Updated 14 December 2020
We have updated our Terms of Service and Data Processing Agreement. The changes relate to the use and processing of Customer Data. Updated terms shall be valid from the date of this notice, which is 14 December 2020, or within 30 days from this notice, depending on your contract with Supermetrics.
These Terms of Service (the “Terms”) including its appendices listed below, order form and/or any other agreement constitutes the entire agreement (“Agreement”) between the Customer or You and Supermetrics Oy (”Supermetrics” or “we,” “our” or “us”), regarding your use of our services specified in the Terms (the software, and services are collectively referred to as the “Service”). Please read these Terms carefully. You may authorize your employees or other individual authorized users (collectively, “Authorized Users”) to use the Service. You agree that you are fully responsible with respect to any use of the Service by an Authorized User, including any breach by an Authorized User of these Terms.
The following appendices forms an inseparable part of and is governed by the terms of these Terms of Service:
In the event of any conflicting terms in the Terms and its appendices, the Terms shall take precedence over the appendices, except in any matters relating to the processing of personal data, in which case Annex 1 (Data Processing Agreement) shall take precedence.
1. The Service
The Service is an analytics and reporting solution that helps customers collect their online data for reporting, analysis and active data management. The Service is provided only electronically through user interfaces on third party platforms, for example through an add-in or add-on functionality, and through interfaces hosted by Supermetrics.
The Service is not intended for users that are consumers (being an individual acting primarily for purposes other than a trade, business or profession) and the applicability of consumer protection legislation is therefore excluded. You must be 18 years of age or older to enter into this agreement and use the Service. You represent and warrant that any information you submit is true and accurate and that you are 18 years of age or older and are fully able and competent to enter into, and abide by these Terms, and that you have the authority to bind the Customer entity listed on the Agreement, if applicable.
3. Account Registration
All Authorized Users must register to use the Service. You agree to, and cause all Authorized Users to: (a) provide accurate, current and complete information as may be prompted by registration forms on the Service (“Registration Data”); (b) maintain the security of, and not share with any third party, any logins, passwords, or other credentials that you or any Authorized User selects or that are provided to you or any Authorized User for use on the Service; (c) maintain and promptly update the Registration Data, and any other information you or any Authorized User provides to us, and to keep all such information accurate, current, and complete; and (d) notify us immediately of any unauthorized use of any Authorized User account or any other breach of security by emailing us at firstname.lastname@example.org. Any activity on an Authorized User’s account shall be the sole responsibility of the Customer.
4. Free Trial
We may at our sole discretion offer you free trials for selected features of the Service or a limited time trial period of the entire Service. Once your free trial period ends, your ability to access the Service will terminate. Supermetrics reserves the right to determine if you are eligible for a free trial and to discontinue any free trial without notice at our sole discretion.
5. Fees and payment
Access to selected features of the Service may be provided to you free of charge. We will charge fees for certain features, either on a one-time or a subscription basis (“Paid Services”). Supermetrics reserves the right to implement fees or change the fees for certain services at any time by providing you notice on the Service or otherwise. When you purchase any Paid Services, you authorize Supermetrics or its third party payment processors to charge the credit card identified by you (which you represent and warrant that you are authorized to use) all applicable fees for your purchase, including all applicable taxes, and you agree that our payment provider can store your credit card information. If Supermetrics does not receive payment from your credit card provider, you agree to pay all amounts due upon demand and Supermetrics may suspend your access to the Services until full payment is received or terminate the Terms of Service. All sales are final and Supermetrics will not issue refunds, including for prepaid monthly fees. If you choose an automatic recurring payment and later decide to end your subscription, cancelling the payment is your responsibility. Supermetrics does not refund automatic payments not cancelled in time.
6. Access; Use Restrictions
Supermetrics hereby grants you the right to access and use the Service, subject to your compliance with these Terms at all times, including timely payment of all applicable fees. Your right to access and use the Service is personal, limited to your internal business purposes, non-transferable, non-exclusive, and revocable.
Your access and use of the Service are based on the Service client, data source, data destination and usage restrictions. Access and use may be restricted to one individual, company, your Supermetrics team or specific data access/usage. There may be additional restrictions, which may change from time to time, and we will use reasonable efforts to provide you with advance notice of impending changes in a timely manner. Specific written agreements for access and usage restrictions will be indicated in the Agreement and they will override these Terms.
