Data Processing Agreement

Last Updated: April 2023

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) entered into between Pipes.AI, LLC (“Pipes”) and the publisher engaging Pipes’s services (the “Client”) is incorporated into the Agreement (as defined below). This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order or an executed amendment to the Agreement.  Notwithstanding that this DPA focuses on matters under California law, it remains applicable to all similar state data protection laws existing now or in the future.

DEFINITIONS

“California Personal Information” means Personal Data that is subject to the protection of the CCPA.

“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018), as amended and the California Privacy Rights Act (CPRA) and their accompanying regulations.

“Consumer”, “Business”, “Sell,” “Share” and “Service Provider” will have the meanings given to them in the CCPA.

“Agreement” means the online Service Agreement entered into with Pipes, together with all exhibits, appendices, schedules and attachments thereto, including any potential insertion order or amendments.

“Applicable Data Protection Law” means all applicable international, federal, state, provincial, and local laws, rules, regulations, directives, and governmental requirements relating in any way to the privacy, protection, transfer, or security of Personal Data, including, without limitation: EU Data Protection Law; the Gramm-Leach-Bliley Act; Payment Card Industry Security Standards (“PCI DSS”); security breach notification laws; laws imposing minimum security requirements; laws requiring the secure disposal of records containing certain Personal Data; laws governing the portability and/or cross-border transfer of Personal Data; and all other similar international, federal, state, provincial, and local requirements, as amended from time to time.

“Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.

“Data Subject” means the individual to whom Personal Data relates.

“Data  Subject  Rights”  means  Data  Subjects’  rights  to  information,  access,  rectification,  erasure,  restriction, portability, objection, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Law.

“European Data” means Personal Data that is subject to the protection of EU Data Protection Laws.

“EU Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and all other data protection laws of the European Union,   European Economic Area (“EEA”), and their respective member states, each as applicable, and as may be amended or replaced from time to time; and  in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same  to  perform  a  specific  or  general  action  with  regard  to  Personal  Data  (including,  but  not  limited  to, depersonalizing, blocking, deletion, making available).

“Permitted Affiliates” means any of Client’s affiliates that (i) are permitted to use the Services pursuant to the Agreement, but have not signed their own separate agreement with Pipes, (ii) qualify as a Controller of Personal Data Processed by Pipes, and (iii) are subject to European Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained  within  Client  Data  and  is  protected  similarly  as  personal  data,  personal  information  or  personally identifiable information under applicable Data Protection Laws.

“Processing  of  Personal  Data”  (or  “Processing/Process”)  means  any  operation  or  set  of  operations  which  is performed on Personal Data or on sets of Personal Data, whether or not by automated means such as collection, recording,  organization,  structuring,  storage,  adaptation  or  alteration,  retrieval,  consultation,  use,  disclosure  by transmission,  dissemination  or  otherwise  making  available,  alignment  or  combination,  restriction,  erasure  or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means the entity which Processes Personal Data on behalf of a Controller.

“Sub-Processor(s)” means a Processor engaged by Pipes to Process Client Personal Data.

“Supervisory Authority” means the competent supervisory authority under Applicable Data Protection Law.

Capitalized terms used but not defined herein have the meanings given to them in the Agreement.

1.     Scope and applicability

1.1.     This DPA applies to Processing of Personal Data subject to Applicable Data Protection Law by  Pipes in the context of the Agreement.

1.2.     This DPA forms part of the Agreement between Pipes and Client, and prevails over any conflicting term of the Agreement, but does not otherwise modify the Agreement.

1.3.     For the avoidance of doubt, Pipes’s obligations under this DPA are imposed on Pipes only to the extent that Applicable Data Protection Law is directly applicable to Pipes.

2.    Legal Grounds and Instructions

2.1.   Within the scope of the Agreement and in its use of the Services, Client will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to the Processing of Personal Data and the Instructions it issues to Pipes. In particular but without prejudice to the generality of the foregoing, Client acknowledges and agrees that Client will be solely responsible for: (i) the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired; (ii) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Law for the collection, use, and Processing of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring Client and Pipes have the right to Process the Personal Data in accordance with the terms of the Agreement (including this DPA) as required by Applicable Data Protection Law; (iv) ensuring that Client’s Instructions to Pipes regarding the Processing of Personal Data comply with applicable laws, including Applicable Data Protection Laws.

2.2.     Upon request from Pipes, Client must demonstrate that it relies on a valid legal ground for the Processing, including consent, where applicable.

2.3.    Client will inform Pipes without undue delay if it is not able to comply with its responsibilities under this section (2) or Applicable Data Protection Laws.

2.4.   Pipes will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Client’s lawful Instructions, except where and to the extent otherwise required by applicable  law. Pipes is not responsible for compliance with any data protection laws applicable to Client or Client’s industry that are not generally applicable to Pipes.

