This Data Processing Agreement (the “DPA”) is entered into between WISEPOPS and the User and/or Subscriber with respect to the processing of personal data by WISEPOPS on behalf of the User and/or Subscriber.
With regard to the subject matter of this DPA, in the event of any inconsistencies between the provisions of this DPA and the GTU, the provisions of this DPA shall prevail.
1. Definitions
The definitions of WISEPOPS’ General Terms of Use (hereinafter “GTU”) are applicable to this DPA. In addition, all terms in the terminology of the personal data protection regulation will have the meaning given to them by the General Data Protection Regulation n°2016/679 (“GDPR”).
2. Purpose of the DPA
The purpose of the DPA is to define the terms and conditions under which the processing of personal data occurring during the performance of WISEPOPS services in accordance with the GTU will be implemented. This DPA is part of the GTU.
3. Data processing for the provision of the Services
By displaying the Pop-ups or WISP Notifications and collecting data from Internet users (“User and/or Subscriber Data”) for Users and/or Subscribers, WISEPOPS is required to process personal data related to such User and/or Subscriber data. User and/or Subscriber and WISEPOPS acknowledge that as far as the implementation of this processing is concerned, User and/or Subscriber acts as a data controller and WISEPOPS as a data processor.
WISEPOPS certifies that it understands and will comply with the restrictions on the use of User and/or Subscriber Data in connection with the WISEPOPS services set forth in this DPA. WISEPOPS will ensure that any employees, subcontractors, and agents involved in performing WISEPOPS services under the GTU comply with the terms of this DPA.
3.1 Documented instructions and details of the data processing
WISEPOPS processes User and/or Subscriber Data only on documented instructions from User and/or Subscriber, including with respect to the transfer of personal data outside the European Economic Area, except as otherwise required under the law of the European Union or that of a Member State of the European Union to which it would be subject. In such a case, WISEPOPS undertakes to inform the User and/or Subscriber of this obligation, unless the law imposing it prohibits such information for important reasons of public interest.
User and/or Subscriber, acting as the data controller and being responsible for the content of their Pop-ups and WISP Notifications, hereby declares and warrants being compliant with any applicable data protection law and regulation and in particular with the GDPR and any other laws such as the California Consumer Privacy Act (“CCPA”) as may be applicable from time to time (“Data Protection Law”).
At the time of the execution of the GTU, User and/or Subscriber instructs WISEPOPS to implement the following personal data processing under the following conditions:
- Purpose: to provide the services to User and/or Subscriber in accordance with the GTU;
- Nature of operations: operations necessary for WISEPOPS to provide the services to User and/or Subscriber;
- Duration of the processing: duration of the subscription to the services unless otherwise indicated by User and/or Subscriber;
- Categories of data subjects: any visitors of User and/or Subscriber’s websites;
- Personal data processed: any data collected by User and/or Subscriber when using the services (such as email address and/or phone number), IP addresses.
If the User and/or Subscriber wishes to modify these instructions, it will inform WISEPOPS in writing. In any case, WISEPOPS processes the User and/or Subscriber Data as reasonably requested by User and/or Subscriber provided that such instructions are consistent with the terms of this DPA and the Data Protection Law.
User and/or Subscriber may contact WISEPOPS regarding data protection issues by sending an email to the following address: [email protected].
3.2. Records of the data processing
WISEPOPS will maintain a record of all categories of processing activities carried out on behalf of the User and/or Subscriber.
3.3. Confidentiality of the data processing
WISEPOPS ensures that all persons authorized to process User and/or Subscriber Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.4. Technical and organizational measures
WISEPOPS will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to ensure the security and the confidentiality of User and/or Subscriber Data, as described in the security policy made available to User and/or Subscriber upon written request. WISEPOPS may modify or update this security policy from time to time.
3.5 Assistance
Taking into account the nature of the processing, WISEPOPS will use its best efforts to assist User and/or Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of User and/or Subscriber’s obligation to respond to requests for exercising the data subject’s rights and undertakes to transmit to User and/or Subscriber any request from a data subject regarding the processing of his data and addressed directly to WISEPOPS.
WISEPOPS assists the User and/or Subscriber in ensuring compliance with the obligations related to the security of data processing, to the notification of a data breach to the supervisory authority, to the communication of a data breach to the data subject, to the data protection impact assessment and to prior consultation with the supervisory authority.
WISEPOPS will notify the User and/or Subscriber in writing within forty-eight (48) hours after becoming aware of a personal data breach. WISEPOPS will provide User and/or Subscriber with information related to the nature of the personal data breach including where possible, the categories and the approximate number of data subjects concerned and the categories and approximate number of User and/or Subscriber Data records concerned, the likely consequences of the personal data breach and the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time as the notification, the information may be provided in phases without undue further delay.
