Terms of last use updated on 22nd November 2021
The person or entity placing an order for or accessing the Service (“hereinafter referred to as the Customer”).
The “Effective Date” of this Agreement is the date which is the earlier of (a) Customer’s initial access to any Service through any online provisioning, registration or order process or (b) the effective date of the first Service Order Form, as applicable, referencing this Agreement. This Agreement will govern Customer’s initial purchase on the Effective Date as well as any future purchases made by Customer that reference this Agreement.
These Terms of Services (the “Agreement”) are entered into by AP & Customer on the Effective Date.
In consideration of the terms and conditions set forth below, the parties agree as follows. If you do not agree to all the terms and conditions of this agreement, you must not access or use any of our services. If these terms and conditions are considered an offer by AP, acceptance is expressly limited to these terms. The Service is available only to at least 16 years old individuals.
The only exception to the age limit is for Appy Pie Chatbot which requires you to be at least 18 years old.
1.1 Your AP Account and Site
Appy Pie AppMakr
Appy Pie AppMakr is an online, no code app builder that lets anyone, irrespective of their technical skills, build an app on their own. Known for their extensive range of features, Appy Pie AppMakr is the single biggest no code mobile app development platform.
Appy Pie Website Builder
Appy Pie Website Builder lets individuals or business entities create websites without writing even a single line of code. The website builder from Appy Pie comes loaded with features and has unique offline capabilities
Appy Pie Connect
Appy Pie Connect is an automation platform that helps businesses or individuals create automated workflows and increases the efficiency by eliminating the need to do repetitive, manual tasks.
Appy Pie Chatbot
Appy Pie Chatbot lets individuals or businesses create a Chatbot without any coding and integrate it into a website or an app. A chatbot helps businesses offer a conversational touch point to their website visitors. The product was launched on March 11, 2020 and is in public beta version.
Appy Pie Knowledge
Appy Pie Knowledge lets individuals or businesses build and publish knowledge portals without any coding. This helps businesses enable an intelligent self-service knowledge base for their customers, thus reducing the need to answer the frequently asked questions. It is a great way to increase productivity of the support team by letting them focus on critical issues. Launched on April 27, 2020, Appy Pie Knowledge is currently under public beta phase.
Appy Pie Design
Appy Pie Design is an online tool that empowers users to create different types of designs to fulfil their design needs without any design skills or training. Appy Pie Design is currently under public beta phase.
Once you hold an AP account for any of these products and create a social network, community, application, or software on the Service, you are responsible for maintaining the security of your account, and you are fully responsible for all activities that occur under the account and any other actions taken in connection with the social network, community, application or software. You must not describe or assign keywords to your social network, community, application, or software in a misleading or unlawful manner, including in a manner intended to trade on the name or reputation of others. AP may change or remove any description or keyword that it considers inappropriate or unlawful, or otherwise likely to cause AP’s liability. You must immediately notify AP of any unauthorized use of your social network, your community, your application, your software, your account, or any other breaches of security. AP will not be liable for any acts or omissions by You, including any damages of any kind incurred as a result of such acts or omissions.
1.2 Responsibility of Contributors
If you operate a social network, operate an application, manage a community, operate a software, post material to the Service, post links on the Service, or otherwise make (or allow any third party to make) material available by means of the Service (any such material, “Content”) or other services, you are entirely responsible for the content of, and any harm resulting from that Content. That is the case regardless of whether the Content in question constitutes text, graphics, an audio or video file, or computer software. By making Content available, you represent and warrant that:
- the downloading, copying and use of the Content will not infringe the proprietary rights, including but not limited to the copyright, patent, trademark or trade secret rights, of any third party;
- if your employer has rights to intellectual property you create, you have either (1) received permission from your employer to post or make available the Content, including but not limited to any software, or (2) secured from your employer a waiver as to all rights in or to the Content;
- you have fully complied with any third-party licenses relating to the Content, and have done all things necessary to successfully pass through to end users any required terms;
- the Content does not contain or install any viruses, worms, malware, Trojan horses or other harmful or destructive content;
- the Content is not spam, is not machine- or randomly-generated, and does not contain unethical or unwanted commercial content designed to drive traffic to third party sites or boost the search engine rankings of third party sites, or to further unlawful acts (such as phishing) or mislead recipients as to the source of the material (such as spoofing);
- the Content is not pornographic, libelous or defamatory, does not contain threats or incite violence towards individuals or entities, and does not violate the privacy or publicity rights of any third party;
- your social network, community, software, or application is not getting advertised via unwanted electronic messages such as spam links on newsgroups, email lists, blogs and web sites, and similar unsolicited promotional methods;
- your social network, community, software, or application is not named in a manner that misleads your readers into thinking that you are another person or company. For example, your social network’s URL or name is not the name of a person other than yourself or company other than your own; and
- you have, in the case of Content that includes computer code, accurately categorized and/or described the type, nature, uses and effects of the materials, whether requested to do so by social network or otherwise.
