Data Processing Addendum
Last updated 1 June 2026
Draft, pending counsel review. This document is a working draft and does not yet constitute final legal terms. It may change before publication.
This Data Processing Addendum (DPA) forms part of the agreement between the customer and ConsentX for the provision of the ConsentX platform at app.consentx.io. It governs the processing of personal data by ConsentX as a processor acting on behalf of the customer as controller, and reflects the requirements of Article 28 of the General Data Protection Regulation and equivalent obligations under the UK GDPR, the California Consumer Privacy Act and the Indian Digital Personal Data Protection Act. Where this DPA refers to a signed copy, that signed copy controls in case of any conflict with this page.
1. Definitions
Capitalised terms used in this DPA have the meanings set out below. Terms not defined here have the meaning given in Applicable Data Protection Law or in the Terms.
- Applicable Data Protection Law means all laws and regulations applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the UK GDPR and the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA), and the Indian Digital Personal Data Protection Act 2023 (DPDPA).
- Controller means the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data. Under this DPA the customer is the controller.
- Processor means the entity that processes personal data on behalf of the controller. Under this DPA ConsentX is the processor.
- Personal Data means any information relating to an identified or identifiable natural person that is processed by ConsentX on behalf of the customer under the Terms.
- Processing means any operation performed on personal data, whether or not by automated means, such as collection, recording, storage, use, disclosure, erasure or destruction.
- Data Subject means the identified or identifiable natural person to whom the personal data relates, including a website visitor or end user whose consent is recorded through the customer’s use of the platform.
- Subprocessor means any processor engaged by ConsentX to process personal data on behalf of the customer in connection with the service.
- SCCs means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, including the applicable modules.
- UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, or the UK International Data Transfer Agreement (IDTA), as applicable.
- DPF means the EU-US Data Privacy Framework, including the UK Extension and the Swiss-US Data Privacy Framework, where the recipient is certified.
- Terms means the ConsentX terms of service or master subscription agreement under which the customer accesses the platform.
2. Roles and scope
When the customer uses ConsentX to manage consent on its own websites, properties and applications, the customer is the controller of the personal data and ConsentX acts as the customer’s processor. ConsentX processes that personal data only on the customer’s documented instructions and solely for the purpose of providing and supporting the service.
This DPA forms part of the Terms. It applies to the extent that ConsentX processes personal data on behalf of the customer in its capacity as processor. Where ConsentX processes data as a controller for its own limited purposes, such as account administration, billing and security, that processing is governed by the ConsentX privacy policy rather than this DPA. In case of conflict between this DPA and the rest of the Terms on the subject of data protection, this DPA prevails.
3. Details of processing
The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are described in detail in Annex 1 to this DPA. In summary, the subject matter is the processing of consent records and related data needed to deliver the ConsentX platform. Processing lasts for the term of the subscription and any wind-down period agreed in this DPA, after which personal data is returned or deleted in accordance with Section 10.
4. Processor obligations
ConsentX, as processor, undertakes to comply with Article 28(3) of the GDPR and the equivalent obligations under Applicable Data Protection Law. In particular, ConsentX will:
- process the personal data only on documented instructions from the customer, including with regard to transfers, unless required to do otherwise by a law to which ConsentX is subject, in which case ConsentX will inform the customer of that legal requirement before processing unless the law prohibits such information on important grounds of public interest;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement and maintain the technical and organisational measures required under Article 32 of the GDPR, as described in Annex 2, to ensure a level of security appropriate to the risk;
- respect the conditions for engaging subprocessors set out in Section 5;
- taking into account the nature of the processing, assist the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer’s obligation to respond to requests for exercising data subject rights, as described in Section 7;
- assist the customer in ensuring compliance with the obligations relating to security of processing, personal data breach notification, data protection impact assessments and prior consultation under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to ConsentX;
- at the choice of the customer, delete or return all personal data after the end of the provision of services, as described in Section 10; and
- make available to the customer all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, as described in Section 9. ConsentX will immediately inform the customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Subprocessors
The customer grants ConsentX general written authorisation to engage subprocessors to process personal data in connection with the service. ConsentX maintains an up-to-date list of subprocessors on its subprocessors page and in Annex 3 to this DPA. ConsentX will give the customer notice of any intended addition or replacement of a subprocessor, giving the customer the opportunity to object on reasonable data protection grounds before the new subprocessor begins processing personal data.
Where ConsentX engages a subprocessor, it will do so by way of a written contract that imposes on the subprocessor data protection obligations no less protective than those set out in this DPA, in particular obligations to implement appropriate technical and organisational measures. ConsentX remains fully liable to the customer for the performance of each subprocessor’s obligations. If the customer reasonably objects to a new subprocessor and ConsentX cannot offer a commercially reasonable alternative, the customer may terminate the affected service as set out in the Terms.
