This Data Processing Agreement (including any terms set forth in a schedule, appendix or addendum hereto, “DPA”), dated as of the effective date of the Agreement (“Effective Date”), is by and between the customer identified in the Agreement (“Customer”), and Campsite Software Co., a Delaware corporation (“Vendor”). Customer and Vendor may be referred to herein together as the “Parties”, and each may be referred to herein as a “Party”. To the extent that the Parties have entered into a prior agreement governing the processing of personal data (the “Prior Agreement”), the Parties understand and agree that this DPA shall supersede and replace such Prior Agreement. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Customer and Vendor hereby agree as follows:
1.1. “Applicable Laws” means, collectively, all now existing or hereinafter enacted or amended laws, rules, regulations (including, without limitation, self-regulatory obligations), and/or sanctions programs applicable to a Party’s performance hereunder and/or obligations with respect to data protection.
1.2. “CCPA” means the California Consumer Privacy Act of 2018 (Title 1.81.5 of the Civil Code of the State of California), together with all effective regulations adopted thereunder (in each case, as amended from time to time).
1.3. “Customer Data” means all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Customer through the Services.
1.4. “Customer Personal Data” means Customer Data that is Personal Data processed by Vendor on behalf of Customer in the provision of the Services under the Service Agreement(s).
1.5. “Controller” means (i) under and in the context of European Data Protection Law, the data “controller” (as defined by GDPR), (ii) under and in the context of CCPA, the “business” (or third party) (each, as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “controller”, “business”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
1.6. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (and each successor regulation, directive or other text of the foregoing, in each case as amended from time to time).
1.7. “European Data Protection Law” means each of EU GDPR, UK GDPR, and the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time).
1.8. “GDPR” means, as applicable, (i) the EU GDPR and/or (ii) the UK GDPR.
1.9. “Personal Data” means any information that constitutes (a) “personal information” (as defined by, and in the context of, CCPA), (b) “personal data” (as defined by, and in the context of, European Data Protection Law), and/or (c) “personal data,” “personal information,” or other term denoting a substantially similar definition and obligations under, and in the context of, any other Applicable Laws, in each case that is (i) made available or otherwise provided by Customer to Vendor in connection with the Services and/or (ii) collected or accessed by Vendor under a Service Agreement(s) via a pixel, cookie, tag, or similar technology on any of Customer’s digital properties.
1.10. “Process” means any operation or set of computer operations performed on Personal Data, including, but not limited to, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, transfer, transmit, sale, rental, disclosure, dissemination, making available, alignment, combination, deletion, erasure, or destruction.
1.11. “Processor” means (i) under and in the context of European Data Protection Law, the data “processor” (as defined by GDPR), (ii) under and in the context of CCPA, a “service provider” (as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “processor”, “service provider”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
1.12. “Security Incident” means (i) any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data or (ii) any other event that constitutes a “security breach”, “personal data breach”, or substantially similar term with respect to Personal Data under an Applicable Law(s).
1.13. “Service Agreements” or “Agreement” means, collectively, the agreements and/or terms of service (including, as applicable, each of the Statements of Work/SOWs/Orders/Order Forms and exhibits thereunder) between Customer and Vendor.
1.14. “Services” means, collectively, the products and/or services provided by Vendor to Customer under the Service Agreements.
1.15. “Sub-Processor” means a contractor, subcontractor, consultant, third-party service provider, or agent engaged by Vendor for further Processing of Personal Data.
1.16. “UK GDPR” has the meaning ascribed thereto in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018 (as amended from time to time).
2. Data Processing Obligations
(a) Each Party shall comply with its obligations relating to Personal Data under this DPA and under Applicable Laws at its own cost. With respect to Personal Data, (i) Customer is a Controller and (ii) Vendor is a Processor that acts upon the instructions of Customer, including, without limitation, in accordance with the applicable Service Agreement, this DPA, and any other documented instructions provided by Customer.
(b) With regard to Vendor employees engaged in Processing Personal Data, Vendor shall ensure that such employees are informed of the confidential nature of the Personal Data and are subject to appropriate confidentiality obligations sufficient to comply with the terms of the applicable Service Agreement(s) and this DPA, which confidentiality obligations shall survive following termination of this DPA for at least as long as the period(s) required by the applicable Service Agreement(s) and this DPA.
(c) Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data, including, without limitation, obtaining appropriate consent to collect the Customer Personal Data and share such data with Vendor in accordance with Applicable Laws.