By submitting Content to AP for inclusion on any services or applications provided by AP, you grant AP a world-wide, royalty-free, and non-exclusive license to reproduce, modify, adapt and publish the Content solely for the purpose of displaying, distributing and promoting your mobile application. If you delete Content, AP will use reasonable efforts to remove it from the Service, but you acknowledge that caching or references to the Content may not be made immediately unavailable. Without limiting any of those representations or warranties, AP has the right (though not the obligation) to, in AP’s sole discretion (1) refuse or remove any content that, in AP’s reasonable opinion, violates any AP policy or is in any way harmful or objectionable, or (2) terminate or deny access to and use of the Service to any individual or entity for any reason, in AP’s sole discretion. AP will have no obligation to provide a refund of any amounts previously paid.
1.3 Billing, Termination, Cancellation and Refund on Monthly & Yearly Subscriptions
AP offers monthly and yearly subscriptions, which entitle the original purchaser access to AP for a period of exactly 1 month/1 year from the date of purchase. AP also offers add-on plans for each subscription, which allows purchaser access to AP’s additional services, including unlimited resubmission, dedicated account manager, for a period of one month or one year. The purchaser agrees to pay all fees in effect when incurred. You will be billed for your subscription in advance at the time of purchase and the subscription will automatically renew indefinitely until explicitly cancelled. If you cancel your services, your cancellation takes effect on your next billing cycle. This means we won’t be able to refund you for early contract cancellation. All AP accounts begin with an obligation-free trial which will allow you to evaluate the service. Your credit card information will be collected to initiate a trial account. However, charges will only be applied after the trial period is exhausted. Please sign up for a monthly payment schedule if you are unsure of how long you will be using the service. If you have a question about charges made to your account, please contact us immediately. If the charges were made in error, we will immediately credit your account or credit card account for the appropriate amount. AP has a zero-tolerance policy for chargebacks. Any customer who disputes a credit card payment that is found to be valid will be permanently blacklisted and barred from use of the Service. It is also pertinent to mention here that non-payment of subscription fees will result in your app being locked for editing and viewing purposes. Any past due fees and costs will be sent to collections. If our collection efforts fail, unpaid debts will be reported to all available credit reporting agencies and may result in a lawsuit, details of which could be found in section 1.25. If AP terminates your account because of a violation of our terms of service, AP will not refund any portion of your license fees. Refunds are not applicable on rejection of your application from any App Store or marketplace. We offer a 30-day money back guarantee, hence if you cancel your subscription in this period, your request for refund will be approved. All refunds from Appy Pie will come with a deduction of 3% of the amount or the actual processing fee charged by the Payment processor (whichever is higher). However, the 30-day money back guarantee is not applicable for users who have opted for the 7 day free trial and cancellation of the monthly or yearly plan after this period will not result in a refund.
1.4 Billing, Termination, Cancellation and Refund on Lifetime Subscriptions (Perpetual License) *
AP offers Lifetime Plan* (Perpetual License), which will be perpetually active provided the client has paid the one-time upfront license fee and continues to pay the ongoing yearly fees towards maintenance & updates, i.e. (5% of one-time upfront license fee). AP also offers add-on plans for each subscription, which allows purchaser access to AP’s additional services, including unlimited resubmission, dedicated account manager, for lifetime. Terms of lifetime plan are subject to additional conditions as outlined in this term outlined below. Lifetime plan holders are guaranteed 5 years (60 months) of access to AP, however, in the event that AP discontinues the service or ceases to do business, or in the event of an acquisition, change of control, a significant merger, or other legal re-organization of AP, AP may terminate the Perpetual License by returning your purchase price less an amount computed by multiplying your purchase price by a fraction, the numerator of which is the number of complete months since your purchase of the lifetime plan and the denominator of which is 60. If AP terminates your account because of a violation of our terms of service, AP will not refund any portion of your license fees. Refunds are not applicable on rejection of your application from any App Store or marketplace; AP may introduce additional services from time to time, which may be excluded from an existing lifetime plan without additional cost. If your AP lifetime plan account has no activity for a period of 3 years, we will consider that account dormant and will remove online access to the data. We will then keep the data for an additional one year, at which point we will delete your data. Activity is defined as a login to the AP account. You can cancel or delete your lifetime plan at any time either yourself or by contacting us; however, cancellation of a lifetime plan will not result in a refund.
*Please note – We have discontinued our lifetime plan since December 2018. However, all of the clients who have subscribed to our Lifetime Plan on or before 31st December 2018 will be getting all the benefits as per the plan.
1.5 Refund Policy
In case Appy Pie and the client conclude that there is a refund to be issued, it will be processed within X days. However, it is of significance to note that the amount charged by the Payment processor is non-refundable. Hence, all refunds from Appy Pie will come with a deduction of 3% of the amount or the actual processing fee charged by the Payment processor (whichever is higher).