2.5.   The parties agree and understand that the Agreement (including this DPA), together with Client’s use of the Services  in  accordance  with  the  Agreement,  constitute  Client’s  complete  and  final  Instructions  to  Pipes  in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between Pipes and Client.

2.6.   If Pipes becomes aware that Pipes cannot Process Personal Data in accordance with Client’s Instructions due to a legal requirement under any applicable law, Pipes will (i) promptly notify Client of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Client issues new Instructions with which Pipes is able to comply. If this subsection (2.6) is invoked, Pipes will not be liable to Client under the Agreement for any failure to perform the applicable Services until such time as Client issues new lawful Instructions with regard to the Processing.

3.     Data Subject Requests.

3.1.     Client represents and warrants that Client’s process for handling requests from Data Subjects complies with Applicable Data Protection Law.

3.2.   Client shall be solely responsible for handling requests from Data Subjects to withdraw their consent, access, rectify, restrict or erase their Personal Data, exercise their right to data portability with regard to any Personal Data, object to the Processing of any Personal Data, or exercise their rights related to automated decision-making and profiling in connection with the Services.

3.3.   To the extent that Client is unable to independently address a Data Subject Request, then upon Client’s written request Pipes will provide reasonable assistance to Client to respond to any Data Subject Requests or requests from data protection authorities relating to Pipes’s Processing of Personal Data under the Agreement.

3.4.   If  a  Data  Subject  Request  or  other  communication  regarding  the  Processing  of  Personal  Data  under  the Agreement is  made  directly  to  Pipes, Pipes  will  promptly  inform  Client  and  will  advise  the  Data  Subject  to submit their request to Client. Client will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

4.     Information Security and Confidentiality.

4.1.     Client  and  Pipes  shall  develop,  maintain  and  implement  a  comprehensive  written  information  security program designed to ensure compliance with Applicable Data Protection Law.

4.2.     Without   limitation,   each   party’s   information   security   program   shall   include   technical,   physical,   and administrative/organizational safeguards designed to (1) ensure the security and confidentiality of Personal Data; (2) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (3) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any Personal Data Processed in connection with the Services (“Information Security Incident”).

4.3.     Each  party’s  information  security  program  shall,  among  other  things,  include  regular  testing  or  otherwise monitoring of  the effectiveness of its information safeguards. In addition, each Party shall comply with all provisions  of  its  written  information  security  policies,  procedures  and  guidelines  which  the  parties  have mutually agreed are applicable to the Services under this Agreement.

4.4.   Pipes will ensure that any personnel whom Pipes authorizes to Process Personal Data on Pipes’s behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

5.     Information Security Incident.

5.1.     To the extent required by Applicable Data Protection Law, each Party shall inform the other Party in writing of any Information Security Incident  involving Personal Data that has been Processed in connection with  the Services in a commercially reasonable time frame, and in any event, no later than the time period required under Applicable Data Protection Law.

5.2.     Such Information Security Incident notice shall describe, in reasonable detail, the nature of the Information Security Incident, the data elements involved, the identities of the affected individuals (if known), and the corrective action taken or to be taken to remedy the Information Security Incident.

5.3.     Client shall be solely responsible for any filings, communications, notices, press releases, or reports related to any Information Security Incident involving Personal Data. However, Client shall obtain Pipes’s approval prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Information Security Incident that expressly mentions Pipes or the Services.

6.     Governmental Requests for Personal Data.

6.1.     Except to the extent prohibited by Applicable Data Protection Law, each Party shall promptly inform the other Party in writing if any competent authority, regulator or public authority of any jurisdiction requests disclosure of, or information about, Personal Data that has been Processed in connection with the Services.

6.2.     Each Party shall, without limiting its rights under Applicable Data Protection Law, cooperate with the other Party as reasonably necessary to comply with any direction or ruling made by such authorities.

7.     Sub-Processors

7.1.   Client agrees that Pipes may engage Sub-Processors to Process Personal Data on Client’s behalf.

7.2.   Where Pipes engages Sub-Processors, Pipes will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Pipes will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of Pipes’s obligations under this DPA.

8.     Data Transfers

8.1.   The parties acknowledge and agree that Pipes may access and Process Personal Data on a global basis as necessary to provide Services in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Pipes in the United States and to other jurisdictions where Pipes and Sub-Processors have operations. We will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

9.     Additional Provisions for European Data

9.1.   Scope: This ‘Additional Provisions for European Data’ section shall apply only with respect to European Data.

9.2.   Roles of Parties: When Processing European Data in accordance with Client’s Instructions, the parties acknowledge and agree that Client is the Controller of European Data and Pipes is the Processor.