Without limiting the generality of the foregoing, you will not, will not attempt to, and will not permit or encourage any third party to:
- reverse engineer, disassemble, decompile, decode, or otherwise attempt to derive or gain improper access to any software component of the Service, in whole or in part;
- modify or create derivative works of the Service, in whole or in part;
- use the Service in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any third party;
- interfere with or disrupt the integrity of the Service or any content or data contained therein or transmitted thereby;
- access, monitor, or copy any content or information on the Service using any robot, spider, scraper, or other automated means or any manual process for any purpose without our express written permission;
- violate the restrictions in any robot exclusion headers on the Service or bypass or circumvent other measures employed to prevent or limit access to the Service;
- take any action that imposes, or may impose, in our discretion, an unreasonable or disproportionately large load on our infrastructure;
- deep-link to any portion of the Service for any purpose without our express written permission;
- “frame”, “mirror,” sell, resell, rent, or lease any portion of the Service or otherwise incorporate any part of the Service into any other website without our prior written authorization;
- input any virus, malware, or other harmful code into the Service;
- use the Service or any Supermetrics Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services or to develop, commercialize, license, or sell any product, service, or technology that could, directly or indirectly, compete with the Service; or
- violate any applicable local, provincial national, or international law or regulation.
We may at any time suspend or terminate your or any Authorized User’s access to the Service if we have reason to believe that you are not complying with the Terms or you are otherwise abusing the Service.
7. Third-party services, data and content
7.1 The Service allows you to gather data from multiple third-party data sources and services, including various third-party websites (jointly “Third-Party Services”). The Third-Party Services from which the data can be gathered are selected by Supermetrics at its sole discretion and Supermetrics may, during the Term, change the Third-Party Services that are compatible with the Service. In addition, Supermetrics may discontinue the compatible Third-Party Services if the applicable service providers of the Third-Party Services discontinue the relevant services or discontinue making such services available to Supermetrics.
7.2 Supermetrics assumes no liability whatsoever for the data or other content collected from Third-Party Services, such as Facebook, Google Analytics and Google Ads. You are solely responsible for ascertaining that you have the right to use the Service for gathering and processing any such data by using the Service, and you must obtain any such consents and authorizations as may be needed from time to time in relation to such data or other content and their processing by using the Service. We do not assume any liability for such Third-Party services or software, and you are exclusively responsible for obtaining any necessary licenses or consents needed for their use. You must familiarize yourself with the applicable terms and conditions, including any restrictions on use, in relation to any such Third-Party Services and you agree to comply with the third-party terms and conditions applicable to the Third-Party Services in addition to the terms of the Agreement.
7.3 Furthermore, the Service may contain links to web pages and content of third parties as a service to those interested in this information. We do not monitor, endorse, or adopt, or have any control over any third-party web pages or content. We undertake no responsibility to update or review any such web pages or third-party content and can make no guarantee as to its accuracy or completeness. Additionally, if you follow a link or otherwise navigate away from the Service, please be aware that these Terms will no longer govern. You should review the applicable terms and policies, including privacy and data gathering practices, of any web page, third-party content or service provider to which you navigate from the Service. You access and use third-party content at your own risk.
7.4With respect to Google services, our tools will only have rights to access your Google Analytics/Ads/YouTube data (depending on which service you are logging in to), and nothing else on your Google account. You can revoke Supermetrics’ right to access your data at any point from your Google account control panel (https://security.google.com/settings/security/permissions).
8. Modifications to the Service
You acknowledge that Supermetrics may make modifications to the Service during the Term without prior notice to you; however, Supermetrics will use reasonable efforts to notify you of any material changes to the Service in advance. In the event of material changes to the Service, Supermetrics may provide further instructions to you with respect to any actions required by you in order to continue access and use of the Service, if necessary.
Supermetrics may engage subcontractors to perform the Service under the Agreement, provided that Supermetrics remains fully liable for any actions of such subcontractors. Notwithstanding the foregoing, Supermetrics shall not be liable for the acts or omissions of any of its hosting service or data communication service providers.
10. Term and Termination
10.1 Your account and subscription of the Service remains in effect unless you terminate it or unless Supermetrics terminates your account as provided by these Terms. Your account and subscription of the Service may, depending on your choice, be automatically renewable or valid for a fixed period. If your subscription is automatically renewable, your subscription to the Service will remain in effect and will be renewed automatically at the end of each subscription period unless you terminate your subscription or we terminate it.