Please note: If you upgrade to a higher plan, you will not be eligible for a refund, even if your 30-day period is not exhausted. We advise you to be 100% sure about your
commitment to the platform, before you go for an upgrade to a higher plan. Also the 30-day refund policy is applicable only on the first app subscription and also not applicable for the users who opted for the trial subscription and cancellation of the monthly or yearly plan after the trial period will not come with any refund eligibility.
1.6 Free Trials, Cancellations, and Refund on Subscription Renewals
All AP accounts begin with an obligation-free trial which will allow you to evaluate the service. Your credit card information will be collected to initiate a trial account. However, charges will only be applied after explicit account purchase. Please sign up for a monthly payment schedule if you are unsure of how long you will be using the service. Unfortunately, we can’t provide extensions to the free trial period and once billing has taken place, we are not able to offer refunds. If you decide to become a subscriber, you can upgrade to one of our paid plans even during the 7-day trial period. Once you have subscribed to one of our paid plans, your subscription will renew automatically, on your monthly or annual renewal date, until you cancel. Your cancellation stops all future payments only and no refunds will be offered on renewal payments made to date. Renewal rates are subject to change, but we’ll always notify you beforehand.
We offer a 30-day money back guarantee, and if you happen to cancel your subscription in this period, the request for refund will be approved. All refunds from Appy Pie will come with a deduction of 3% of the amount or the actual processing fee charged by the Payment processor (whichever is higher). However, the 30-day money back guarantee is not applicable for users who have opted for the 7-day free trial and cancellation of the monthly or annual plan after this period will not result in a refund.
Cancellations can be made any time by visiting the billing info page of your app or by contacting email@example.com. Please note that once billing has taken place, we are not able to offer refunds. The availability and duration of the free trial may vary by region and payment gateways.
1.7 Custom Mobile Apps Development
Payments for custom App design and development projects are made to us in increments as a courtesy to the client. Once a payment or deposit is made, it is non-refundable. If a project is cancelled or postponed, AP retains all monies paid and if applicable, a fee for all work completed beyond what was already paid for shall be paid by the client.
1.8 Build it for Me Plan
Payment of $499 towards Build it for me Plan is treated as a custom App design and development project. Hence once the payment of $499 is made, it is non-refundable. If a project is cancelled or postponed, AP retains all monies paid and if applicable, a fee for all work completed beyond what was already paid for shall be paid by the client.
1.9 Payment for Additional Services
AP offers additional Consumable in-app purchases that includes, but not limited to, Domain Name Registration, Premium Background Images, App Promotion (Appy Jump), App Hosting, App Bandwidth, Submission, Re-submission, Account Manager, App Download, Reseller, Push Notifications, Additional Drivers, Moderators, additional tasks, sms, change or removal of app permissions which you can select depending on your needs. Once a payment or deposit is made for these services, it is non-refundable. Consumable in-app purchases are depleted but can be upgraded on need basis and email notifications are sent to users when critical level thresholds are reached. It is pertinent to mention here that if Consumable in-app purchases are fully depleted and not upgraded, then this will lead to your app being locked for editing and viewing purposes.
App permission Changes: Please note that there will be a one-time charge of $99 each time you wish to add/remove permissions in your .apk (Android build).
1.10. App Promotion Campaign
To join the App Promotion Campaign, the following terms and conditions must be met.
- In order to promote an app, it must be live either on Google Play Store or Apple App Store or both, so that interested users can install your app
- A Firebase account must be set up and integrated with your Android and/or iOS app
- The apps must be resubmitted on the app stores (Google Play Store or Apple App Store), to activate the app promotion plan
- The apps must be “free to install” which means interested users should not be charged, just to download or install your app on their devices
- There will be no refund once the app promotion campaigns have started
1.11 Content Posted on Other Services
We have not reviewed, and cannot review, all of the material, including computer software, made available through the services and webpages to which AppyPie.com links, and that link to AppyPie.com. AP doesn’t have any control over those non-AP services and webpages, and is not responsible for their contents or their use. By linking to a non-AP website or webpage, AP does not represent or imply that it endorses such website or webpage. You are responsible for taking precautions as necessary to protect yourself and your computer systems from viruses, worms, Trojan horses, and other harmful or destructive content. AP disclaims any responsibility for any harm resulting from your use of non-AP websites and web pages.
1.12 Copyright Infringement and DMCA Policy
As AP asks others to respect its intellectual property rights, it respects the intellectual property rights of others too. If you believe that material located on or linked to by AppyPie.com or any AP social network or mobile application violates your copyright, you are encouraged to notify AP in accordance with AP’s Digital Millennium Copyright Act (”DMCA”) Policy. AP will respond to all such notices, including as required or appropriate by removing the infringing material or disabling all links to the infringing material. In the case of a visitor who may infringe or repeatedly infringes the copyrights or other intellectual property rights of AP or others, AP may, in its discretion, terminate or deny access to and use of the Service to such visitor. In the case of such termination, AP will have no obligation to provide a refund of any amounts previously paid to AP. Intellectual Property. This Agreement does not transfer from AP to you any AP or third party intellectual property, and all right, title and interest in and to such property will remain (as between the parties) solely with AP, AppyPie.com, the AppyPie.com logo, and all other trademarks, service marks, graphics and logos used in connection with AppyPie.com, or the Service are trademarks or registered trademarks of AP’s licensors. Other trademarks, service marks, graphics and logos used in connection with the Service may be the trademarks of other third parties. Your use of the Service grants you no right or license to reproduce or otherwise use any AP or third-party trademarks.