9.3.   Data Protection Impact Assessments: To the extent that the required information is reasonably available to Pipes, and Client does not otherwise have access to the required information, Pipes will provide reasonable assistance to Client with any  data  protection impact assessments, and prior  consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws. Pipes may charge a reasonable fee for assistance under this subsection (9.3).

9.4.   Transfer Mechanisms for Data Transfers: Pipes shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is  in  compliance  with  applicable  European  Data  Protection  Laws.  Such  measures  may  include  (without limitation)  transferring  such  data  to  a  recipient  that  is  covered  by  a  suitable  framework  or  other  legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of  protection  for  Personal  Data,  to  a  recipient  that  has  achieved  binding  corporate  rules  authorization  in accordance  with  European Data  Protection  Laws,  or  to  a recipient that  has  executed  appropriate  standard contractual  clauses  in  each  case  as  adopted  or  approved  in  accordance  with  applicable  European  Data Protection Laws.

9.5.   Compliance: Pipes will make all information reasonably necessary to demonstrate compliance with this DPA available  to  Client  and  allow  for  and contribute  to  audits,  including  inspections  by  Client in  order  to  assess compliance with this DPA. Client acknowledges and agrees that Client will exercise Client’s audit rights under this  DPA  by  instructing  us  to  comply  with  the  audit  measures  described  in  this  sub-section  (9.5).  Client acknowledges that the Services are hosted by our data center partners who maintain independently validated security  programs  and  that  Pipes’s  systems  are  periodically  tested  by  independent  third  party  penetration testing firms. Upon request, Pipes will supply (on a confidential basis) a summary copy of its penetration testing report(s) to Client, so that Client can verify our compliance with this DPA. Further, at Client’s written request, Pipes will provide written responses (on a confidential basis) to all reasonable requests for information made by Client necessary to confirm our compliance with this DPA, provided that Client will not exercise this right more than once per calendar year. The parties agree that Client will, when reviewing our compliance with this DPA pursuant to this sub-section (9.5), take all reasonable measures to limit any impact on Pipes.

10.  Additional Provisions for California Personal Information

10.1. Scope: This ‘Additional Provisions for California Personal Information’ section (Section 10) of the DPA will apply only with respect to California Personal Information.

10.2. Roles of the parties: When processing California Personal Information in accordance with Client’s Instructions, the parties acknowledge and agree that Client is a Business and Pipes is a Service Provider for the purposes of the CCPA.

10.3. Responsibilities: The parties agree that Pipes will Process California Personal Information as a Service Provider strictly  for  the  purpose  of  performing  the  Services  under  the  Agreement  (the  “Business  Purpose”)  or  as otherwise permitted by the CCPA.

11.  Permitted Affiliates

11.1. By signing the Agreement, Client enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of Client’s Permitted Affiliates, thereby establishing a separate DPA between Pipes and each such Permitted Affiliate subject to the Agreement and this DPA. Each Permitted Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the term “Client” will include Permitted Affiliates.

11.2. Except where  applicable  Data  Protection  Laws  require  a  Permitted  Affiliate  to  exercise  a  right or  seek  any remedy under this DPA against Pipes directly by itself, the parties agree that (i) solely the Client entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii)  the Client entity that is the contracting party  to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Client entity that is the contracting  entity  is  responsible  for  coordinating  all  communication  with  Pipes  under  the  DPA  and  will  be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.

12.  Authorization

12.1. The legal entity agreeing to this DPA as Client represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

13.  Notifications

13.1. Client  will  send  all  notifications,  requests  and  instructions  under  this  DPA  in  accordance  with  the  notice provision contained in the Agreement with a copy provided to Pipes’s Privacy and Data Protection department via email to privacy@Pipes.ai.

14.  Severability

14.1. If  any  individual  provisions  of  this  DPA  are  determined  to  be  invalid  or  unenforceable,  the  validity  and enforceability of the other provisions of this DPA will not be affected.

15.  Governing Law

15.1. This DPA will be governed by and construed in accordance with the ‘Applicable Law’ section of the Agreement, unless required otherwise by Data Protection Laws.

16.  Termination and Deletion:

16.1. This DPA is terminated when there are no further active Agreements in place between Pipes and the Client.

16.2. Client  may  request  return  of  Personal  Data  up  to  ninety  (90)  days  after  termination  of  the  applicable Agreement. Unless required or permitted by applicable law, Pipes will delete all remaining copies of Personal Data, within a commercially reasonable period after returning Personal Data to Client.

17.  Liability

17.1. Each party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the ‘Limitation of Liability’ section of the Agreement and any reference in such section to the liability of a party means aggregate liability of  that party and all of its Affiliates under the Agreement (including this DPA).