Effective starting: 10/1/2025
This Data Processing Addendum (“DPA”) supplements the Master Service Agreement or other agreement in place between Customer and Communify covering Customer’s use of Communify's Products and related Support and Advisory Services (the “Agreement”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 9 of this DPA.
1. Scope and Term
1.1 Roles of the Parties For the purposes of the Agreement, the Parties agree that:
(a) Customer is either a Controller of Customer Data, or a Processor of Customer Data acting on another Controller’s behalf (e.g. Customer’s Affiliate) while passing down relevant processing instructions to Communify. Processing details are stated in Schedule 1 (Description of Processing).
(b) Communify is a Processor (or respectively, a Sub-processor) of Customer Data. Processing details are stated in Schedule 1 (Description of Processing).
1.2 Term of the DPA The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Communify ceases all Processing of Customer Personal Data).
1.3 Order of Precedence If there is any conflict or inconsistency among the following documents, the order of precedence from highest to lowest will be: (1) the main body of this DPA; (2) the applicable terms stated in Schedule 2 (Region-Specific Terms including any transfer provisions), provided that Schedule 2 terms shall only override the main DPA to the extent required by specific local law requirements; (3) Schedule 1 (Description of Processing); and (4) the Agreement.
2. Processing of Personal Data
2.1 Customer Instructions
(a) This DPA, the Agreement, applicable Orders and Customer’s use of the Products (including relevant configurations and settings) and related Support and Advisory Services constitute Customer’s documented instructions regarding Communify’s Processing of Customer Data (“Documented Instructions”).
(b) Communify must Process Customer Data solely in accordance with the Documented Instructions, as further stated in Section 6.1 of Schedule 1 (Description of Processing). Customer:
(i) must ensure its Documented Instructions comply with Applicable Data Protection Law. Communify is not responsible for monitoring Customer's compliance with Applicable Data Protection Law; and
(ii) is responsible for determining whether the Products and related Support and Advisory Services are appropriate for the Processing of Customer Data under Applicable Data Protection Law.
2.2 Confidentiality Communify must treat Customer Personal Data as Customer’s Confidential Information under the Agreement. Communify must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.
3. Security
3.1 Security Measures Communify has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents. Customer is responsible for configuring the Products and using features and functionalities made available by Communify to maintain appropriate security in light of the nature of Customer Data. Customer acknowledges that the Security Measures are subject to technical progress and development and that Communify may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Products during a Subscription Term.
3.2 Security Incidents Communify must notify Customer without undue delay and: (a) for Major Security Incidents, no later than four (4) hours after detection by Communify’s security team; and (b) for all other Security Incidents, no later than twenty-four (24) hours after Communify’s security team confirms a Security Incident (excluding time periods outside of Communify’s standard business hours for initial assessment), to enable Customer to meet its own notification obligations under Applicable Data Protection Law. For Security Incidents affecting critical or important functions, Communify must provide continuous updates to Customer every four (4) hours until resolution. Communify must provide detailed incident reports within seventy-two (72) hours including root cause analysis, impact assessment, and remediation timeline. Communify must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Communify’s reasonable control. Upon Customer’s request and taking into account the nature of the Processing and the information available to Communify, Communify must assist Customer by providing information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. Communify’s notification of a Security Incident is not an acknowledgment by Communify of its fault or liability.
4. Sub-processing
4.1 Notice of New Sub-processors Communify maintains an up-to-date list of its Sub-processors at https://www.communify.com/subcontractors-subprocessors. Communify will provide such notice, to those emails subscribed, at least thirty (30) days before allowing any new Sub-processor to Process Customer Personal Data (the “Sub-processor Notice Period”).
4.2 Sub-processor Agreements. Communify will conduct comprehensive due diligence on all Sub-processors before engagement and enter into a written agreement with each Sub-processor that imposes data protection obligations equivalent to those set out in this DPA, including appropriate technical and organizational measures, and operational resilience requirements including detailed exit strategies and business continuity planning. Communify will monitor Sub-processor performance continuously and maintain the ability to terminate Sub-processor arrangements if performance standards are not met. Communify remains fully liable to Customer for the performance of each Sub-processor’s obligations, provided that such liability shall be subject to the same limitations of liability set forth in the Agreement and shall not exceed the amount actually recoverable by Communify from such Sub-processor.