Notwithstanding anything contained in this Agreement, AP shall be the sole and exclusive owner of all the intellectual property developed by you or any developer on your behalf during a project, which shall be deemed to be assigned to you as long as you fulfill all commercial and other obligations towards AP. In case you choose not to fulfill all commercial obligations or breach any term and condition of this Agreement, any use of the Software or the project or any publishing of the Software or the app on the public app stores or any use of the Software or the project/app by you will be considered as an unauthorized use and amount to infringement of the intellectual property rights of AP.
AP reserves the right, at its sole discretion, to modify or replace any part of this Agreement. It is your responsibility to check this Agreement periodically for changes. Your continued use of or access to the Service following the posting of any changes to this Agreement constitutes acceptance of those changes. AP may also, in the future, offer new services and/or features through the Service (including, the release of new tools and resources and modification as well as termination of released features). Such new features and/or services shall be subject to the terms and conditions of this Agreement.
AP may terminate your access to all or any part of the Service at any time, with or without cause, with or without notice, effective immediately. If you wish to terminate this Agreement or your AppyPie.com account (if you have one), you may simply discontinue using the Service. AP can terminate the Service immediately as part of a general shut down of our service. All provisions of this Agreement which by their nature shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity and limitations of liability.
If we receive a chargeback or payment dispute (i.e. PayPal Dispute) from a credit card company or bank, your service and/or project will be suspended without notice. A $100 chargeback fee (issued to recover fees passed on to us by the credit company), plus any outstanding balances accrued as a result of the chargeback(s) must be paid in full before service is restored, files delivered, or any further work is done. Instead of issuing a chargeback, please contact us to address any billing issues. Requesting a chargeback or opening a PayPal dispute for a valid charge from us is fraud, and is never an appropriate or legal means of obtaining a refund. In case you dispute a valid charge, you stand ineligible for any refund, irrespective of whether you qualify for the refund otherwise.
1.16 Disclaimer of Warranties
The Service is provided “as is”. AP and its suppliers and licensors hereby disclaim all warranties of any kind, express or implied, including, without limitation, the warranties of merchantability, fitness for a particular purpose and non-infringement. Neither AP nor its suppliers and licensors, makes any warranty that the Service will be error free or that access thereto will be continuous or uninterrupted. You understand that you download from, or otherwise obtain content or services through, the Service at your own discretion and risk.
1.17 Limitation of Liability
You expressly understand and agree that AP shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses (even if AP has been advised of the possibility of such damages), resulting from: (i) the use or the inability to use the service; (ii) the cost of procurement of substitute goods and services resulting from any goods, data, information or services purchased or obtained or messages received or transactions entered into through or from the service; (iii) unauthorized access to or alteration of your transmissions or data; (iv) statements or conduct of any third party on the service; (v) any bugs arising in the app; (vi) corruption of application, hacking attacks, security of the app or any other matter relating to the service; (vii) any rejection of your mobile application from any mobile application store or marketplace; (viii) for any amounts that exceed the fees paid by you to AP under this agreement during the twelve (12) month period prior to the cause of action. AP shall have no liability for any failure or delay due to matters beyond their reasonable control. The foregoing shall not apply to the extent prohibited by applicable law.
1.18 General Representation and Warranty
You agree to indemnify and hold harmless AP, its contractors, and its licensors, and their respective directors, officers, employees and agents, from and against any and all claims, damages, obligations, losses, liabilities, costs or debts, and expenses (including but not limited to attorney’s fees) arising from: (i) your use of and access to the Service; (ii) your violation of any term of these Terms; (iii) your violation of any third party right, including without limitation any copyright, intellectual property, or privacy right; or (iv) any claim arising from feature bugs or content of the app by either you or a third party; or (v) any rejection of your mobile application from any mobile application store or marketplace, for any reason whatsoever. This defense and indemnification obligation will survive these Terms and your use of the Service.