2.2 Standard Contractual Clauses
If Vendor Processes Personal Data relating to an EEA, United Kingdom, or Switzerland data subject (including, without limitation, the transfer of such Personal Data from the EEA, United Kingdom, or Switzerland to a third country not providing an adequate level of protection) outside of the EEA, United Kingdom, and Switzerland, the Processing will be further governed by Schedule I to this Agreement, with Customer as data exporter and Vendor as data importer (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “Personal Data SCCs”), which is incorporated by reference into this DPA solely with respect to Personal Data relating to EEA, United Kingdom and/or Switzerland data subjects. If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the Personal Data SCCs, on the other hand, then, with respect to Personal Data relating to an EEA, United Kingdom and/or Switzerland data subject(s), the terms and conditions of the Personal Data SCCs will prevail and control. Vendor may only transfer Personal Data relating to an EEA, United Kingdom, or Switzerland data subject outside the EEA, United Kingdom, and Switzerland in compliance with Applicable Laws and the Personal Data SCCs.
Without limiting any of the restrictions on or obligations of Vendor under this DPA, under any of the Service Agreements, or under Applicable Laws, with respect to Personal Data relating to a California “consumer” (as defined by CCPA) or household (“CCPA Personal Data”):
(a) Customer shall be disclosing such CCPA Personal Data under the applicable Service Agreement(s) to Vendor for a “business purpose” (as defined by CCPA), and Vendor shall Process such CCPA Personal Data solely on behalf of Customer and only as necessary to perform such business purpose for Customer; and
(b) Vendor shall not: (i) “sell” (as defined by CCPA) CCPA Personal Data; or (ii) retain, use, or disclose CCPA Personal Data (x) for any purpose (including a “commercial purpose” (as defined by CCPA)) other than for the specific purpose of performing for Customer the services specified in the particular Service Agreement(s) or (y) outside of the direct business relationship between Vendor and Customer; Vendor certifies that it understands the restrictions set forth in this Section 2.3(b) and shall comply with them; and
(c) Notwithstanding anything to the contrary in this DPA (including, for purposes of clarification and without limitation, clauses (a) and (b) of this Section 2.3), in no event shall Vendor process any CCPA Personal Data in such a manner as would constitute (i) a sale (as defined by CCPA) of CCPA Personal Data by Customer to Vendor or (ii) on or after January 1, 2023, the sharing (as defined under CCPA (as amended by the California Privacy Rights Act of 2020)) of CCPA Personal Data by Customer with Vendor; and
(d) If directed by Customer with regard to a particular California consumer or household, Vendor shall delete the CCPA Personal Data of such consumer or household.
2.4. Changes in Applicable Laws
If, due to any change in Applicable Laws, a Party reasonably believes that (a) Vendor ceases to be able to provide a Service(s) in whole or in part (e.g., with respect to a particular jurisdiction) and/or Customer ceases to be able to use a Service(s) in whole or in part under the then-current terms and conditions of the applicable Service Agreement(s) and this DPA, each Party may terminate the applicable Service Agreement(s) (in whole or, if reasonably practicable, in part).
3.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks. Such measures will include reasonable administrative, physical, and technical security controls (including those required by Applicable Laws) that prevent the collection, use, disclosure, or access to Personal Data and Customer confidential information that the Service Agreements do not expressly authorize, including maintaining a comprehensive information security program that safeguards Personal Data and Customer confidential information. These security measures include, but are not limited to: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
3.2. When assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
4. Supplementary Measures and Safeguards
4.1. Assistance; Risk Assessment
(a) Vendor shall assist Customer to ensure compliance with Applicable Laws in connection with the Processing of Personal Data.
Vendor shall notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and/or on behalf of Vendor. Customer may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Customer in such defense.
5.1. Security Incidents
Vendor has and will maintain a security incident response plan that includes procedures to be followed in the event of a Security Incident. Vendor will provide Customer with written notice promptly after discovering a Security Incident (including those affecting Vendor or its Sub-Processors), including any information that Customer is required by law to provide to an applicable regulatory agency or to the individuals whose personal data was involved in the Security Incident.
5.2. Data Subject Requests
Vendor shall (i) promptly notify Customer about any request under Applicable Law(s) with respect to Personal Data received from or on behalf of the applicable data subject and (ii) reasonably cooperate with Customer’s reasonable requests in connection with data subject requests with respect to Personal Data. Vendor shall assist Customer, through appropriate technical and organizational measures, to fulfill its obligations with respect to requests of data subjects seeking to exercise rights under Applicable Law with respect to Personal Data.
6.1. Vendor shall not have Personal Data Processed by a Sub-Processor unless such Sub-Processor is bound by a written agreement with Vendor that includes data protection obligations at least as protective as those contained in this DPA and the applicable Service Agreement(s) and that meet the requirements of Applicable Laws. Vendor is and shall remain fully liable to Customer for any failure by any Sub-Processor to fulfill Vendor’s data protection obligations under Applicable Laws.