4.3 Sub-processor Objections. During the Sub-processor Notice Period, Customer may object to the engagement of a new Sub-processor by providing written notice to Communify setting forth specific, reasonable grounds for such objection based on (i) the Sub-processor’s inability to provide adequate data protection, or (ii) its legal restrictions on complying with Customer instructions. The Parties will discuss the objection in good faith. If resolution cannot be reached, Customer may terminate the affected Products or Services by providing thirty (30) days’ written notice and will pay for all Services rendered up to the termination date.
5. Assistance and Cooperation Obligations
5.1 Data Subject Rights Taking into account the nature of the Processing, Communify shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights under Applicable Data Protection Law. This includes assistance with rights of access, rectification, erasure, restriction, objection, and data portability.
5.2 Cooperation Communify shall provide reasonable cooperation to Customer in relation to any obligations under Applicable Data Protection Law to conduct data protection impact assessments or prior consultations with competent supervisory authorities, to the extent Customer cannot otherwise fulfil its obligations by using the available information or features within the Products.
5.3 Third-Party Requests If Communify receives a legally binding request for disclosure of Customer Personal Data from a law enforcement or government authority, Communify shall promptly notify Customer unless prohibited by law. Where Communify is prohibited from notifying Customer, Communify shall use reasonable efforts to obtain a waiver of the prohibition to communicate as much information as possible. All other third-party requests (including data subject requests sent directly to Communify) shall be redirected to Customer.
6. Deletion and Return of Customer Personal Data
6.1 During Subscription Term During the Subscription Term, Customer or its authorized Users may access, retrieve, and delete Customer Personal Data via the Products using available functionality (e.g., data export tools, dashboards, and APIs).
6.2 Post-Termination Upon termination or expiry of the Agreement, Communify shall:
(a) Provide transition assistance for at least twelve (12) months or until migration completes, whichever is earlier;
(b) Export all Customer Personal Data to Customer in a commonly used, machine-readable format within thirty (30) days of termination; and
(c) Permanently delete all Customer Personal Data following completion of the transition period and, upon request, provide written certification of such deletion.
Communify may retain Customer Personal Data where required by law or where retention forms part of standard backup or disaster recovery procedures, provided that such retained data remains subject to confidentiality obligations and is not processed further except as required by applicable law.
7. Audit
7.1 Audit Reports Communify is audited regularly by independent third-party auditors to verify the adequacy of its security and data protection controls. Upon written request and subject to confidentiality obligations, Communify shall provide Customer with summary copies of relevant audit or certification reports (e.g., SOC 2 Type II, ISO 27001) for Customer’s review to reasonably verify compliance with this DPA. Communify may also provide written responses to relevant security and privacy questionnaires where audit reports are insufficient to address Customer’s legitimate concerns. Such access shall occur no more than once every twelve (12) months unless otherwise required by law or in response to a verified Security Incident.
7.2 On-Site Audits Where Customer reasonably requires an on-site audit under Applicable Data Protection Law or following unresolved compliance concerns, Customer or its designated independent auditor (bound by confidentiality obligations) may perform such audit at Customer’s cost, subject to the following conditions:
(a) Customer must provide at least thirty (30) days’ prior written notice and coordinate logistics with Communify to minimize disruption;
(b) Audits shall be limited to once every twelve (12) months, except for justified Security Incidents or regulatory requests;
(c) Customer shall ensure auditors access only information relevant to verifying compliance with this DPA; and
(d) Communify may charge a reasonable fee to cover the costs incurred in supporting such audits unless they reveal material non-compliance.
8. International Provisions.
To the extent Communify Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of Personal Data (directly or via onward transfer).