1.20 User Generated Content
All apps, posts, community, software, social networks created on our platform is considered User Generated Content, AP does not endorse and has no control over User Generated Content submitted by you or others and accepts no responsibility whatsoever in connection with or arising therefrom. User Generated Content created through the Site is not necessarily reviewed by AP prior to posting in any Market Place or forum and does not necessarily reflect the opinions or policies of AP. If at any time AP chooses, in its sole discretion, to monitor the Marketplace, AP nonetheless assumes no responsibility for User Generated Content, no obligation to modify or remove any inappropriate or inaccurate User Generated Content, and no responsibility for the conduct of the user submitting any User Generated Content. AP makes no warranties, express or implied, as to the suitability, accuracy or reliability of any Content and other materials on the Marketplace. Nonetheless, Administrator reserves the right to prevent you from submitting User Generated Content and to edit, restrict or remove any User Generated Content for any reason at any time. You agree that Administrator shall accept no liability if we prevent, in our sole discretion, your User Generated Content from being submitted, or we edit, restrict or remove it. You also agree to permit any other user of this Site and any third-party website on which your User Generated Content may be included, to access, view and comment on the material for such user’s personal use.
1.21 Third-Party Services & Third-Party Application Providers
AP services utilize multiple Third-Party services including but not limited to Shutter Stock, PubNub, Facebook, Google’s (YouTube, Maps, Firebase, Sheets, API.AI), Sinch, Vuforia, AWS, Azure, Pixabay API, and others. You acknowledge that the license to each Third-Party Service that you obtain, is a binding agreement between you and the Application Provider. For Third-Party Apps, you acknowledge that (i) you are acquiring the license to each Third-Party App from the Application Provider; (ii) AP is not acting as agent for the Application Provider in providing each such Third-Party App to you; and (iii) AP is not a party to the license between you and the Application Provider with respect to that Third-Party App. The Application Provider of each Third-Party App is solely responsible for that Third-Party App, the content therein, any warranties to the extent that such warranties have not been disclaimed, and any claims that you or any other party may have relating to that Third-Party App. In the case of Third-Party Apps, the License Fee is set as the sole discretion of the Third-Party Application Provider and AP does not collect the License Fee on behalf of the Third-Party Application Provider, you will have to pay this directly to the Third-Party Application Provider. The Licensor may change the License Fee at any time.
For Appy Pie Chatbot: We offer integration with other third-party products with Chatbot. To be able to utilize the integrations you may be required to buy a separate subscription of those products from their respective websites. These integrations’ availability will be dependent on the availability of the API of those products. In case an integration is being removed you will be duly informed.
1.22 Beta Features
Some AP platform releases contain beta features like (Taxi, Food Court, Augmented Reality, Messenger, Chatbot, Design, Knowledge). We release these beta features to collect feedback on their implementation so that we can improve them. We value any feedback on these beta features, as it enables us to provide you with the best possible product. By submitting any suggestion, you agree that your disclosure is voluntary, unsolicited and without restriction and will not place AP under any fiduciary or other obligation, and that we are free to use the suggestion without any additional compensation to you, and/or to disclose the suggestion on a non-confidential basis or otherwise to anyone. Also, we have the sole authority and discretion to determine the period of time for testing and evaluation of Beta Services. We will be the sole judge of the success of such testing and the decision, if any, to offer the Beta Services as commercial services.
The availability of beta features will be documented in the release notes for every specific release. Other documentation will be available through the AP support section. Please consult the release notes and the documentation on how to enable and use these beta features.
Please take note of the following limitations regarding beta features:
- Beta features may be incomplete; future releases may include more functionality to complete the features
- Beta features may change in future releases, depending on the feedbacks
- Even though we aim for backwards compatibility, AP can’t guarantee backwards compatibility between monthly releases for beta features
- Beta features are not covered by any SLA and not part of our Reseller Platform
- We value feedback, including tickets describing problems with beta features, but these tickets will not be handled according to your SLA
- We cannot guarantee timely fixes for any problems you encounter with beta features
- Beta features should not be used for production applications
- Beta features may contain bugs, which could potentially lead to data corruption
1.23 Children’s Personal Information
AP does not knowingly collect any personal information from children under the age of 16. If you are under the age of 16, please do not submit any personal information through our Websites or Apps. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Policy by instructing their children never to provide personal information through the Websites or Apps without their permission. If you have reason to believe that a child under the age of 16 has provided personal information to us through the Websites, Bots or Services, please contact us at firstname.lastname@example.org, and we will use commercially reasonable efforts to delete that information.
1.24 Data Ownership Rights
You own the App, App data (content), Social Network and its content, Community and its content, Software and its content, and retain copyright and any other rights you already hold in Application, Software, Social Network, or Community that you create, submit, post, transmit or display on, or through, the Service, including any intellectual property rights which subsist in that Application, Software, Social Network, Community and your User Content, and you are responsible for protecting those rights. However, we reserve rights to lock your app, software, social network, or community for further viewing, editing or updating, in case your subscription is cancelled.