If your subscription is made for a fixed period and/or not automatically renewable, your subscription will automatically terminate at the end of the agreed subscription period.
Upon the termination or expiration of the Agreement, you must immediately stop using the Service.
10.2 Supermetrics may terminate this Agreement or terminate or suspend any Authorized User’s access or use of the Service in the following circumstances:
(a) If Customer’s or any Authorized User’s continued use of the Service may, in Supermetrics’ discretion, result in material harm to Supermetrics, its subcontractors, affiliates, or another customer of the Service, Supermetrics may reasonably block or restrict Customer’s access to the Service;.
(b) if Customer or any Authorized User has (i) submitted information to the Service in violation of applicable law or (ii) otherwise used the Service in breach of these Terms, including the restrictions set forth in Section 6 above;
(c) any fees due by Customer remain unpaid fifteen (15) days after the applicable due date as set forth in the Agreement; or
(d) if Customer commits a material breach of its obligations under the Agreement and does not remedy such breach within thirty (30) days of receiving notice of breach from Supermetrics.
10.3 Either party may terminate the Agreement upon written notice to the other party if the other party enters into bankruptcy, becomes insolvent or makes an assignment for the benefit of creditors.
Any feedback, comments, suggestions, ideas, or other information provided by you in the form of email or other submissions to us (collectively “Feedback”), are non-confidential and you hereby grant to us and our subcontractors and affiliates a nonexclusive, royalty-free, perpetual, irrevocable, and fully sublicensable right to use your Feedback for any purpose without compensation or attribution to you.
12.1 The “Supermetrics” name, the Supermetrics logos, and any other product or service name or slogan contained on the Service are trademarks or registered trademarks of Supermetrics and its suppliers or licensors, and may not be copied, imitated or used, in whole or in part, without the prior written permission of the applicable trademark owner. All other trademarks, registered trademarks, product names and company names or logos mentioned on the Service are the property of their respective owners. Reference to any products, services, processes or other information, by trade name, trademark, manufacturer, supplier or otherwise, does not constitute or imply endorsement, sponsorship, or recommendation thereof by us, or vice versa.
12.2 Supermetrics may use your company name(s) and logo(s) for marketing purposes, including on the Supermetrics website and in press releases, promotional and sales literature, customer/prospect presentations, and customers lists.
13. Ownership and intellectual property rights
13.1 As between you and Supermetrics, Supermetrics owns all right, title, and interest, including all intellectual property rights, in and to the Service, and any services available in connection with the Service. Except for those rights expressly granted in these Terms, no other rights are granted, either express or implied, to you and all other rights are hereby reserved.
14. Confidential information
If we share non-public information about the Service with you, you must keep it confidential and use reasonable security measures to prevent unauthorized disclosure of or access to that information.
15.1 Supermetrics will process personal data as both 1) data controller; and 2) data processor on documented instructions from you as the data controller.
15.3 As a data processor, we process such personal data which you have provided to us (including collected or generated through the use of the Service) for the purpose of providing the Service. This processing of personal data is governed by a separate Data Processing Agreement entered into between you and us in connection with your signing up for the Service, which is attached hereto as Annex 1.
16. Customer Data
16.1 Customer, its subsidiaries, affiliates and customers retain all rights pertaining to all data, personal data or other information that Customer, or another party on Customer’s behalf, provides to Supermetrics for the purpose of providing the Service (“Customer Data”). Where permitted by Data Protection Laws, Supermetrics may process Customer Data or other data derived from the operation of the Service: (i) to build or improve the quality of its services (data shall be in aggregated and anonymous form); (ii) to detect security incidents; (iii) to protect against fraudulent or illegal activity and (iv) to create public statistics, for example, to enable Customers to benchmark their performance against industry level statistics (data shall be in aggregated and anonymous form). In no event does the aggregated data include any personally identifiable information or company level data.
17. Disclaimer of Warranties
YOUR USE OF THE SERVICE, INCLUDING, WITHOUT LIMITATION, YOUR USE OF ANY CONTENT ACCESSIBLE THROUGH THE SERVICE AND YOUR INTERACTIONS AND DEALINGS WITH ANY SERVICE USERS, IS AT YOUR SOLE RISK. SUPERMETRICS DOES NOT WARRANT UNINTERRUPTED USE OR OPERATION OF THE SERVICE OR YOUR ACCESS TO ANY CONTENT. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM THE SERVICE WILL CREATE ANY WARRANTY REGARDING SUPERMETRICS THAT IS NOT EXPRESSLY STATED IN THESE TERMS.