WISEPOPS makes available to User and/or Subscriber all information necessary to demonstrate compliance with the obligations laid down in this Article. WISEPOPS will contribute to audits, including inspections, conducted by the User and/or Subscriber or another auditor mandated by User and/or Subscriber, at User and/or Subscriber’s costs. WISEPOPS will inform the User and/or Subscriber if, in its opinion, an instruction infringes applicable Data Protection Law.
3.6. Deletion of the personal data
WISEPOPS will delete User and/or Subscriber Data at the end of the provision of the services relating to processing unless applicable Data Protection Law requires the storage of the personal data.
4. Ulterior subprocessing
User and/or Subscriber hereby gives a general authorization to WISEPOPS to engage sub-processors for carrying out specific processing activities on behalf of the User and/or Subscriber in relation to the processing of User and/or Subscriber Data.
At this date, the sub-processors are:
Identity and address of the subsequent sub-processor | Appropriate safeguards if non-EEA data transfer | Purpose of the sub-processing |
Name: Google Ireland Limited Head Office Address: Gordon House, Barrow Street – Dublin 4, Ireland | Not applicable | Google Cloud & Google Analytics |
Name: Amazon Web Services EMEA SARL Head Office Address: 38 John F. Kennedy Avenue, L-1855, Luxembourg | Not applicable | Provision of hosting services |
Name: Cloudflare, Inc. Head Office Address: 101 Townsend St, San Francisco, CA 94107, USA | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Content Delivery Network |
Name: Postmark Head Office Address: 2400 Market St #235b, Philadelphia, PA 19103, USA | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Transactional emails |
Name: New Relic Head Office Address: 188 Spear St, San Francisco | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Performance monitoring |
Name: Rollbar, Inc Head Office Address: 510 Federal Street Suite 401 San Francisco, CA 94107 United States | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Software errors tracking |
Name: Taxamo Head Office Address: Ireland | Not applicable | Tax Compliance service |
Name: Hotjar Ltd. Head Office Address: Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe | Not applicable | Web analytics service |
Name: Fullstory Head Office Address: 1745 Peachtree St NE Atlanta, USA | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Product Analytics |
Name: Customer.io Head Office Address: 921 SW Washington St, Suite #820 – Portland, OR 97205 | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Email service provider |
Name: Segment.io, Inc. Head Office Address: 100 California Street, Suite 700 – San Francisco, CA 94111, USA | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Customer Data Infrastructure / Business Analytics |
Name: HubSpot, Inc. Head Office Address: 25 First Street, 2nd Floor – Cambridge, MA 02141 USA | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Customer Relationship Management platform |
Name: Intercom Head Office Address: 55 2nd Street, 4th Floor – San Francisco, CA 94105 | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Customer messaging application |
Name: Stripe Head Office Address: 510 Townsend Street – San Francisco, CA 94103, USA | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Payment processing and subscription management |
Name: Baremetrics, Inc. Head Office Address: 548 Market St #22583 – San Francisco, CA 94104 | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Payment analytics and subscription management |
Name: Amplitude Head Office Address: 631 Howard St Floor 5 – San Francisco | The transfer of data is governed by the standard contractual clauses of the European Commission: https://eur-lex.europa.eu/legal-content/FR/ALL/?uri=celex%3A32010D0087 | Product analytics |
Name: SatisMeter Head Office Address: Česká 1113/1, Prague 5, 158 00, Czech Republic | Not applicable | Product analytics |
Name: Harvestr Head Office Address: 5 Rue Eugène Freyssinet F, 75013 Paris | Not applicable | Product management |
The same data protection obligations as above-mentioned are imposed on those sub-processors by way of a contract or other legal act. Where those sub-processors fail to fulfil their data protection obligations, WISEPOPS will remain fully liable to the User and/or Subscriber for the performance of those sub-processors’ obligations.
The User and/or Subscriber will be informed of any change, addition, or replacement of sub-processors by subscribing to the change alert. User and/or Subscriber may object to such changes and terminate this agreement by sending a written notice within fourteen days of such notice. The User’s and/or Subscriber’s objection shall be based on reasonable grounds.
5. General Provisions
5.1. Severability
If one or several provisions of the DPA are deemed to be invalid or are declared as such under any law or regulation or following a definitive decision by a competent court, the other stipulations shall retain their full force and scope.
5.2. Liability
WISEPOPS’ liability that may arise from this DPA shall be limited in accordance with the provisions of the GTU.
5.3. Governing law and jurisdiction
This DPA is governed by French law. Any interpretation and/or dispute which may result from the DPA as well as any disputes between WISEPOPS and a User and/or Subscriber relating to the processing of User and/or Subscriber personal data are subject to the exclusive jurisdiction of the competent courts located in Paris.