Data Processing Agreement
Customer (“Customer”) has entered into an agreement with CrescendoAI Inc. (“Crescendo”) (each a “Party” and collectively the “Parties”) under which Crescendo has agreed to provide the Services in accordance with such agreement (the “Agreement”). This Data Processing Agreement (“DPA”), including its attachments, is incorporated into, and forms part of, the Agreement and shall be effective on the effective date of the Agreement and applies to Customer Personal Data that Crescendo processes when providing Services to Customer under the Agreement. The purpose of this DPA is to ensure such processing is conducted in accordance with Applicable Data Protection Laws and with due respect for the rights and freedoms of individuals whose Personal Data is processed.
This DPA consists of the main body and the following attachments: 1 (EU Standard Contractual Clauses); 2 (Details of the Processing); 3 (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data); 4 (List of Crescendo Affiliates); and 5 (UK Addendum).
Any capitalized terms not defined in this DPA shall have the meaning stated in the Agreement.
1. Definitions
“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a party.
“Agreement” means (i) each applicable Order Form and (ii) the Agreement made between Crescendo and Customer.
“Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, each as amended, repealed or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.
“CCPA” means the California Consumer Privacy Act, including as modified by the California Privacy Rights Act together with any implementing regulations.
“Customer Account Data” means Personal Data that relates to Customer’s relationship with Crescendo, including the names or contact information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account and also includes any personal data Crescendo may need to Process for the purpose of identity verification, maintain or improve performance of the Service(s), provide support, investigate and prevent system abuse, or fulfill legal obligations.
“Customer Personal Data” means the Personal Data that Crescendo processes for Customer in connection with the Agreement.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including as applicable a “business” as set forth in the CCPA and a “controller” as set forth in the GDPR and UK GDPR.
“Crescendo Affiliates” means the subsidiaries of Crescendo that may Process Customer Personal Data as stated in Attachment 4.
“Data Subject” means the identified or identifiable person to whom Personal Data relates and includes similarly defined terms in Data Protection Laws, including “person”, “individual”, and “consumer”.
“General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data.
“Personal Data” means information that (a) identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly to, an individual or household (including, without limitation, names, addresses, telephone numbers, e-mail addresses, authentication credentials and other unique identifiers); or (b) otherwise meets the definition of personal information, personal data, personally identifiable information, sensitive personal information or similar term under Applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, including similarly defined terms in Applicable Data Protection Laws.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person or other body which processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined under the CCPA.
“Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time) as stated in Attachments 1 and 2.
“Sub-processor” means Crescendo Affiliates and any entity engaged by Crescendo to process Customer Personal Data in connection with the Agreement.
“UK Addendum” means the UK International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A(1) of the UK Data Protection Act 2018 (as may be amended by the ICO or UK Government from time to time) as stated in Attachment 6.
“UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
“Website” means the webpage available at https://www.crescendo.ai
2. Details of the Processing
2.1 The Parties agree that Customer is a Controller and Crescendo is an independent Controller, not a joint Controller with Customer. Crescendo will process Customer Account Data as a Controller in order to: (a) manage the relationship with Customer; (b) carry out Crescendo's core business operations; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Service(s); (d) perform identity verification; (e) to comply with Crescendo's legal or regulatory obligations; and (f) as otherwise permitted under Applicable Data Protection Laws and in accordance with this DPA and the Agreement.
2.2 The Parties agree that Customer is the Controller of Customer Personal Data and Crescendo is the Processor of Customer Personal Data and for the purposes of US Data Protection Laws, Customer is the "business" and Crescendo is the Service Provider.
2.2 Attachment 1 describes the Processing details.
3. Ownership of the Customer Personal Data
3.1 As between the Parties, all Customer Personal Data processed under the terms of this DPA and the MSA shall remain the property of Customer. Under no circumstances will Crescendo act, or be deemed to act, as a Controller (or equivalent concept) of the Customer Personal Data under any Applicable Data Protection Laws.
4. Customer Obligations
4.1 The Agreement and this DPA are Customer’s documented instructions to Crescendo relating to Processing Customer Personal Data, and Customer may amend or replace these instructions with a separate, written agreement between the Parties.