EXCEPT FOR ANY EXPRESS WARRANTIES INCLUDED HEREIN, WE DISCLAIM ALL WARRANTIES, TO THE MAXIMUM EXTENT PERMITTED BY LAW, EXPRESS OR IMPLIED, WITH RESPECT TO THE SERVICE, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE AND WE DO NOT WARRANT THE ACCURACY OF ANY DATA PROVIDED IN CONNECTION WITH THE SERVICE, OR THAT THE SERVICE IS FREE OF BUGS OR ERRORS.
18.1 Supermetrics will defend, indemnify and hold harmless Customer from and against any costs, damages, expenses, and liabilities (including, but not limited to, reasonable attorneys’ fees) arising out of or in relation to third-party claims or actions arising out of or relating to infringement of a third party’s intellectual property rights due to Customer’s use of the Service, except to the extent such claims or actions arise out of or are related to (i) any modification or combination of the Service by Customer with any service not provided by Supermetrics; (ii) any third-party programs, information, or data (including any Third-Party Services); (iii) any access or use of the Services by Customer in violation of these Terms, including the restrictions set forth in Section 6; or (iv) any data, information, or content provided by Customer.
Supermetrics’ indemnification obligation in this Section only applies under the condition that Customer has notified Supermetrics in writing of a claim or action within a reasonable time.
In case such third party claim is made or is likely to be made, Supermetrics is responsible, at its own cost, for obtaining any necessary rights for Customer to continue to use the Service under the terms of the Agreement or replace or modify the infringing part of the Service to be non-infringing without decreasing functionality. If Supermetrics is unable to replace or modify the infringing part, then Supermetrics may terminate this Agreement upon written notice to Customer, in which case Customer shall be entitled, as its sole remedy, to a pro-rata refund in the amount of the unused portion of any prepaid fees for the terminated Service calculated as of the effective date of termination. Supermetrics liability, and your sole remedy, for infringement of intellectual property rights in the Service shall be limited to this Section 18.1.
18.2 Customer will defend, indemnify and hold harmless Supermetrics from and against any costs, damages, expenses, and liabilities (including, but not limited to, reasonable attorneys’ fees) arising out of or in relation to third-party claims or actions arising out of or relating to:
(a) any breach by Customer or any Authorized User of the restrictions set forth in Section 6 above;
(b) any violation of applicable law by Customer;
(c) any data, information, or content inputted into the Service or otherwise provided by Customer, including any actual or alleged infringement of third-party intellectual property rights or rights to privacy arising out of any such data, information, or content, including Customer Data;
(d) any of Customer’s products or services;
(e) any material breach by Customer of this Agreement; or
(f) any gross negligence, willful misconduct, or fraud by Customer.
19. Limitation of Liability
Neither party nor its suppliers or licensors will be liable for any indirect, incidental, special, consequential, or exemplary damages, including, without limitation, damages for loss of profits, goodwill, use, data, or other intangible losses (even if such party or any supplier or licensor has been advised of the possibility of these damages), arising out of this Agreement.
Supermetrics’ maximum total liability towards the Customer and its Authorized Users for all claims under these Terms or otherwise in relation to the Service, whether in contract, tort, or otherwise, is limited to 100 EUR.
Any limitations of liability under this Section 19 shall not apply with respect breach of Section 14 (Confidential information) or in the event of gross negligence, willful misconduct, or fraud.
20. Governing law and dispute resolution
These Terms shall be governed and construed in accordance with the laws of Finland, without giving effect to principles of conflicts of law or to the Convention on Contracts for the International Sale of Goods. Any dispute, controversy or claim arising out of or relating to this contract, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce. The seat of arbitration shall be Helsinki, Finland. The number of arbitrators shall be one. The language of the arbitration shall be English.
