Data Processing Terms & Conditions

Version Last Updated: 1st of February 2021

These Data Processing Terms and Conditions (“Data Processing Terms”) shall be expressly incorporated into the agreement between Company and Customer referencing these Data Processing Terms (“Agreement”) and shall apply solely to the extent that Company processes Customer Personal Data falling within the scope of the Data Protection Legislation in the course of providing Customer with access to the Platform and/or Services. Customer and Company may each be referred to herein as a “Party” and collectively as the “Parties”.

D-1. DEFINITIONS

Save as otherwise defined below, defined terms in these Data Processing Terms have the meaning given to them in the Agreement.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, and “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

“Applicable Laws” means the laws and regulations of any Member State and the United Kingdom or the laws of the European Union applicable to the parties and any other applicable law, including but not limited to the Data Protection Legislation and the e-Privacy Legislation;

“Company” means the applicable Falcon.io entity that is the contracting party to the Agreement;

“Content” means proprietary or public information gathered or created by Company and provided to Customer as part of the Platform or Services (e.g., via social listening functionality);

“Customer” means the entity purchasing a subscription to the Platform and/or Services in the Agreement;

“Customer Data” means data and information in any format, including but not limited to text (including text provided by a third party to or for Customer), files, images, and/or URLs, that is submitted by or for Customer to the Platform, or provided to Company by or for Customer in order for Company to provide Services, or collected and processed by or for Customer using the Platform, excluding Content;

“Company Personal Data” means any Personal Data included in Content (as applicable), as is provided to Customer under the Agreement and as further specified in Part II of Annex I to these Data Processing Terms;

“Customer Personal Data” means any Personal Data included in Customer Data, and as further specified in Part I of Annex I to these Data Processing Terms;

“Data Protection Legislation” means (i) the EU Data Protection Directive (95/46/EC) as transposed into domestic legislation of each Member State and the United Kingdom, as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and (ii) to the extent applicable, the data protection laws of any other country, including the United Kingdom;

“e-Privacy Legislation” means (i) the EU Privacy and Electronic Communications Directive (2002/58/EC) as transposed into domestic legislation of each Member State, as amended, replaced or superseded from time to time; and (ii) to the extent applicable, the privacy laws of any other country, including the United Kingdom;

“GDPR” means the General Data Protection Regulation ((EU) 2016/679);

“Member State” means any member state of the European Union;

“Platform” means the social media management, customer relationship management, media monitoring, analytics and communications system made available online on a Software-as-a-Service basis by Company or any of its Affiliates, and its underlying tools, databases, APIs, and software that make up the system, including any software or technology created by Company’s Affiliates;

“Restricted Transfer” means a transfer of Personal Data from the Data Controller to the Data Processor, or from the Data Processor to a Sub-Processor, where such transfer would, in the absence of the SCC, be prohibited by Data Protection Legislation;

“Services” means any custom professional services (e.g., strategic consulting) that are provided to Customer as set forth in the Agreement;

“SCC” means the standard contractual clauses promulgated by the European Commission for data transfers from an EU controller to a non-EU or non-EEA processor;

“Sub-Processor” means any person or entity appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller in connection with the Agreement.

The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Personal Data Breach” have the meaning set out in the GDPR.


D-2. Data Protection – General

Each Party will comply with all requirements of the Data Protection Legislation applicable to its respective role as Data Processor or Data Controller, as applicable. These Data Processing Terms are in addition to, and do not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.


D-3. Customer Personal Data

D-3.1 The Parties acknowledge that, for the purposes of the Data Protection Legislation and these Data Processing Terms, it is their understanding and intention that Customer is the Data Controller and Company is the Data Processor in respect of Customer Personal Data.

D-3.2 The obligations contained in these Data Processing Terms shall apply to any Affiliate of Company that processes data under the Agreement.

D-3.3 Annex I sets out the scope, nature and purpose of processing by Company, the duration of the processing and the types of Personal Data and categories of Data Subject.

D-3.4 Without prejudice to the generality of clause D-3.1, Customer will ensure that it is lawful to enable the transfer of Customer Personal Data to Company for the duration and for the purposes of the Agreement.