1.25 Legal Issues & Jurisdiction
This Agreement, and any disputes arising out of or related hereto, shall be governed by the laws of the State of New Delhi, India without regard to its conflict of laws rules. The parties agree that this contract is not a contract for the sale of goods; therefore, this Agreement shall not be governed by codification of Article 2 or 2A of the Uniform Commercial Code, or any references to the Uniform Computer Information Transactions Act or the United Nations Convention on the International Sale of Goods. The district and high courts located in New Delhi, India shall have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement. Each party hereby consents to the exclusive jurisdiction of such courts. Non-payment shall result in acceleration of the minimum value of this agreement being payable in full. You acknowledge that in the event of such acceleration, the minimum value of this agreement shall be due and payable as minimum liquidated damages because such balance will bear a reasonable proportion to AP’s minimum probable loss from your non-payment, the amount of AP’s actual loss being incapable to calculate. Client agrees to pay all costs and expenses, including but not limited to, attorney fees and court costs, for the collection and/or enforcement of any obligation under this agreement, whether or not a lawsuit or arbitration is commenced.
Connecting with AP
DATA PROCESSING ADDENDUM
(Rev. September 29, 2020)
This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement between Appy Pie (“AP”) and Customer for the purchase of online services (including associated AP offline or mobile components) from AP (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.
By agreeing to the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates, if and to the extent AP processes Personal Data for which such Affiliates qualify as the Controller. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, AP may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
HOW THIS DPA APPLIES
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such a case, the AP entity that is party to the Agreement is party to this DPA.
If the Customer entity signing this DPA has executed an Order Form with AP or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the Appy Pie entity that is party to such Order Form is party to this DPA.
If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement execute this DPA.
This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in Customer’s Agreement (including any existing data processing addendum to the Agreement).
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than
50% of the voting interests of the subject entity
“Controller” means the entity, which determines the purposes and means of the Processing of Personal Data.
“Customer Data” means what is defined in the Agreement as “Customer Data.” or “Your Data.”
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the individual to whom Personal Data relates.
“AP” means the Appy Pie entity which is a party to this DPA, as specified in the section “HOW THIS DPA APPLIES” above, Appy Pie LLP, a limited liability partnership incorporated under the LLP Act, 2008 having LLPIN AAF-5370 and having its principal place of business at 165, NSEZ Noida, 201305 India .
“AP Group” means AP and its Affiliates engaged in the Processing of Personal Data.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Sub-processor” means any Processor engaged by AP, by a member of the AP Group or by another Sub-processor.
“Supervisory Authority” means an independent public authority, which is established by an EU Member State pursuant to the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, AP is a Processor and that AP or members of the AP Group will engage Sub-processors pursuant to clause 5 “Sub-processors” below.
2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 AP’s Processing of Personal Data. AP shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by AP is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Details of the Processing) to this DPA.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request. AP shall, to the extent legally permitted, promptly notify Customer if AP receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, AP shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, AP shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent AP is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from AP’s provision of such assistance.
3.2 Data Subject Access Request (DSAR). If you wish to request for a DSAR, all you need to do is send us an email at email@example.com and we’ll respond at the earliest. AP shall, in the event of Data Subject Access Request (DSAR) from a data subject, furnish and send a report to the data subject within one calendar month of receipt of request. DSAR is essentially a request from a data subject for a copy of the personal data being processed by the Controller and an explanation of the purpose for which this personal data is being used.Typically the DPO responds back within 15 days, however the response time is never more than 30 days. In accordance with Article 15 of GDPR, individuals have the right to ask for the following information from AP:
- What personal data is being processed
- The purposes for which the personal data is being processed
- Who has the personal data or who will it be disclosed to
- The existence of any automated decision-making, including profiling. And, at least where this produces legal or similarly significant effects, what logic is being used for that purpose.
- How long will the data be retained for (or at least the criteria used to determine this)
4. AP PERSONNEL
4.1 Confidentiality. AP shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. AP shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Reliability. AP shall take commercially reasonable steps to ensure the reliability of any AP personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. AP shall ensure that AP’s access to Personal Data is limited to those personnel who require such access to perform the Agreement.
4.4 Data Protection Officer. Members of the AP Group will appoint a data protection officer where Data Protection Laws and Regulations require such appointment. The appointed person may be reached at firstname.lastname@example.org.
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) AP’s Affiliates may be retained as Sub-processors; and (b) AP and AP’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. AP or a AP Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the services provided by such Sub-processor.
5.2 List of Current Sub-processors and Notification of New Sub-processors. A list of Sub-processors as of 6 May 2020 for the Services is annexed in Schedule 1. Upon request, AP shall make available to Customer an updated list of Sub-processors for the Services with the identities of those Sub-processors and their country of location (“Updated Sub-processor List”).
5.3 Objection Right for New Sub-processors. Customer may object to AP’s use of a new Sub-processor by notifying AP in writing within ten (10) business days after receipt of an Updated Sub-processor List. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, AP will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If AP is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by AP without the use of the objected-to new Sub-processor, by providing written notice to AP. AP will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
5.4 Sub-processor Agreements. The parties agree that AP will provide the copies of the Sub-processor agreements only upon reasonable request by Customer.
