These WIZ AI Conversational Talkbot Data Protection Terms apply to the purchase and use of the Services, included in the contents of the Software As A Service Service Agreement (“Agreement”) between Wiz and Customer. Capitalized terms used in these Terms have the meaning set forth in the Agreement. These Terms apply to all purchases and use of the Services provided by Wiz.
The Parties agree as follows:
- Definitions and Interpretation
In this Schedule unless the subject or context otherwise requires, the following expressions have the following meanings:
“Applicable Data Protection Laws” means: (a) the PDPA; (b) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument of the Customer’s Member State which implements the Regulation (EU) 2017/003, the e-Privacy Directive and the GDPR (in each case as amended, consolidated, re-enacted or replaced from time to time); (c) all other personal data protection legislation applicable to Vendor and/or Customer (in each case as amended, consolidated, re-enacted or replaced from time to time);
“End User” means the data subjects for which Personal Data are forwarded by Customer to Vendor;
“End User Personal Data” means any Personal Data belonging to an End User that Customer transmits to Vendor;
“e-Privacy Directive” means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“PDPA” means the Singapore Personal Data Protection Act 2012;
“Personal Data” means data, whether true or not, about an individual who can be identified either from that data or from that data when combined with other information to which an entity has access or is likely to have access;
“DNC Registry” means the Do Not Call Registry established by the PDPA.
- Background
In the course of Vendor’s discharge of obligations under this Agreement, Customer may from time to time transmit End User Personal Data to Vendor.
- Customer’s Obligations
3.1 Customer shall at all times comply with Applicable Data Protection Laws at Customer’s cost.
3.2 Collection and Disclosure of Personal Data. Where Customer intends to disclose End User Personal Data (including without limitation by way of uploading a call list) to Vendor, Customer:
- shall cooperate with Vendor to provide all information and supporting documents requested by Vendor, and to Vendor’s satisfaction, for each set of End User Personal Data that Customer intends to transmit to Vendor;
- shall not disclose or transmit any End User Personal Data to Vendor before receiving Vendor’s express prior written approval;
- shall not disclose End User Personal Data unless the End User gives, or is deemed to have given, his consent under the Applicable Data Protection Laws to the collection, use or disclosure by Customer to third parties;
- shall be solely responsible for the accuracy, quality, and legality of (i) the End User Personal Data provided to Vendor by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data;
- shall not provide or make available to Vendor any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Vendor from all claims and losses in connection therewith;
- warrants: (i) the accuracy, quality, and legality of all End User Personal Data provided to Vendor; (ii) the legality of the means by which Customer acquired End User Personal Data and (iii) that Customer was duly authorised by End User to disclose End User Personal Data to Vendor.
3.3 Use and Processing of Personal Data. Where Vendor processes End User Personal Data on Customer’s behalf, Customer shall at all times:
- ensure that Customer’s instructions to Vendor comply with all Applicable Data Protection Laws and will not cause Vendor to be in breach of the Applicable Data Protection Laws;
- be solely responsible for the accuracy, quality, and legality of the instructions Customer provides to Vendor;
- immediately inform the Vendor if, in its opinion, an instruction of the Customer infringes the Applicable Data Protection Laws.
3.4 Managing End User Requests: access, correction, deletion etc. Customer is solely responsible to manage any request from an End User to access, correct, update or delete their Personal Data. Where Customer receives a request from End User to access, correct or delete their Personal Data, Customer shall:
a) promptly respond to an End User’s requests;
b) directly resolve all requests to access, correct or delete End User Personal Data;
c) if a complaint or request relating to any End User Personal Data has been made, promptly notify Vendor.
3.5 Compliance with Part IX of the PDPA (DNC Registry). Where a specified message (as defined by the PDPA) is sent to an End User, Customer is solely responsible to send the message, cause the message to be sent, authorise the sending of the message, make a voice call containing the message, cause a voice call containing the message to be made, or authorise the making of a voice call containing the message, and Customer shall at all times:
a) conduct regular checks to ensure that all End Users are not registered on the DNC Registry unless Customer has obtained clear and unambiguous consent from all End Users;
b) immediately notify Vendor when an End User becomes registered on the DNC Registry and (if Customer has not obtained clear and unambiguous consent from such End User) take all necessary steps to complete the removal of all such End User’s Personal Data;
c) immediately notify Vendor if Customer failed to obtain clear and unambiguous consent from any End User permitting the End User Personal Data to be collected by Customer, forwarded to Vendor and/or Vendor’s external service providers, and handled by Vendor in such manner as may be reasonably necessary to discharge Vendor’s obligations under this Agreement.
3.6 Compliance with Part IXA of the PDPA (Dictionary Attacks, Address Harvesting Software). Customer shall not cause any message to be sent to a telephone number that is generated or obtained through the use of a dictionary attack (i.e. method by which the telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations) or address-harvesting software (i.e. software that is specifically designed or marketed for use for (i) searching the Internet for telephone numbers; and (ii) collecting, compiling, capturing or otherwise harvesting those telephone numbers). At all times, Customer shall not:
a) provide or make available to Vendor any Personal Data that was (or is suspected to have been) obtained through illegal means;
b) provide or make available to Vendor any Personal Data that was derived through dictionary attack method or obtained by way of address-harvesting software.