D-3.5 Without prejudice to the generality of clause D-3.1, Company shall, in relation to any Customer Personal Data processed in connection with the performance by Company of its rights and obligations under the Agreement:

D-3.5.1 process that Customer Personal Data only on the written instructions of Customer, including but not limited to any instructions contained in any Agreement, unless Company is obliged to process such Personal Data by the Applicable Laws. Where Company is relying on the Applicable Laws as the basis for processing Customer Personal Data, Company shall, insofar as is permissible under such Applicable Laws, promptly notify Customer of its obligations before performing the processing required by the Applicable Laws;

D-3.5.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, such as are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). The details of these technical and organisational measures are set forth in Annex II hereto;

D-3.5.3 take all reasonable steps to ensure the reliability of all personnel who have access to and/or process Customer Personal Data and shall ensure that all such personnel are obliged to keep Customer Personal Data confidential and that access to Personal Data is limited to those individuals who need to have access to Customer Personal Data for the purposes of the Agreement and to comply with Applicable Laws;

D-3.5.4 be bound by the SCC, which are hereby incorporated into these Data Processing Terms, in respect of any Restricted Transfer of Customer Personal Data from Customer to Company. Such SCC shall come into effect upon the commencement of the relevant Restricted Transfer;

D-3.5.5 not otherwise enter into any Restricted Transfer unless the prior written consent of Customer has been obtained and the SCC are used in relation to such transfer;

D-3.5.6 notify Customer without undue delay on becoming aware of a Personal Data Breach involving Customer Personal Data or upon receipt of a request or complaint from a Data Subject involving Customer Personal Data;

D-3.5.7 assist Customer, at Customer’s cost (save where such assistance is required as a result of a breach by Company of its obligations under these Data Processing Terms and/or the Agreement in which case such costs will be borne by Company), in responding to any request from a Data Subject (but shall not respond to any such request without Customer’s prior written consent, unless otherwise required by the Data Protection Legislation) and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and

D-3.5.8 within fourteen (14) days of termination of the Agreement, at the written direction of Customer, delete or return Customer Personal Data and copies thereof to Customer unless required by Applicable Law to store Customer Personal Data.

D-3.6 Company shall maintain complete and accurate records and information (“Records”) to demonstrate its compliance with these Data Processing Terms and will allow Customer, by its own personnel or by an independent auditor who executes Company’s standard non-disclosure agreement, to access all such Records during the term of the Agreement and for one year after termination, provided:

D-3.6.1 any such access for the purposes of auditing or otherwise inspecting the Records shall be on not less than thirty (30) days’ written notice, at any time during normal business hours, and not more than once during any twelve (12) month period unless:

D-3.6.1.1 Customer has reasonable grounds to suspect that a Personal Data Breach has occurred involving Customer Personal Data; or

D-3.6.1.2 Customer is required or requested to carry out an audit by Data Protection Legislation or a regulatory authority responsible for the enforcement of Data Protection Legislation in any country; and

D-3.6.2 Customer shall make (and shall ensure that any independent auditor makes) reasonable endeavours to avoid causing any damage, injury or disruption to Company’s premises, equipment, personnel and business during the audit;

D-3.6.3 Customer shall submit a detailed audit plan to Company upon giving notice of an audit, setting out details of the proposed scope and duration of the audit, such audit plan to be agreed between the Parties (acting reasonably);

D-3.6.4 if the scope of the requested audit has been addressed in an audit carried out by a recognised independent third party auditor within twelve (12) months of Customer’s request, and Company provides written confirmation that there have been no material changes in the controls and systems to be audited, Customer agrees to accept that audit report in lieu of carrying out its own audit; and

D-3.6.5 Customer shall bear the costs of the audit, save where Company is found to be in breach of its obligations under these Data Processing Terms in which case Company will bear the cost of the audit.

D-3.7 The Customer hereby consents to Company appointing Sub-Processors in connection with the provision of the Platform and Services. Company shall make available at https://gdpr.cision.com/Sub-Processors a list of current Sub-Processors and shall notify Customer via such website when a Sub-Processor is replaced or added to this list. Upon notification, Customer shall have 10 days to object to the appointment of the new Sub-Processor. If Customer objects on reasonable grounds, Customer shall have the right to terminate the Agreement immediately on notice.

D-3.8 Company confirms that it has entered or (as the case may be) will enter with any appointed Sub-Processor into a written agreement incorporating terms that are substantially similar to those set out in these Data Processing Terms. As between Customer and Company, Company shall remain fully liable for all acts or omissions of any Sub-Processor appointed by it pursuant to clause D-3.7.