5.5 Liability. AP shall be liable for the acts and omissions of its Sub-processors to the same extent AP would be liable if performing the services of each Sub-processor directly under the terms of this DPA, save as otherwise set forth in the Agreement.
6.1 Controls for the Protection of Personal Data. AP shall maintain administrative, physical and technical safeguards designed for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, including Personal Data.
6.2 SOC 2 Type 1 & Type 2 Report Upon Customer’s written request no more frequently than once annually, AP shall provide to Customer a copy of AP’s then most recent service organization controls SOC 2 Type 1 and Type 2 report for the Services. AP may require Customer to sign a nondisclosure agreement reasonably acceptable to AP before AP provides a copy of such report to Customer.
7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
AP has robust incident response management policies and data breach response policy in place and adheres to the procedures in case of any data breach and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by AP or its Sub-processors of which AP becomes aware (a “Customer Data Incident”) within 72 hours of confirmation of the incident via email and/or phone.
Once AP notifies their Customers, it becomes the Customers’ responsibility to notify their app users or “Data Subjects” about the data breach within 72 hours of the confirmation of the incident by AP. You agree to indemnify and hold harmless AP, its contractors, and its licensors, and their respective directors, officers, employees and agents, from and against any and all claims, damages, obligations, losses, liabilities, costs or debts, and expenses (including but not limited to attorney’s fees) arising from your inability to notify your users or Data Subjects about the data breach within 72 hours.
8. RETURN AND DELETION OF CUSTOMER DATA
AP shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Agreement.
For Appy Pie Knowledge: If an account deletion request is raised from the tool, the team will get in touch with you regarding the same within 7-10 days to seek confirmation and clarification on the request. Following the communication, the account will be deleted, and you will not be able to restore the data.
9. AUTHORIZED AFFILIATES
9.1 Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Affiliates, thereby establishing a separate DPA between AP and each such Affiliate subject to the provisions of the Agreement, this Clause 9, and Clause 10 below. Each Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Affiliates must comply with the terms and conditions of the Agreement, and Customer shall deem any violation of the terms and conditions of the Agreement by an Affiliate a violation.
9.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with AP under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates
10. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Affiliates and AP, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” clause of the Agreement, and any reference in such clause to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
For the avoidance of doubt, AP’s and its Affiliates’ total liability for all claims from the Customer and all of its Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Affiliate that is a contractual party to any such DPA. Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules thereto.
11. EUROPE-SPECIFIC PROVISIONS
11.1 GDPR. With effect from 25 May 2018, AP will Process Personal Data in accordance with the GDPR requirements directly applicable to AP’s provision of its Services.
11.2 Data Protection Impact Assessment. With effect from 25 May 2018, upon Customer’s request, AP shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to AP. AP shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Clause 9.2, to the extent required under the GDPR.
11.3 Invalidation of EU-US Privacy Shield.A recent ruling by the Court of Justice of the European Union invalidated the EU-US Privacy Shield Framework but did not invalidate Standard Contractual Clauses (SCCs) as a lawful transfer mechanism for personal data transferred outside of the EU, Switzerland or the UK.
At Appy Pie, we have Standard Contractual Clauses (SCCs) in place for transfer of data so that all personal data is protected. We are committed to enable our customers to provide customer service responsibly by implementing and adhering to prescribed compliance policies, both as a data controller and processor.
11.5 Additional Terms for Services offered by AP.
11.5.3 Appointment of New Sub-processors and List of Current Sub-processors. Customer acknowledges and expressly agrees that (a) AP’s Affiliates may be retained as Sub-processors; and (b) AP and AP’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services offered by AP. AP shall make available to Customer the current list of Sub-processors in accordance with Clause 5.2 of this DPA
11.5.4 Notification of New Sub-processors and Objection Right for New Sub-processors. Customer acknowledges and expressly agrees that AP may engage new Sub-processors as described in Clauses 5.2 and 5.3 of the DPA.
11.5.5 Copies of Sub-processor Agreements. The parties agree that AP will provide the copies of the Sub-processor agreements that have all commercial information only upon request by Customer.
11.5.6 Audits and Certifications. The parties agree that the audits shall be carried out in accordance with the following specifications: Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, AP shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of AP and that has signed nondisclosure agreement reasonably acceptable to AP) information regarding the AP Group’s compliance with the obligations set forth in this DPA in the form of AP’s SOC 1 report and, for its Sub-processors and its subsidiaries, the third-party certifications and audits set forth in the appypie.com Security, Privacy and Architecture Documentation located at https://www.appypie.com/security & https://www.appypie.com/privacy-policy to the extent appypie.com makes them generally available to its customers. Following any notice by AP to Customer of an actual or reasonably suspected unauthorized disclosure of Personal Data, upon Customer’s reasonable belief that AP is in breach of its obligations in respect of protection of Personal Data under this DPA, or if such audit is required by Customer’s Supervisory Authority, Customer may contact AP in accordance with the “Notices” Clause of the Agreement to request an audit at AP’s premises of the procedures relevant to the protection of Personal Data. Any such request shall occur no more than once annually, save in the event of an actual or reasonably suspected unauthorized access to Personal Data. Customer shall reimburse AP for any time expended for any such on-site audit at the AP Group’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and AP shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable; taking into account the resources expended by AP. Customer shall promptly notify AP with information regarding any non-compliance discovered during the course of an audit.