4.2 Customer shall be responsible for ensuring that: (a) all necessary notices have been given, and all necessary consents and authorisations have been obtained, as required under Applicable Data Protection Laws for the processing of Customer Personal Data; (b) it has complied with, and will continue to comply with, all Applicable Data Protection Laws; and (c) it has, and will continue to have, the right to transfer, or provide access to, Customer Personal Data for processing in accordance with the terms of the Agreement.
4.3 Customer acknowledges that Crescendo is neither responsible for determining which laws are applicable to Customer’s business nor whether Crescendo’s Service(s) meet or will meet the requirements of such laws. Customer will ensure that Crescendo’s processing of Customer Personal Data, when done in accordance with Customer’s Instructions, will not cause Crescendo to violate any Applicable Data Protection Laws.
5. Crescendo Obligations
5.1 Crescendo agrees to process Customer Personal Data in accordance with Customer’s documented instructions as set out in the Agreement and this DPA for the specific purpose of providing the Service(s) to Customer, and also with regard to transfers of Personal Data to a third country in accordance with Article 28 (3) (a) of the GDPR, unless required to do otherwise by a Member State Law to which Crescendo is subject. In any such case, Crescendo shall notify Customer of such legal requirement upon becoming aware of same, except where prohibited by applicable laws.
5.2 Crescendo agrees to comply with its obligations under Applicable Data Protection Laws and shall: (i) notify Customer if it is no longer able to meet its obligations under Applicable Data Protection Laws; and (ii) cease Processing Customer Personal Data until Customer provides new instructions with which Crescendo is able to comply.
5.3 If section 5.2 is invoked, Crescendo will not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer provides new instructions for Processing.
5.4 Except as otherwise permitted by the CCPA, Crescendo will not: (i) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement for Customer; (ii) Sell or share (as defined by the CCPA) Customer Personal Data; (iii) combine the Customer Personal Data with other Personal Data except where expressly permitted under the CCPA, such as to detect data security incidents or protect against fraudulent or illegal activity; and (iv) further collect or use Customer Personal Data except as necessary to perform the Services.
5.5 Crescendo shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, provided that such measures shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved in the processing. Specific measures are further detailed in Attachment 3.
5.6 Crescendo shall ensure that any personnel whom Crescendo authorizes to process Customer Personal Data on its behalf is subject to confidentiality obligations with respect to the Customer Personal Data. The undertaking of confidentiality shall continue after the termination of the above-entitled activities.
6. Data Subject Requests.
6.1 Customer has sole responsibility for responding to requests from a Data Subject to exercise their rights under Data Protection Laws (“Data Subject Request”).
6.2 Crescendo shall not respond to any Data Subject Requests without Customer’s prior written instructions, except where required by law.
6.3 If Crescendo receives a Data Subject Request directly, it shall promptly notify Customer (insofar as it is able to identify the Data Subject) and, unless legally prohibited from doing so, direct the Data Subject to contact Customer.
6.4 Crescendo shall assist Customer, taking into account the nature of the processing and the requirements of Applicable Data Protection Laws, to address Data Subject Requests, provided such assistance is commercially reasonable and upon receiving Customer’s written instructions, Crescendo will provide reasonable assistance to address Data Subject Requests that Customer is unable to fulfill, using information made available by Customer.
7. Law Enforcement Requests.
7.1 Crescendo will not disclose or provide law enforcement with access to any Customer Personal Data unless required by law.
7.2 If law enforcement contacts Crescendo with a demand for Customer Personal Data, Crescendo will attempt to redirect the law enforcement agency to request that data directly from Customer.
7.3 If law enforcement compels Crescendo to disclose or provide access to any Customer Personal Data, Crescendo will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.
8. Deletion or Retrieval of Personal Data.
8.1 Following the termination or expiration of the Agreement, Customer shall provide written instructions to Crescendo to delete or return all Customer Personal Data and Crescendo shall comply with Customer's written instruction unless applicable law requires Crescendo to retain some or all of the Customer Personal Data, in which event Crescendo shall isolate and protect the Customer Personal Data from any further Processing except to the extent required by such law until deletion is possible.