8.1 International Data Transfers
(a) EU and EEA Transfers: To the extent Customer Personal Data originates from the EEA and is transferred to a country that does not provide an adequate level of protection within the meaning of Applicable Data Protection Law, the Parties agree that such transfers shall be governed by the EU Standard Contractual Clauses (“SCCs”) incorporated herein by reference. The SCCs shall apply as follows: Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable; Communify acts as “data importer,” and Customer as “data exporter.”
(b) UK Transfers: For transfers subject to UK data protection law, the International Data Transfer Addendum to the EU SCCs (Issued by the ICO, Version B1.0) shall apply.
(c) Swiss Transfers: For transfers subject to the Swiss FDPA, the EU SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.
(d) Other Transfers: Where Customer Personal Data is transferred from other jurisdictions, Communify shall ensure adequate safeguards in accordance with applicable law, which may include reliance on Binding Corporate Rules, certifications under the Data Privacy Framework, or approved contractual clauses.
8.2 Processing Limitations and Data Minimization
(a) Data Minimization: Communify shall only Process the minimum Personal Data necessary for providing the Products and Services to Customer.
(b) Purpose Limitation: Communify shall not Process Customer Personal Data for any purpose other than as set forth in this DPA or the Agreement without Customer’s prior written consent.
(c) Storage Limitation: Communify shall not retain Customer Personal Data longer than is necessary for the purposes for which it is processed or as required by Applicable Law.
9. Definitions
Applicable Data Protection Law: All laws and regulations relating to the Processing of Personal Data under the Agreement, including the GDPR, UK Data Protection Act 2018, Swiss FDPA, CCPA/CPRA, and other similar privacy laws.
Controller: An entity which determines the purposes and means of the Processing of Personal Data.
Customer Personal Data: Personal Data contained within Customer Data that Communify Processes solely on behalf of Customer under the Agreement.
Major Security Incident: A Security Incident that materially impacts the availability, integrity, or confidentiality of Customer Personal Data or critical functions of the Products, or that requires notification to a supervisory authority or data subjects under law.
Personal Data: Any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Law.
Processing: Any operation or set of operations performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
Processor: An entity that Processes Personal Data on behalf of a Controller.
Security Incident: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by Communify.
Sub-processor: Any third party engaged by Communify to Process Customer Personal Data on its behalf in connection with the Agreement.
Commercially Reasonable: Actions or efforts that are economically and technically feasible for Communify while meeting its legal and contractual obligations.
10. Remedies and Limitations
10.1 Limitation of Liability.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE DATA PROTECTION LAW, COMMUNIFY’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS DPA SHALL NOT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER TO COMMUNIFY UNDER THE AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE INCIDENT GIVING RISE TO LIABILITY. IN NO EVENT SHALL COMMUNIFY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES.
10.2 Exclusive Remedies. Customer’s exclusive remedy for any breach of this DPA shall be (i) Communify’s re-performance of the obligations, or (ii) if re-performance is not commercially reasonable, termination of the affected Services. Additionally, Customer may terminate the affected Services if: (a) Communify is in material breach and has failed to cure such breach within thirty (30) days after written notice; (b) circumstances arise that materially negatively alter Communify’s performance capabilities; (c) material weaknesses in Communify’s operational resilience are identified; or (d) a Supervisory Authority gives an instruction of termination. Customer waives any other remedies at law or equity, except to the extent such waiver is prohibited by Applicable Data Protection Law or other mandatory law.
10.3 Dispute Resolution. Except to the extent otherwise mandated by Applicable Data Protection Law, any disputes arising under this DPA shall be governed by and resolved in accordance with the governing law and dispute resolution provisions set forth in the Agreement.
10.4 Compliance Cure Period. If Customer claims Communify has breached this DPA, Customer must provide written notice specifying the alleged breach. Communify shall have thirty (30) days to cure any such breach before Customer may exercise any termination rights or claim damages.
Schedule 1
Description of Processing
1. Categories of data subjects whose Personal Data is Processed: Customer and its Users.
2. Categories of Personal Data Processed: Customer Personal Data, the content of which is determined and controlled solely by Customer and its Users.