6. International transfers
ConsentX hosts production data in the Amazon Web Services Asia Pacific Mumbai region (ap-south-1) in India, with Cloudflare providing content delivery and web application firewall services and Vercel hosting the public marketing site. Where the provision of the service involves a transfer of personal data outside the European Economic Area, the United Kingdom or another jurisdiction with data localisation requirements, ConsentX implements an appropriate transfer mechanism under Applicable Data Protection Law.
- For transfers subject to the GDPR, the parties incorporate the EU SCCs (Commission Decision (EU) 2021/914), applying the module appropriate to the relationship, with ConsentX acting as data importer.
- For transfers subject to the UK GDPR, the parties incorporate the UK Addendum or the UK IDTA in conjunction with the EU SCCs.
- Where the recipient is certified under the EU-US Data Privacy Framework, the UK Extension or the Swiss-US Data Privacy Framework, that certification may serve as the transfer mechanism for transfers to that recipient.
Where the SCCs apply, they are incorporated into this DPA by reference and, in case of conflict between the SCCs and any other term of this DPA, the SCCs prevail. ConsentX has appointed IntelligenceX as its representative in the European Union and the United Kingdom under Article 27 of the GDPR and the UK GDPR. The representative can be contacted via intelligencex.org.
7. Data subject rights assistance
ConsentX provides built-in features to help the customer respond to requests from data subjects to exercise their rights, including rights of access, rectification, erasure, restriction, objection and data portability, through the platform’s data subject access request and grievance workflows. Taking into account the nature of the processing, ConsentX assists the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer’s obligation to respond to such requests.
Where a data subject request reaches ConsentX directly, ConsentX will, unless legally required to act otherwise, promptly refer the request to the customer as controller and will not respond to the request itself except on the customer’s documented instructions.
8. Personal data breach
ConsentX will notify the customer without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting the customer’s personal data. The notification will, taking into account the information available to ConsentX, include:
- a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
- the name and contact details of the ConsentX contact point from whom more information can be obtained;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
ConsentX will cooperate with the customer and take reasonable steps to assist in the investigation, mitigation and remediation of the breach. The customer remains responsible for any notifications to supervisory authorities and affected data subjects required of it as controller. Breach notifications should be sent to security@consentx.io.
9. Audits and inspections
ConsentX makes available to the customer all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and this DPA, and allows for and contributes to audits, including inspections, conducted by the customer or an auditor mandated by the customer. ConsentX may satisfy an audit request, in the first instance, by providing relevant documentation such as security certifications, third party audit reports, summaries of penetration tests and responses to a reasonable security questionnaire.
Where the customer reasonably requires an on-site inspection, ConsentX will permit such inspection on reasonable prior notice, during normal business hours, no more than once in any twelve-month period unless required by a supervisory authority or following a personal data breach, subject to appropriate confidentiality undertakings and conducted so as to minimise disruption to ConsentX’s operations and the security of other customers.
10. Return and deletion on termination
On termination or expiry of the Terms, ConsentX will, at the choice of the customer, delete or return all personal data processed on behalf of the customer and delete existing copies, unless Applicable Data Protection Law requires storage of the personal data. ConsentX will carry out deletion or return within a reasonable period after the end of the provision of services, subject to a defined wind-down period agreed in this DPA.
Personal data retained in routine backups will be deleted in accordance with ConsentX’s documented backup retention schedule and will not be used for any purpose other than continuity while it remains in those backups. On the customer’s written request, ConsentX will provide written certification that it has complied with this Section 10.
11. CCPA addendum
To the extent that the CCPA applies to the processing of personal information under this DPA, ConsentX acts as a service provider to the customer as a business, as those terms are defined in the CCPA. ConsentX:
- processes personal information only on behalf of the customer and for the specific business purposes set out in the Terms and this DPA;
- does not sell or share personal information, and does not retain, use or disclose personal information for any purpose other than the business purposes specified, including not for its own commercial purposes;
- does not retain, use or disclose personal information outside the direct business relationship with the customer, and does not combine personal information received from the customer with personal information from other sources except as permitted by the CCPA;
- certifies that it understands and will comply with these restrictions; and
- will notify the customer if it determines that it can no longer meet its obligations as a service provider under the CCPA.