8.2 Crescendo may store and retain information that serves as evidence demonstrating Crescendo’s compliance with its obligations under the Agreement and this DPA.
9. Data Protection Impact Assessments and Consultation with Supervisory Authorities.
9.1 Crescendo will, upon Customer's request, and taking into account the nature of the Processing and information available to Crescendo, provide reasonable assistance to Customer to fulfill Customer’s obligation to conduct data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR and UK GDPR or equivalent provisions of any Data Protection Laws, in each case solely in relation to the Processing of Customer Personal Data.
10. Personal Data Breaches
10.1 Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer.
10.2 Crescendo will notify Customer in accordance with Article 33(2) of the GDPR and equivalent requirements in other Applicable Data Protection Laws, without undue or unreasonable delay, and, where feasible, not later than 72 hours after it becomes aware of a Personal Data Breach affecting Customer Personal Data and, to the extent remediation is within Crescendo’s reasonable control, Crescendo will make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as it deems necessary and reasonable to remediate the cause of the Personal Data Breach.
10.3 At Customer’s request, and only where the Personal Data Breach is caused by Crescendo actions or omissions, Crescendo will provide Customer with all reasonable assistance to enable Customer to make any notifications to Data Subjects, supervisory authorities, governmental or other regulatory authority regarding a Personal Data Breach.
10.4 Crescendo’s notice of, or response to, a Personal Data Breach will not be construed as an acknowledgement or admission by Crescendo of any fault or liability regarding the Personal Data Breach.
11. Audits
11.1 The parties acknowledge that Crescendo uses external auditors to verify the adequacy of its security measures and validate the level of compliance from which Crescendo provides its data processing services. These audits:
(i) will be performed at least annually;
(ii) will be performed according to requirements of the applicable International Standard(s) including ISO (International Organization for Standardization) or other such alternative standards that are substantially equivalent to such frameworks;
(iii) will be performed by independent third-party security professionals at Crescendo’s selection and expense;
(iv) will lead to the creation of certificate(s) and or audit report(s) confirming that Crescendo’s data security controls meet current industry standards, in line with attestation standards set by the International Standards Organization and/or the American Institute of Certified Public Accountants (AICPA), or other equivalent standards (“Report”);
(v) Upon written request from the Customer, Crescendo will provide a confidential summary of the Report (“Summary Report”) at no cost. The Summary Report will be considered Crescendo’s Confidential Information; and
(vi) If the Customer’s audit obligations under Applicable Data Protection Laws are not adequately met by the Summary Report or other documentation generally available to Customers, Customer may request to conduct an audit of Crescendo in compliance with Applicable Data Protection Laws, by submitting a written request with at least 30 days advance notice to Crescendo at: contracts@crescendo.ai.
11.3 This audit can be conducted no more than once every twelve months, during Crescendo’s regular business hours and Customer shall ensure that it does not disrupt Crescendo’s regular day-to-day operations and Crescendo will reasonably cooperate with Customer and its auditor. Customer may perform the audit themselves or engage an independent accredited third-party audit firm, which may adhere to a confidentiality agreement with Crescendo. The Customer acknowledges that Crescendo operates a multi-tenant cloud environment, and any on-site audit will be restricted to the facility where Crescendo is providing Services to Customer. The audit will not involve access to data related to other Crescendo customers or systems not involved in processing the Customer’s Personal Data, and must not cause Crescendo to breach its confidentiality obligations to third parties. Customer will bear all costs and expenses related to such an audit, including any time Crescendo spends on the audit at its then applicable professional services rates.
11.4 Any audit report generated in connection with an on-site audit shall be considered Crescendo Confidential Information and shall be promptly provided to Crescendo. In case of a conflict between the audit terms in this section 10 and those in the EU SCCs and/or the UK Addendum, the terms in the EU SCC’s and/or UK Addendum will prevail. This section 10 does not affect the rights of supervisory authorities under the EU SCCs and/or UK Addendum.