6.2. Vendor provides a list of all Sub-Processors who access Personal Data, available at: https://campsite.design/security/subprocessors (the “Website”). Customer specifically authorizes and instructs Vendor to engage the Sub-Processors listed on the Website as of the Effective Date. Vendor will notify Customer of any changes to the Sub-Processors listed on the Website and grant Customer the opportunity to object to such change. Upon Customer’s request, Vendor will provide all information necessary to demonstrate that the Sub-Processors will meet all requirements pursuant to Section 6.1. In the case Customer objects to any Sub-Processor, Vendor can choose to either not engage the Sub-Processor or to terminate this DPA with thirty (30) days’ prior written notice.
6.3. Third-party providers that maintain IT systems whereby access to Personal Data is not needed but can technically also not be excluded do not qualify as Sub-Processors within the meaning of this Section 6. They can be engaged based on regular confidentiality undertakings and subject to Vendor’s reasonable monitoring.
Vendor shall, at the choice of Customer: (i) delete or return all Customer Data to Customer after such Customer Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Customer Data.
8.1. Vendor shall, upon Customer’s request, provide Customer (a) comprehensive documentation of Vendor’s technical and organizational security measures, (b) any and all third-party audits and certifications available with respect to such security measures, and (c) all other information reasonably necessary to demonstrate compliance with the Vendor’s obligations under this DPA and/or under Applicable Laws.
9. Term; Termination.
This DPA shall remain in effect until (a) all Service Agreements have terminated and (b) all obligations that Vendor has under the Service Agreements and under Applicable Laws with respect to Personal Data, and all rights that Customer has under the Service Agreements and under Applicable Laws with respect to Personal Data, have terminated. Notwithstanding termination of this DPA, any provisions hereof that by their nature are intended to survive, shall survive termination.
10.1. Any notice made pursuant to this DPA will be in writing and will be deemed delivered on (a) the date of delivery if delivered personally, (b) five (5) calendar days (or upon written confirmed receipt) after mailing if duly deposited in registered or certified mail or express commercial carrier, or (c) one (1) calendar day (or upon written confirmed receipt) after being sent by email, addressed to Customer at the address or email address on record with Vendor, or addressed to Vendor at the address or email address designated below, or to such other address or email address as may be hereafter designated by either Party:
Brian Lovin, CEO
3374 22nd Street, San Francisco CA 94110
10.2. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Service Agreements, unless required otherwise by Applicable Laws.
10.3. Neither Party may assign or transfer any part of this DPA without the written consent of the other Party; provided, however, that this DPA, collectively with all Service Agreements, may be assigned without the other Party’s written consent by either Party to a person or entity who acquires, by sale, merger or otherwise, all or substantially all of such assigning Party’s assets, stock or business. Subject to the foregoing, this DPA shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns. Any attempted assignment in violation of this Section 12.3 shall be void and of no effect.
10.4. This DPA is the Parties’ entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject; provided, however, that, notwithstanding the foregoing but subject to the last sentence of this Section 10.4, nothing in this DPA shall be deemed to supersede any of the Service Agreements. Vendor may modify the terms of this DPA if, as reasonably determined by Vendor, such modification is (i) reasonably necessary to comply with Applicable Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency; and (ii) does not: (a) result in a degradation of the overall security of the Services, (b) expand the scope of, or remove any restrictions on, Vendor’s processing of Personal Data, and (c) otherwise have a material adverse impact on Customer’s rights under this DPA. Any other amendments must be executed by both of the Parties and expressly state that they are amending this DPA. Failure to enforce any provision of this DPA shall not constitute a waiver. If any provision of this DPA is found unenforceable, it and any related provisions shall be interpreted to best accomplish the unenforceable provision’s essential purpose. The headings contained in this DPA are for reference purposes only and shall not affect in any way the meaning or interpretation of this DPA. In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of any Service Agreement, the terms and conditions of this DPA shall govern.
Name: Entity identified as “Customer” in the DPA and “Client” in the Agreement.
Address: See the Agreement.
Contact person’s name, position and contact details: See the Agreement.
Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).
Signature and date: See the Agreement.
Role (controller/processor): Controller.
Data importer(s):
Name: Campsite Software Co. (“Vendor”)
Address: 3374 22nd Street San Francisco, CA 94110
Contact person’s name, position and contact details:
Role: Co-Founder, CEO
Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).
Role (controller/processor): Processor.
B. Description of transfer
Categories of data subjects whose personal data is transferred
Current employees, independent contractors, and other individuals providing services to Customer (collectively, “Users”).
Categories of personal data transferred
First name, last name, email address, IP address, and any other personal data that may be included in Client Data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the duration of the Services pursuant to the Agreement.
Nature of the processing
To provide the Services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing
To provide the Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As long as necessary to provide the Services pursuant to the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
To provide the Services pursuant to the Agreement.
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13
The Supervisory Authority where the Data Exporter is located.