21. Other terms
Neither party will be responsible for any failure or delay in the performance of its obligations under this Agreement (except for any payment obligations) due to causes beyond its reasonable control (a “Force Majeure Event”), which may include, without limitation, labor disputes, strikes, lockouts, shortages of or inability to obtain energy, raw materials or supplies, denial of service or other malicious attacks, telecommunications failure or degradation, pandemics, epidemics, public health emergencies, governmental orders and acts (including government-imposed travel restrictions and quarantines), material changes in law, war, terrorism, riot, or acts of God. Our failure to act in a particular circumstance does not waive our ability to act with respect to that circumstance or similar circumstances. Any provision of these Terms that is found to be invalid, unlawful, or unenforceable will be severed from these Terms, and the remaining provisions of these Terms will continue to be in full force and effect. The section headings and titles in these Terms are for convenience only and have no legal or contractual effect.
Neither party may assign this Agreement.
Supermetrics may change the content of these Terms, subject to posting a notice of change in its web page.
Any notices under or in relation to the Agreement shall be sent in accordance with the notice provisions in the Agreement.
By using the Service, you consent to receiving electronic communications from us. These communications may include notices about your account and information concerning or related to the Service.
ANNEX 1 Data Processing Agreement
1. Nature and purpose of the processing
This Data Processing Agreement (“DPA”) is an annex to and forms an inseparable part of the Agreement between the Customer or you and Supermetrics, regarding your use of our Services.
The agreed Service delivery may include processing of personal data by Supermetrics and its subcontractors, on behalf of the Customer, within the scope described in the Agreement. The purpose of this DPA is to set the terms and conditions governing such processing by Supermetrics on behalf of the Customer in compliance with the requirements set by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation, including the California Consumer Privacy Act of 2018 (“CCPA”) (collectively, “Data Privacy Laws”).
Supermetrics may process personal data only on behalf of the Customer solely to the extent necessary for the provision of the Services set forth in the Agreement, and may not otherwise process or use personal data for purposes other than those set forth in this DPA or as reasonably instructed by the Customer in writing where such instructions are consistent with the terms of the Agreement. Supermetrics may not sell the Customer’s personal data, as the term “sale” is defined under the CCPA. This DPA shall take precedence over conflicting provisions relating to processing of personal data in the Agreement, unless otherwise expressly stated in this DPA.
The parties acknowledge and agree that the Customer enters into this DPA on behalf of itself and on behalf of its affiliates which utilize the Services as defined in the Agreement (“Affiliates”), thereby establishing a separate DPA between Supermetrics and each of the Customer Affiliates subject to the terms of this DPA. The Customer and Affiliates are jointly referred to as the “Customer”. Supermetrics enters into this DPA on its own behalf and on behalf of those of Supermetrics’ group companies that are involved in the processing of personal data under this DPA and the Agreement.
All references to “personal data”, “processing”, “data subject” and other terms defined in Data Privacy Laws and not expressly defined herein shall have the same meaning in this DPA as in Article 4 of the GDPR. When CCPA applies, these above mentioned terms shall have the same meaning as defined in the CCPA; “controller” shall mean “Business” and “processor or “data processor” shall mean “Service Provider”.
In the event that under the Agreement it is agreed that Supermetrics’ cloud based service shall be delivered by a third-party provider (Amazon Web Services, Microsoft, Google or other) the parties acknowledge that any personal data processed within the cloud service shall be exclusively governed by the terms and conditions for the cloud service as stipulated and amended from time to time by the cloud service provider.
2. Term and termination of this DPA
This DPA shall become effective upon the Customer entering into the Agreement and shall remain in force during the validity of the Agreement and thereafter for as long as necessary for the finalization of the agreed processing of personal data.
3. Processing of your personal data
For the sake of clarity, it is noted that in relation to the personal data processed under this DPA, Supermetrics acts as a data processor or second data processor (a so called sub-processor), and the Customer acts as a data controller or first data processor (to the extent Supermetrics process personal data for which a customer of the Customer is considered controller).
The types of personal data and categories of data subjects may include the following depending on the service(s) Supermetrics provides:
|Categories of data subjects|
|The personal data will concern the following categories of data subjects:
Customers or users (including prospective customer’s or user’s) of the Customer or Customer’s customers.
|Types of personal data|
This DPA with the Agreement constitutes the instructions in accordance with which any such data is processed as per the date of entering into this DPA.
Supermetrics shall not process the personal data provided to Supermetrics via the Services by (or at the direction of) the Customer for any other purpose or otherwise deviate from the Customer’s instructions relating to the processing of personal data in any way, unless required to do so by the laws of the European Union or its member states to which Supermetrics is subject, in which case Supermetrics shall inform the Customer of that legal requirement before carrying out such processing (unless that law prohibits Supermetrics from doing so).