11.5.7 Certification of Deletion. The parties agree that AP shall provide the certification of deletion of Personal only upon Customer’s request.
1. PARTIES TO THIS DPA
The Section “HOW THIS DPA APPLIES” specifies how AP is party to this DPA.
2. UNRESOLVED PRIVACY OR DATA USE DISPUTES
In the event that AP was unable to satisfactorily address or resolve any privacy or data use concern then please contact us by writing an email to us on email@example.com. In case you need any clarification, you can also refer to our privacy policies in detail here.
3. ONLINE DISPUTE RESOLUTION (ODR)- AVAILABLE TO EUROPEAN CUSTOMERS ONLY
Information regarding online dispute resolution (ODR): The European Commission offers a platform for the resolution of online disputes. This platform is dedicated to facilitating the out-of-court settlement of disputes concerning contractual obligations in online sales and service agreements.
The platform can be found at http://ec.europa.eu/consumers/odr/.
4. LEGAL EFFECT
This DPA shall only become legally binding between Customer and AP, when the parties’ authorized signatories have duly executed this Agreement:
California Consumer Privacy Act is a state statute that is aimed at enhancing the privacy rights and consumer protection for California residents.
Appy Pie is in compliance with CCPA and is transparent about all or any personal data collected from the clients through the platform. To read Appy Pie’s CCPA policy, please click here.
You can place a ‘Do not sell my data’ request by filling in this form.
Annex 1 – Details of Processing
A. List of Parties
Name: The Customer, as defined in the Appy Pie Customer Terms of Service (on behalf of itself and Permitted Affiliates)
Address: The Customer’s address, contact details, as set out in the Order as set out in the Customer’s Appy Pie Account
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Appy Pie Subscription Services under the Appy Pie Customer Terms of Service
Role (controller/processor): Controller
Name: Appy Pie LLP
Address: 165, NSEZ, Noida-201305, India.
Contact person’s name, position and contact details: TN Pandeya, Data Protection Officer, Appy Pie LLP, 165, NSEZ, Noida-201305, India.
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Appy Pie Subscription Services under the Appy Pie Customer Terms of Service
Role (controller/processor): Processor
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred
You may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.
Categories of Personal Data Transferred
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- a. Contact Information
- b. Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.
Sensitive Data transferred and applied restrictions or safeguards
The parties do not anticipate the transfer of sensitive data.
Frequency of the transfer
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
1. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further processing
We will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
Period for which Personal Data will be retained
Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
C. Competent Supervisory Authority
For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either (i) where Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer’s compliance with the GDPR; (ii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Customer’s representative is established; or (iii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. In relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
Schedule 5 – Standard Contractual Clauses
Module Two: Transfer Controller to Processor (C2P)
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8 – Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9 – Clause 9(a), (c), (d) and (e);
(iv) Clause 12 – Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 – Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in DPA and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in DPA. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Use of sub-processors
(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 business days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
(a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination- including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authorities, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that these Clauses shall be governed in accordance with Legal Issues & Jurisdiction Specific Term as defined in the Appy Pie Customer Terms of Service or if such section does not specify an EU Member State, by the law of the Republic of Ireland (without reference to conflicts of law principles)
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of the jurisdiction specified in Clause 17.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
UK AND SWISS ADDENDUM TO THE STANDARD CONTRACTUAL CLAUSES
(a) This Addendum amends the Standard Contractual Clauses to the extent necessary so they operate for transfers made by the data exporter to the data importer, to the extent that the UK GDPR or Swiss DPA (as defined in the Appy Pie Data Processing Addendum) apply to the data exporter’s processing when making that transfer.
(b) The Standard Contractual Clauses shall be amended with the following modifications:
(i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR or Swiss DPA (as applicable);
(ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the UK GDPR or Swiss DPA (as applicable);
(iii) references to Regulation (EU) 2018/1725 shall be removed;
(iv) references to “EU”, “Union” and “Member State” shall be replaced with references to the “UK” or “Switzerland” (as applicable);
(v) Clause 13(a) are not used and the “competent supervisory authority” shall be the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
(vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” (as applicable);
(vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
(viii) to the extent the UK GDPR applies to the processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”; and
(ix) to the extent the Swiss DPA applies to the processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the competent courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts”.
List of Schedules Annexed:
Schedule 1: Sub-processors as of 6 May 2020
Schedule 2: Details of the Processing
Schedule 4: Process to access personal information retained by Processors/Controllers
Schedule 5: Standard Contractual Clauses – Module Two: Transfer Controller to Processor (C2P)
If you need a signed copy of our SLA, please send an email to firstname.lastname@example.org