has decided that the Third Country in question ensures an adequate
level of protection.
4.3 Cleverbridge will not transfer the Personal Data to any other Third Country unless the appropriate safeguards and Data
Subject’s rights enforceability and effective legal remedies are secured, in particular by Cleverbridge entering into the
Standard Contractual Clauses with the subprocessor.
4.4 In the event of a change in any applicable data protection laws relating to the countries where an adequate level of data
protection exists, the Parties will discuss and agree on an alternative solution permitting Cleverbridge to continue to process
the Personal Data in said countries.
5. Technical and organisational measures
5.1 Cleverbridge will maintain a record of all categories of processing activities carried out on Client’s behalf to the extent
required to enable the client to comply with its obligations under applicable data protection laws, and require any
subprocessors to do the same.
5.2 Cleverbridge will also take reasonable steps to ensure the reliability and obligation to confidentiality of any person authorized
to process the Personal Data, and will implement and maintain appropriate technical and organisational data protection and
security measures to ensure the security and accountability of the Personal Data as required under Article 32 of the GDPR.
6. Right to Audit
6.1 Cleverbridge will make available to Client all information necessary to demonstrate compliance with the obligations set forth
in Article 28 of the GDPR and allow the client to reasonably inspect or audit, at client’s own expense, Cleverbridge’s (and our
Subprocessors) compliance with this DPA and applicable data protection laws. For this purpose, Cleverbridge will grant the
client, or a designated third party, access to our business premises during Cleverbridge’s regular business hours and without
undue delay make available all information necessary to demonstrate compliance with this DPA as reasonably requested.
6.2 The client will notify Cleverbridge in writing of any such audit or inspection at least 15 business days in advance and at the
same time provide a concise audit plan detailing the subject of such audit, the audit timeline, and any information or
resources requested. Cleverbridge will ensure that similar provisions are included in our written contracts with
Subprocessors. The client agrees that if Cleverbridge can provide an ISAE 3402 Type 1, (SOC1 Type 2), or similar audit report
prepared by an independent third party auditor, the rights set forth here will only apply insofar as the subject to be audited is
not already covered by such audit report and is required for the client to demonstrate its compliance with client’s obligations
related to this DPA.
7. Data breach notifications
7.1 Cleverbridge will promptly notify the client, if possible, if it discovers a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the Personal Data transmitted, stored, or
otherwise processed by Cleverbridge or any of its subprocessors if the incident is likely to involve a risk to the Data Subjects’
rights and freedoms.
7.2 Cleverbridge will take reasonable steps to restore any Personal Data lost as a result of such data breach where it is the result
of the acts or omissions of Cleverbridge or its subprocessors.
7.3 Cleverbridge will provide assistance with any of the client’s obligations under applicable data protection laws, including
making any notifications to the Data Subjects, supervisory authorities or the public in respect of such breach as reasonably
requested by client.
8. Rights of the Data Subjects
8.1 The client has sole responsibility to provide Data Subjects with the information required under applicable data protection laws
when Personal Data are obtained.
8.2 The client also has sole discretion in responding to the rights asserted by the Data Subjects.
9. Cleverbridge right to engage subprocessors
9.1 Client provides a general authorization to Cleverbridge to engage subprocessors ("Subprocessors") subject to compliance
with requirements at least as strict as the obligations of Cleverbridge set out in this DPA.
9.2 The client authorizes Cleverbridge to engage the following Subprocessors:
Subprocessor | Nature of services
WhatCounts, 3445 Peachtree Rd NE, Atlanta, GA 30326 | Email Marketing Services
Performance Horizon Group Limited, dba Partnerize, 8th Floor, West One, Forth Banks, Newcastle upon Tyne, NE1 3PA | Performance Marketing Services
9.3 Cleverbridge will inform the client of any intended changes to this list of Subprocessors thirty (30) days before a new
Subprocessor receives access to Personal Data, thereby giving the client the opportunity to object to such changes. If client
objects, Cleverbridge will attempt to make reasonable accommodations but if the subcontractor is required for
subprocessing, then the client’s objection will be considered an immediate termination of the Agreement and this DPA.
9.4 Cleverbridge will enter into the Standard Contractual Clauses with all Subprocessors or otherwise ensure that applicable
safeguards for the transfer of Personal Data to Third Countries are adopted by contract.
10. Termination
10.1 Upon termination of the DPA, Cleverbridge will return to the client or destroy any files containing Personal Data and certify
that this has been done, unless prevented from doing so by applicable laws.
10.2 The following clauses shall survive termination of this DPA: 8, 10, 11.
10.3 Termination of the DPA shall mean termination of the Agreement.
11. Miscellaneous
11.1 In case of introduction of new or change of existing applicable data protection laws, including GDPR or local, at the request of
any party, the parties will promptly review this DPA and begin good faith negotiations to agree on any changes necessary to
bring this DPA into line with the law.
11.2 In case of any discrepancies between this DPA and the Standard Contractual Clauses, the relevant provisions of the Standard
Contractual Clauses prevail.
12. Additional DPA Definitions
12.1 “applicable data protection laws” means any current and coming data protection legislation, rules and regulations
applicable to the Services, including but not limited to the GDPR.
12.2 “Data Subject” shall have the same meaning as given in the applicable data protection laws, i.e., a natural person whose
Personal Data is processed under this DPA;
12.3 “EEA” means the European Economic Area;
12.4 "GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal
Data and on the free movement of such data;
12.5 “Personal Data” shall have the same meaning as given in the applicable data protection laws, i.e., any information relating to
a Data Subject;
12.6 “processing”, “processed” shall have the same meaning as given in the applicable data protection laws, including but not
limited to collection, use, recording, organisation, structuring, adaptation, retrieval, consultation, modification, storage,
disclosure, alignment or combination, restriction, erasure or destruction, and any other activity with respect to personal
data;
12.7 “Standard Contractual Clauses” means the standard contractual clauses adopted by the EU Commission Decision
2010/87/EU (repealing Decision 2002/16/EC) which can be found at
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
12.8 “Third Country”, “Third Countries” means any country outside of EEA.
12.9 “Controller” means the Client.
12.10 “Processor” Cleverbridge GmbH, 43-65, 50670 Cologne, Germany; Cleverbridge Inc., 350 N Clark, Suite 700, Chicago,
Illinois, 60654, USA; Cleverbridge Financial Services GmbH, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge
KK, Wakamatsu Bldg. 7F, 3-3-6, Nihonbashi-Honcho, Chuo-ku, Tokyo 103-0023, Japan; Cleverbridge Co., Ltd., Level 4,
Neihu New Century Building, 55 Zhouzi Street, Neihu District, Taipei, Taiwan.
Last updated November 1, 2023