In the event that Supermetrics believes an instruction from the Customer is in breach of applicable data protection legislation or otherwise lacks instructions which, in Supermetrics assessment, are necessary to perform the processing of personal data in accordance with this DPA or applicable data protection legislation, Supermetrics shall promptly inform the Customer thereof and await further necessary instructions.
4. Responsibilities of the Customer
The Customer is the owner of its personal data and is responsible for the accuracy, legality, integrity and content reliability of such personal data. Customer shall, in its use of the Services, process personal data in accordance with the requirements of applicable data protection legislation and Customer will ensure that its instructions for the processing of personal data shall comply with applicable data protection legislation. Customer is solely liable for its compliance with Data Privacy Laws in its use of the Services. Customer must provide a written notification to Supermetrics without undue delay if it believes this DPA and Customer’s written instructions do not fulfil requirements of applicable Data Privacy Laws.
5. Assistance to the Customer
5.1 Supermetrics will assist the Customer in ensuring compliance with their obligations under Article 32 (security of processing), Article 33 (notification of personal data breaches to supervisory authorities), Article 34 (communication of personal data breach to data subjects), Article 35 (data protection impact assessments) and Article 36 (prior consultation), taking into account the nature of processing and the information available to the Supermetrics. Any assistance by Supermetrics outside the scope of the services agreed under the Agreement shall be charged by Supermetrics at the then current rate applied by Supermetrics.
5.2 Supermetrics shall, taking into account the nature of the processing, assist the Customer by appropriate technical or organisational measures, in the fulfilment of the Customer’s obligations to respond to data subject requests relating to their exercise of their rights under Data Privacy Laws. In this respect, Supermetrics shall provide assistance only upon request by the Customer. Any request directed to Supermetrics by a data subject shall be referred by Supermetrics to the Customer without undue delay. Any assistance by processor outside the scope of the Services agreed under the Agreement shall be charged by Supermetrics at the then current rate applied by Supermetrics.
5.3 Supermetrics shall notify the Customer about any personal data breaches concerning the Customer’s personal data without undue delay after having become aware of such personal data breach. To the extent possible, the notification shall include the following information:
- description of the nature of the personal data breach including where possible the categories and approximate number of data subjects and personal data records concerned;
- the name and contact details of Supermetrics data protection officer or other contacts where further information can be obtained;
- description of the likely consequences of the personal data breach; and
- description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.4 Where it is not possible for Supermetrics to provide the information as indicated in Section 5.3 at the same time as the notification of the personal data breach, the information may be provided in phases without undue delay.
6. Confidentiality and security
6.1 Supermetrics shall ensure that all persons authorized to process the personal data of the Customer are bound by an obligation of confidentiality with respect to such personal data, and only processes such personal data on instructions from the Customer, unless required to do so under applicable EU or EU member state law.
6.2 Supermetrics shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. This shall include, inter alia as appropriate, measures to:
- implement and maintain technical and organisational measures for safeguarding the confidentiality, integrity, availability and resilience of systems and services processing personal data;
- restore the availability and access to personal data in a timely manner in the event of an incident;
- regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing; and
- pseudonymize and/or encrypt personal data.
6.3 On request, Supermetrics shall cooperate with the supervisory authority in the performance of its tasks and shall comply with decisions by the supervisory authority on security measures required to comply with the GDPR. If and to the extent the Customer or the supervisory authority instructs Supermetrics to perform any measure, activity or action outside the scope of the Services agreed to under the Agreement, then such instruction shall be considered a request for additional services pursuant to the Agreement and additional fees may apply.
7. Sub-processors and transfers to third countries
7.1 The Customer acknowledges that Supermetrics needs to engage other processors for carrying out specific processing activities, and that Supermetrics wishes to deliver standard services to its customers in a consistent, secure and efficient manner. Accordingly, the DPA shall constitute a general authorization by the Customer for Supermetrics’ use of sub-processors. Supermetrics shall ensure that sub-processors are bound by a written agreement that require them to provide at least the level of data protection required by Supermetrics under this DPA. Supermetrics shall inform the Customer of changes concerning its sub-processors, including the identity and location of new or replaced sub-processors. A list of sub-processors (including their name, country, processing activities and country/area where processing activities are carried out) is available at Supermetrics web page or other location as designated by Supermetrics from time to time. Supermetrics will notify the Customers by adding the name and above mentioned details of new and replacement sub-processors to the list prior to them starting sub-processing of personal data.