12. Sub-Processors
12.1 Customer hereby grants Crescendo a general authorisation to engage the Sub-Processors listed at https://www.crescendo.ai/subprocessors (“Sub-Processor Policy”) in accordance with Article 28 of the GDPR and equivalent requirements in other Applicable Data Protection Laws to assist Crescendo in providing the Service(s) and processing Customer Personal Data, provided that such Sub-Processors:
(i) agree to only act on Crescendo’s instructions when processing the Customer Personal Data, which instructions shall be consistent with Customer’s processing instructions to Crescendo;
(ii) agree to protect the Customer Personal Data to a standard consistent with the requirements of this DPA, including implementing and maintaining appropriate and organisation measures to protect the Customer Personal Data they process with the Security Standards described in Attachment 3 to this DPA, as applicable.
12.2 Crescendo will update the Sub-Processor Policy on its Website with any Sub-Processor to be appointed at least thirty (30) days prior to such change. Customer may sign up to receive email notification of any such changes on Crescendo’s Website.
12.3 In the event that Customer objects to the processing of its Personal Data by a proposed Sub-Processor on reasonable grounds relating to data protection, it shall inform Crescendo in writing by emailing privacy@crescendo.ai within thirty (30) days following the update of the Sub-processor Policy above. In such an event, the Parties shall negotiate in good faith a solution to Customer’s objection. If the Parties cannot reach a resolution within sixty (60) days of Crescendo’s receipt of Customer’s objection, Crescendo will either (a) instruct the Sub-Processor to not process Customer’s Personal Data, in which event this DPA will continue unaffected, or (b) allow Customer to terminate this DPA and any unrelated services agreement with Crescendo immediately and provide it with a pro-rated reimbursement of fees of any sums paid in advance for Services yet to be provided, but not yet received by Customer as of the effective date of termination.
12.4 Crescendo will remain liable to Customer for each Sub-processor’s performance of its obligations under its contract with Crescendo.
12.5 The Service(s) provide links to integrations with Non-Crescendo Services, which may be integrated directly into Customer’s account or into the Service(s). If Customer elects to enable, access or use such Non-Crescendo Services, its access and use of such Non-Crescendo Services are governed solely by the terms and conditions of those services. Crescendo does not endorse, is not responsible for, and makes no representations as to any aspect of such Non-Crescendo Services, including, without limitation between Customer and the provider of such Non-Crescendo Services. Crescendo shall not be liable for any damage or loss caused or alleged to be caused by Customer’s reliance on the privacy practices, data security processes, data handling or other policies of such Non-Crescendo Services. The providers of Non-Crescendo Services shall not be deemed Sub-processors for any purpose under this DPA.
13. Data Transfers
13.1 Customer acknowledges and agrees that, in connection with the performance of the Service(s) under the Agreement: (i) Crescendo may transfer and Process Customer Personal Data on a global basis as necessary to provide the Service(s). Crescendo shall ensure that such transfers are made in compliance with Applicable Data Protection Laws and this DPA.
13.2 Attachment 1 and Attachment 2 apply to transfers of Customer Personal Data outside the European Economic Area and Attachment 5 applies to transfers of Customer Personal Data outside the UK.
13.3 To the extent that Customer or Crescendo are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently revoked, or held in a court of competent jurisdiction to be invalid, Customer or Crescendo agree to cooperate in good faith to pursue a suitable alternate mechanism that can lawfully support the transfer.
14. Limitation of Liability
14.1 This DPA shall be subject to the limitations of liability agreed between the parties set forth in the Agreement and any reference to the liability of a party means that party and its Affiliates in the aggregate. For the avoidance of doubt, Customer acknowledges and agrees that Crescendo’s total liability for all claims from Customer or its Affiliate(s) arising out of or related to the Agreement and this DPA shall apply in aggregate for all claims under both the Agreement and this DPA. This section shall not be construed as limiting the liability of either party with respect to claims brought by data subjects or under the EU SCC’s Clause 12 and/or the UK Addendum.
15. Governing Law
15.1 The governing law and jurisdiction will be governed by the Agreement, unless otherwise stated in this DPA.
16. General Provisions
16.1 In case of any conflict between the terms of this DPA and the terms of the Agreement, this DPA shall take precedence.
16.2 In case of any conflict between the terms of this DPA and the Standard Contractual Clauses or UK Addendum, the Standard Contractual Clauses or UK Addendum shall prevail.