Technical and organisational measures including technical and organisational measures to ensure the security of the data
|Technical and Organizational Security Measure||Details|
|Measures of pseudonymisation and encryption of personal data||Data transmitted between customers and the Campsite application is encrypted using HTTPS/SSL and is encrypted at rest. Employee computers are required to use full-disk encryption.|
|Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services||Campsite has policies and procedures in place to ensure confidentiality, integrity and resilience of processing systems and services. These include an Access Control Policy, Business Continuity and Disaster Recovery Policy, and a Secure Development Policy. Campsite will maintain and provide policies upon request.|
|Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident||All database-stored customer data is backed up twice-daily using industry-standard database tooling. Backups and restore capabilities are tested on an annual cadence.|
|Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing||Campsite regularly monitors and tests controls to ensure they are operating as intended and updated as needed. Campsite uses 3rd party independent vendors to automate several of these controls, including employee activity and adherence to Campsite policies and procedures, infrastructure monitoring, and development procedures. Campsite leadership monitors these controls regularly, and is notified immediately when a control is at risk so that prompt action can be taken.|
|Measures for user identification and authorization||Campsite maintains an Access Control Policy, which can be provided upon request. Measures for access control and authorization include formally documented roles and permissions, encrypted connection to production systems and networks, strong passwords stored within a password manager, and single sign-on or 2FA where available.|
|Measures for the protection of data during transmission||Data transmitted between customers and the Campsite application is encrypted using HTTPS/SSL. All measures are outlined in Campsite’s Data Management Policy, which can be provided upon request.|
|Measures for the protection of data during storage||Data stored in a database is encrypted at rest.|
|Measures for ensuring physical security of locations at which personal data are processed||Campsite does not operate physical servers or other infrastructure. Campsite employees are required to complete physical security training. Employees are also required to enable screen lock while unattended and enable full-disk encryption.|
|Measures for ensuring events logging||Campsite maintains logs and monitors when production systems and data are accessed.|
|Measures for ensuring system configuration, including default configuration||Campsite monitors changes to in-scope systems to ensure that changes follow the process and to mitigate the risk of undetected changes to production. Changes are tracked in a version control system.|
|Measures for certification/assurance of processes and products||Campsite has completed its SOC2 Type II audit and is pending certification.|
|Measures for ensuring data minimisation||Data is collected to serve commercial or business purposes, such as providing, customizing and improving Services, marketing and selling the Services, corresponding with customers about Services, and meeting legal requirements. Campsite will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing customer notice.|
|Measures for ensuring data quality||All data collection is instrumented by Campsite’s software engineering team and all data collection changes are peer reviewed. Data is tested during development and verified after deployment. Campsite uses reporting tools to understand and validate the data that is stored.|
|Measures for ensuring limited data retention||Campsite retains data as long as there is a need for its use, or to meet regulatory or contractual requirements. Campsite, in consultation with legal counsel, may determine retention periods for data. Retention periods shall be documented in the Data Management Policy.|
|Measures for ensuring accountability||Campsite employees are required to review and acknowledge Campsite security practices and policies, complete security training, and go through a security walkthrough with a senior member of the engineering organization. Campsite requires all employees to sign a non-disclosure agreement before gaining access to Campsite information.|
|Measures for allowing data portability and ensuring erasure||Customer can ask for a copy of its Personal Data in a machine-readable format. Customer can also request that Campsite transmit the data to another controller where technically feasible. The Service allows relevant application data to be exported in a standard CSV format. In the case that a customer wishes to exercise portability or erasure rights, Campsite has measures for retrieving securely stored data and has a process in place to ensure access is restricted only to those who have a business justification for accessing data during the copy, transfer, or erasure.|
|Technical and organizational measures of sub-processors||Campsite collects and reviews the most security assessments from sub-processors on an annual basis.|
List of sub-processors
|Fly.io||Application hosting||United States|
|Vercel Inc.||Application hosting||United States|
|PlanetScale, Inc.||Data services||United States|
|Redis Ltd.||Application data syncing||United States|
|MessageBird Ltd (Pusher)||Application data syncing||United Kingdom|
|WorkOS, Inc.||Single sign-on||United States|
|Amazon Web Services, Inc.||Cloud services||United States|
|Zebrafish Labs Inc. (Imgix)||Cloud services||United States|
|June Inc.||Product analytics||United States|
|Axiom, Inc.||Service logging||United States|
|Functional Software, Inc. (Sentry)||Service logging||United States|
|Tilde Inc. (Skylight)||Service Logging||United States|
|Stripe, Inc.||Payment processing||United States|
|Userlist, Inc.||Email communication||United States|
|ActiveCampaign, LLC (Postmark)||Email communication||United States|
|Slack Technologies, LLC||Messaging services||United States|
|Linear Orbit, Inc.||Developer tooling||United States|
|Retool, Inc.||Product analytics||United States|
|Hex Technologies, Inc.||Product analytics||United States|
|GitHub, Inc.||Developer tooling||United States|