7.2 Where a sub-processor fails to fulfil its data protection obligation, Supermetrics shall remain fully liable to the Customer for the performance of that sub-processor’s obligations.
7.3 If the Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Supermetrics of such objection in writing within ten (10) days of the notification. In case the Customer objects to the use of a specific sub-processor, the parties shall enter into good faith negotiations on how to resolve the issue. In case the negotiations do not solve the issue and the Customer opposes Supermetrics’ use of a specific sub-processor either party shall, for a justified reason and as a final remedy, be entitled to terminate the relevant Agreement on thirty days’ written notice.
7.4 Supermetrics and its sub-processors may transfer or process personal data outside the EU/EEA area.
7.5 When transfer of personal data by Supermetrics to a sub-processor outside the EU/EEA, is permitted as stated above, in case of any transfer Supermetrics shall ensure that transfer is only made to (a) a country deemed by the Commission to have an adequate level of protection, (b) entities having entered into the EU Commission standard contractual clauses approved by the European Union concerning the transfer of personal data to outside the EU/EEA or provided other appropriate safeguards as described in Article 46 of the GDPR.
7.6 Subject to the above and subject to Supermetrics keeping the Customer informed of any transfer of personal data outside the EU/EEA, the Customer gives its consent to the transfers and authorizes Supermetrics to agree on the use of privacy clauses on behalf of the Customer and to represent the Customer regarding those conditions of the standard contractual clauses that refer to the rights and liabilities of the Customer, as shown in Exhibit 1.
8. Retention of your data
Supermetrics has no obligation to store and Supermetrics will not store any of Customer’s data after the termination of your account and/or subscription of the Service. Supermetrics will, at Customer’s election, promptly delete or return all personal data related to Customer’s account after the end of the provision of the Services relating to processing and delete existing copies unless applicable legislation requires storage of the personal data.
9.1 Supermetrics shall upon the Customer’s request make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR.
9.2 The Customer or an auditor authorized by the Customer (however, not a competitor of the Supermetrics) is entitled to audit the activities pursuant to the DPA. The Parties shall agree on the time of the auditing and other details ahead of time and at latest 30 days before the inspection. The auditing shall be carried out in a way that does not impede the obligations of Supermetrics or its subcontractors in regard to third parties. The representatives of the Customer and the auditor must sign conventional non-disclosure commitments. The Customer shall be responsible for its own and Supermetrics’ expenses caused by the auditing. If notable defects are perceived during auditing, Supermetrics shall be liable for the costs incurred from remediating said defects.
9.3 . Provided that the parties have an applicable Non-Disclosure Agreement in place, Supermetrics reserves the right to provide the Customer with a copy of a third-party certification or report in lieu of an onsite audit as described in 9.2 above. In the event the customer does not find all reasonably needed info from the report, then 9.2. will apply.
Supermetrics shall compensate the Customer for damages incurred by the Customer as a result of fault or negligence by Supermetrics, or by a sub-contractor to Supermetrics, in the processing of personal data in breach of the Agreement or this DPA, including for claims by data subjects or a supervisory authority against the Customer caused directly by Supermetrics’ breach of this DPA.
To clarify, the limitations of liability set forth in Section 19 of the Agreement shall apply.
Standard Contractual Clauses (Processors)
for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Customer (as defined in the Agreement) (the data exporter)
Supermetrics’ sub-processor(s) as set forth in Section 7 of Annex 1 in the Agreement (the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
to the Standard Contractual Clauses
This Appendix forms part of the Clauses
The data exporter is: Customer as set forth in the Agreement.
The data importer is: Supermetrics’ sub-processor(s) as set forth in Section 7 of Annex 1 in the Agreement.
The personal data transferred concern the following categories of data subjects: data subjects as set forth in Section 3 of Annex 1 in the Agreement.
Categories of data
The personal data transferred concern the following categories of data: As set forth in Section 3 of Annex 1 in the Agreement.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: As set forth in Section 3 of Annex 1 in the Agreement.
The personal data transferred will be subject to the following basic processing activities: Processing to carry out the Services pursuant to the Agreement (as defined in the Agreement and Annex 1).
to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
The data importer shall implement and maintain technical and organisational security measures as set forth in Annex 1.
Try Supermetrics for free
Get full access to Supermetrics with a 14-day free trial.
No credit card required.