16.3 Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
16.4 This DPA will automatically terminate when the Agreement terminates or expires.
Attachment 1: EU Standard Contractual Clauses
Where Customer Personal Data protected by GDPR is transferred either directly or via onward transfer, to a country outside the EEA that is not subject to an adequacy decision, the Parties have agreed to the Standard Contractual Clauses as follows:
- Module Two (Controller to Processor) applies where Customer is Controller of Customer Personal Data and Crescendo is Processing Customer Personal data as Processor.
- The Parties’ signature to this DPA is considered as signature to the Standard Contractual Clauses.
- Clause 7 (Docking clause): does not apply.
- Clause 9(a) (Use of sub-processors), Option 2: applies and the time period for prior notice of Sub-processor changes is stated in Section 12.2 of this DPA.
- Clause 11 (Redress): the optional language does not apply.
- Clause 13(a) (Supervision), the data exporter is Customer
- Clause 17 (Governing law): Option 1 applies, and the law of Ireland governs these Standard Contractual Clauses.
- Clause 18(b) (Choice of forum and jurisdiction): the courts of Ireland will resolve disputes arising from these Standard Contractual Clauses.
- Annex I of the EU SCCs shall be deemed completed with the information set out in Attachment 2 to this DPA; and
- Annex I.A and I.B and Annex II of the EU SCCs shall be deemed completed with the information set out in Attachment 2 and Attachment 3 to this DPA.
Attachment 2: Details of the Processing
A. LIST OF PARTIES
Data Exporter/Controller: Customer (as defined in the Agreement)
Data Importer/Processor: Crescendo (as defined in the Agreement)
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer’s customers
Categories of personal data transferred
Customer’s customer’s Personal Data which may include account information such as first name, last name, email address, telephone number and physical address
Sensitive data transferred (if applicable)
The parties do not anticipate the transfer of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
The transfers will be made on a continuous basis.
Nature of the processing
Customer Personal Data will be Processed in accordance with the Agreement (including this DPA)
Purpose(s) of the data transfer and further processing
Processor will Process Customer Personal Data as necessary to provide the Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement and subject to Section 8 of this DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing is stated in section B - Description of Transfer section of this Attachment 1. Subprocessors will Process Customer Personal Data as necessary to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
Ireland Data Protection Commissioner
Attachment 3: Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
Crescendo observes the security practices described in its set of security policies, which includes:
- Information Security Policy
- Data Protection Policy
These policies cover the following domains:
- Security Roles and Responsibilities
- HR Security
- Asset Management
- Access Control
- Physical, Endpoint and Network Security
- Cloud Security
- Logging and Monitoring
- Encryption
- Vulnerability Management
- Incident Response
- Acceptable Use and Security Awareness
- Data Handling Requirements (including GDPR/Privacy, PCI-DSS, HIPAA, COPPA)
Customer may request from Crescendo, current versions of the policies listed above at any time for review.
Notwithstanding any provision to the contrary otherwise agreed to by Customer, Crescendo may modify or update these policies and associated practices at its discretion, provided that such modification and update does not result in a material degradation in the protection offered by the policies and practices.
Attachment 4: List of Crescendo Affiliates
Attachment 5: UK Addendum
Where Customer Personal Data protected by UK GDPR is transferred, either directly or via onward transfer, to a country outside the United Kingdom that is not subject to an adequacy decision, the following Standard Contractual Clauses, pursuant to the Information Commissioner's Office decision of February 2, 2022, apply:
TABLE 1: PARTIES
The Parties’ details and key contact information are defined in the Agreement.
TABLE 2: SELECTED SCCS, MODULES AND SELECTED CLAUSES
See Attachment 1 of this DPA.
TABLE 3: APPENDIX INFORMATION
Annex 1A: List of Parties
Defined in the Agreement.
Annex 1B: Description of Transfer
See Attachment 2 of this DPA.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data
See Attachment 3 of this DPA.
Annex III: List of Sub processors
See Section 12.1 of this DPA and https://www.crescendo.ai/subprocessors
Table 4: Ending this Addendum when the Approved Addendum Changes
Both the Data Importer and Data Exporter may end the UK Addendum