D-3.9 Company may, at any time on not less than 30 days’ notice, revise these Data Processing Terms for the purposes of complying with its obligations pursuant to Applicable Law or an applicable certification scheme by replacing them with any applicable controller to processor standard clauses or terms required by such law or scheme.


D-4. Company Personal Data

The Parties acknowledge that, for the purposes of the Data Protection Legislation and these Data Processing Terms, it is their intention and understanding that Company and Customer are independent Data Controllers with respect to Company Personal Data, and each Party will comply with its respective obligations in connection therewith pursuant to the Data Protection Legislation and all Applicable Laws.

ANNEX I

PROCESSING, PERSONAL DATA AND DATA SUBJECTS


A. Customer Personal Data

1. General

Nature and Purpose of processing: Company may process Customer Personal Data as necessary to provide access to and use of the Platform, perform the Services and comply with its obligations under the Agreement.
Duration of the processing: Subject to clause D-3.5.8, Company may process Customer Personal Data for the duration of the Agreement, unless otherwise agreed by the Parties.


2. Falcon.io Platform

For the Falcon.io Platform excluding the Benchmark Module, the following shall apply:

Types of personal data:
  1. Individual Company platform user data (e.g., name, username, email address, title);
  2. Customer relationship management (CRM) system data (e.g., name, title, company, email address, business phone number, mobile phone number, geographic location); and
  3. Information that has been made public by data subjects themselves, such as identification data (e.g., name, username, social media handle, geographic location), and media (e.g., images, videos).
Categories of data subject:
  1. Customer’s authorized users of the Company platform;
  2. Customer’s own clients; and
  3. Individual social web users engaging with Customer’s social media channels.


3. Benchmark Module

For the Benchmark Module only, the following shall apply:

Types of personal data:
  1. Individual Company platform user data (e.g., name, username, email address, title); and
  2. Information that has been made public by data subjects themselves, such as identification data (e.g., name, username, social media handle, geographic location) and media (e.g., images, videos).
Categories of data subject:
  1. Customer’s authorized users of the Company platform;
  2. Customer’s own clients;
  3. Individual social web users engaging with Customer’s or a Customer’s competitor’s social media channels; and
  4. Individuals who have publicly accessible social media channels.


B. Company Personal Data

1. General

Nature and Purpose of processing: Customer may process Company Personal Data as necessary to access and use the Platform, receive the Services and comply with its obligations under the Agreement.
Duration of the processing: Customer may process Company Personal Data only for so long as is necessary for Customer to receive the benefit of access to and use of the Platform and the provision of Services, and otherwise in compliance with its own obligations under the Data Protection Legislation.


2. Falcon.io Platform

For the Falcon.io Platform excluding the Benchmark Module, the following shall apply:

Types of personal data: Information that has been made public by data subjects themselves, such as identification data (e.g., name, username, social media handle, geographic location) and media (e.g., images, videos).
Categories of data subject: Individuals publishing information publicly on the Internet, including social web users, bloggers and web content writers.


3. Benchmark Module

For the Benchmark Module only, the following shall apply:

Types of personal data: Information that has been made public by data subjects themselves, such as identification data (e.g., name, username, social media handle, geographic location) and media (e.g., images, videos).
Categories of data subject: Individuals who have publicly accessible social media channels.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES


Below is a description of the technical and organisational security measures and controls implemented by Company to protect personal data and ensure the ongoing confidentiality, integrity and availability of Company’s products and services. It is a high-level overview of Company’s technical and organisational security measures. More details on the measures we implement are available upon request. Company reserves the right to revise these technical and organisational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that Company processes in providing its various services. In the unlikely event that Company does materially reduce its security, Company shall notify its customers.

Company shall take the following technical and organisational security measures to protect personal data:

  1. Organisational management and dedicated staff responsible for the development, implementation, and maintenance of Company’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Company organization, monitoring and maintaining compliance with Company policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
  3. Maintenance of information security policies, with regular review of policies and measures and improvement of them where necessary.
  4. Communication with Company applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, firewalls are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
  5. Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilisation of commercially available and industry-standard encryption technologies.
  6. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
  7. Password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords.
  8. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
  9. Physical and environmental security of data center, server room facilities and other areas containing client confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Company facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
  10. Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Company possession.
  11. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Company technology and information assets.
  12. Incident/problem management procedures designed to allow Company to investigate, respond to, mitigate and notify of events related to Company technology and information assets.
  13. Network security controls that provide for the use of firewalls and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  14. Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  15. Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.