3. Sensitive data transferred: Communify does not actively collect Sensitive Data (herein defined) but cannot control customer uploads. Customer or its Users may upload content to the Products which may include (i) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) data relating to criminal convictions and offences (collectively “Sensitive Data”), which is determined and controlled solely by Customer and its Users.
4. The frequency of the transfer: Continuous.
5. Nature of the Processing: Communify will Process Personal Data in order to provide the Products and related Support and Advisory Services in accordance with the Agreement, including this DPA. Additional information regarding the nature of the Processing (including transfer) is described in respective Orders for relevant Products and Documentation referring to technical capabilities and features, including but not limited to collection, structuring, storage, transmission, or otherwise making available of Personal Data by automated means.
6. Purpose(s) of the Processing:
6.1. Customer Data: Communify will Process Customer Data as a Processor in accordance with Customer’s Documented Instructions to:
(a) provide and improve the Products and related Support and Advisory Services for Customer, and enable the use of various features and functionalities in accordance with the Documentation and as directed by Users through the Products, including investigating Security Incidents, and resolving issues, bugs and errors;
(b) enforce the Acceptable Use Policy;
(c) comply with Communify’s legal obligations.
6.2. Controller Activities. Communify is a Controller of Personal Data as specified in Communify's Privacy Policy. This DPA does not limit or prohibit Communify from acting in that capacity.
7. Duration of Processing: Communify will Process Customer Personal Data for the term of the Agreement as outlined in Section 6 (Deletion and Return of Customer Personal Data).
Schedule 2
Region-Specific Terms
Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this Schedule will have the meanings given to them in Section 4 of this Schedule.
1. Europe, United Kingdom and Switzerland.
1.1 Customer Instructions. In addition to Section 2.1 (Customer Instructions), and Schedule 1 (Description of Processing) of the DPA above, Communify will Process Customer Personal Data only on Documented Instructions from Customer, including with regard to transfers of such Customer Personal Data to a third country or an international organization, unless required to do so by Applicable Data Protection Law to which Communify is subject; in such a case, Communify shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Communify will promptly inform Customer if it becomes aware that Customer's Processing instructions infringe Applicable Data Protection Law.
2. United States of America. The following terms apply where Communify Processes Personal Data subject to the US State Privacy Laws:
2.1. To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that Communify Processes as a Service Provider or Processor, on behalf of Customer, Communify will Process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer's Documented Instructions, as necessary for the limited and specified purposes identified in Section 6.1 of Schedule 1 (Description of Processing) of this DPA. Communify will not:
(a) retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Order, or as otherwise permitted under US State Privacy Laws;
(b) “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and
(c) retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws.
2.2. Communify must inform Customer if it determines that it can no longer meet its obligations under US State Privacy Laws.
2.3. Customer may take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Customer Personal Data.
2.4. To the extent Customer discloses or otherwise makes available Deidentified Data to Communify or to the extent Communify creates Deidentified Data from Customer Personal Data, in each case in its capacity as a Service Provider, Communify will:
(a) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
(b) publicly commit to maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, except that Communify may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and
(c) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 2.3 (including imposing this requirement on any further Recipients).
3. Definitions.
“Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.
“Europe” includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.
“EU Data Protection Law” includes (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time.
“EU SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.
“Service Provider” has the same meaning as given in the CCPA.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time.
“UK Data Protection Law” means the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time.
“US State Privacy Laws” means all applicable state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”).
4. Canada. The following terms apply where Communify Processes Personal Data subject to Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation:
4.1. Communify will Process Customer Personal Data in accordance with Canadian privacy laws and will provide comparable privacy protection as required under applicable Canadian privacy legislation.
4.2. Cross-border transfers of Customer Personal Data will be conducted in accordance with applicable Canadian privacy law requirements.
5. Asia-Pacific. For Personal Data subject to privacy laws in Singapore, Hong Kong, Japan, India, or other Asia-Pacific jurisdictions where Communify provides Services:
5.1. Communify will comply with applicable local data protection requirements and will implement appropriate safeguards for cross-border data transfers as required by local law.
5.2. Where required by local law, Communify will obtain necessary registrations, notifications, or approvals for data processing activities.