12. India DPDPA addendum
To the extent that the Indian Digital Personal Data Protection Act 2023 applies, the customer acts as the data fiduciary and ConsentX acts as a data processor engaged under a valid contract. ConsentX:
- processes personal data only in accordance with the customer’s instructions and the Terms;
- implements reasonable security safeguards to protect personal data in its possession or under its control and to prevent a personal data breach;
- intimates the customer of any personal data breach without undue delay so that the customer can meet its obligations to notify the Data Protection Board of India and affected data principals;
- assists the customer in responding to requests from data principals to exercise their rights, including the right to access, correction, completion, updating and erasure of personal data; and
- assists the customer with its grievance redressal obligations and refers any grievance received directly to the customer for handling.
13. Liability and order of precedence
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms, and any reference to the liability of a party in the Terms means the aggregate liability of that party under the Terms and this DPA together.
In case of any conflict or inconsistency, the following order of precedence applies: first, the SCCs and the UK Addendum to the extent they apply to a relevant transfer; second, the body of this DPA and its annexes; and third, the remainder of the Terms. Nothing in the Terms or this DPA is intended to limit or override the rights of data subjects or the powers of any supervisory authority.
Annex 1: Details of processing
This Annex 1 describes the processing carried out by ConsentX as processor on behalf of the customer as controller, as required by Article 28(3) of the GDPR and the SCCs.
| Item | Description |
|---|---|
| Parties | Data exporter and controller: the customer that subscribes to ConsentX. Data importer and processor: ConsentX, the provider of the platform at app.consentx.io. |
| Subject matter | Processing of consent records and related data needed to provide the ConsentX consent management, preference management, data subject request and compliance reporting services. |
| Duration | For the term of the subscription and any wind-down period, after which personal data is returned or deleted in accordance with Section 10. |
| Nature and purpose | Collection, recording, storage, organisation, retrieval, use and erasure of consent and preference data for the purpose of enabling the customer to obtain, record, evidence and honour end-user consent and to demonstrate compliance. |
| Types of personal data | Consent and preference records, consent receipts and timestamps, hashed or pseudonymised identifiers, IP address (which may be truncated), device and browser information, page or domain context, and, for data subject requests, the contact details and request content provided by the data subject. Customers should not send special categories of personal data unless expressly agreed. |
| Categories of data subjects | Visitors and end users of the customer’s websites, properties and applications, and individuals who submit data subject requests or grievances to the customer. |
| Frequency | Continuous, on an ongoing basis for the duration of the subscription, as visitors interact with the customer’s consent experiences. |
Annex 2: Technical and organisational measures
ConsentX maintains the technical and organisational measures set out below, appropriate to the risk, in accordance with Article 32 of the GDPR. These measures may be updated over time provided the updates do not materially reduce the overall level of security. Further detail is available on the ConsentX security page.
- Encryption in transit and at rest. Personal data is encrypted in transit using current TLS protocols and encrypted at rest using industry-standard algorithms.
- Access control and least privilege. Access to systems and personal data is restricted on a need-to-know basis, governed by role-based access controls, unique accounts and multi-factor authentication for administrative access.
- Network security. Production systems sit behind a Cloudflare web application firewall and security groups, with segmentation between environments and restricted ingress.
- Logging and monitoring. Security relevant events are logged and monitored, with tamper-evident consent evidence and alerting on anomalous activity.
- Secure software development. ConsentX follows a secure software development lifecycle that includes code review, dependency management and testing before release.
- Backup and recovery. Regular backups are taken and recovery procedures are maintained to support business continuity and resilience.
- Vulnerability management. ConsentX performs vulnerability scanning and periodic security testing and remediates findings according to their severity.
- Personnel training. Personnel are bound by confidentiality obligations and receive security and data protection training appropriate to their role.
- Physical security. Physical security of the underlying infrastructure is provided by Amazon Web Services data centres in the Asia Pacific Mumbai region (ap-south-1), which maintain recognised physical and environmental controls.
Annex 3: List of subprocessors
ConsentX uses a limited set of subprocessors to deliver the service, including Amazon Web Services for hosting in the Asia Pacific Mumbai region, Cloudflare for content delivery and web application firewall services, and Vercel for the public marketing site. Each subprocessor is bound by data protection obligations no less protective than those in this DPA.
The current and authoritative list of subprocessors, together with the mechanism for receiving notice of changes, is maintained on the ConsentX subprocessors page, which is incorporated into this Annex 3 by reference.
How to execute this DPA
To request a signed copy of the ConsentX DPA, email legal@consentx.io with your company name and the legal entity that will sign. ConsentX will return a copy for execution. For privacy enquiries contact privacy@consentx.io, and for security matters contact security@consentx.io. ConsentX’s representative in the European Union and the United Kingdom under Article 27 is IntelligenceX, which can be contacted via intelligencex.org.