3.7 Customer warrants and represents that:
a) Customer shall at all times be compliant with the Applicable Data Protection Laws;
b) Customer has obtained, or will take steps to obtain, clear and unambiguous consent from all End Users permitting the End User Personal Data to be collected by Customer, forwarded to Vendor and/or Vendor’s external service providers, and handled by Vendor in such manner as may be reasonably necessary to discharge Vendor’s obligations under this Agreement;
c) all End Users (who have not provided clear and unambiguous consent to Customer) are not registered on the DNC Registry and Customer will re-verify the same at such frequency as required by Applicable Data Protection Laws;
d) End User Personal Data was not obtained through illegal means; and
e) End User Personal Data was not derived through dictionary attack method or obtained by way of address-harvesting.
3.8 Customer agrees to pay all fines and penalties that Vendor is liable for, to fully and sincerely cooperate and assist Vendor, procure appearances in court, and make attestations by way of affidavit or otherwise, at Customer’s own expense, in the event Vendor is prosecuted or investigated under any Applicable Data Protection Laws.
- Compliance action
4.1 Vendor may, at its sole and absolute discretion, take any action to ensure that Vendor complies with the Applicable Data Protection Laws, including without limitation to:
a) removing any non-compliant End User Personal Data from the Vendor’s environment (including without limitation to the Vendor’s data centres, hardware, cloud system, etc.);
b) suspending the Services until Vendor determines that Vendor can continue to perform its obligations under the Agreement without violating any Applicable Data Protection Laws;
c) requesting Customer to remove the entirety (or any portion) of the End User Personal Data and to re-transmit a new list of End User Personal Data that is compliant with all Applicable Data Protection Laws;
d) terminating the Services with thirty (30) days’ written notice, or such shorter notice, if reasonably necessary to avoid non-compliance; and
e) taking any other action advised by legal counsel (including without limitation to modifying the Services) to avoid non-compliance with Applicable Data Protection Laws.
4.2 In taking action under Clause 4.1 above, all charges, fees and expenses that would have been payable to Vendor, if not for the suspension or non-performance of Services, shall continue to be payable, notwithstanding the fact that Services were not performed.
- Disclaimers
- No or limited collection. In general, Vendor does not collect any End User Personal Data except to the extent that: (a) End User directly and voluntarily provides Personal Data to Vendor; or (b) Customer disclosed or otherwise transmitted End User Personal Data to Vendor. Where Customer discloses or transmits End User Personal Data to Vendor, Clause 3.2 shall apply.
- Limited use and processing. In general, Vendor does not use or process any End User Personal Data except to the extent that: (a) End User has directly instructed or authorised Vendor to process their Personal Data; (b) Customer has instructed or authorised Vendor to process End User Personal Data on Customer’s behalf; (c) it is reasonably necessary that Vendor has to process End User Personal Data in order to perform Vendor’s obligations arising from the Agreement; (d) it is reasonably necessary that Vendor has to process any End User Personal Data in order to meet its obligations arising by operation of law. Where Vendor uses or processes End User Personal Data on Customer’s behalf, Clause 3.3 shall apply.
- Managing End User Requests: access, correction, deletion etc. In general, Vendor will not (of its own accord) correct or delete any End User Personal Data. However, at Customer’s instruction, Vendor may: (i) extend the necessary technological assistance to Customer if Customer is unable to access, correct or delete any End User Personal Data due to a technical fault; or (ii) manually correct or delete any End User Personal Data on Customer’s behalf. Further, if Vendor deems that a correction or deletion of any End User Personal Data is reasonably necessary in order to comply with Applicable Data Protection Laws, Vendor will take any action it deems fit. Where End Users request to access, correct or delete their Personal Data, Clause 3.4 shall apply.
- DNC Registry, Dictionary Attacks, Address Harvesting Software, etc. Vendor merely provides a service that enables a specified message to be sent. Vendor will not generally of its own accord send the message, cause the message to be sent, authorise the sending of the message, make a voice call containing the message, cause a voice call containing the message to be made, or authorise the making of a voice call containing the message. At all times, the following shall apply:
a) any messages sent to End Users (through the use of Vendor’s Services) are sent on behalf of Customer and at Customer’s instructions;
b) while Vendor may make recommendations to Customer: (i) Vendor generally has no input on the substantive content of the messages; (ii) Vendor does not decide when messages will be sent to End Users; and (iii) Vendor does not authorise the sending of the message;
c) Vendor does not perform any marketing through the messages for Vendor’s benefit and simply transmits all messages on behalf of Customer.
- Change to Applicable Data Protection Laws
The Parties agree to negotiate in good faith modifications to this Schedule if amendments are required for the Vendor to continue to perform its obligations under this Agreement in compliance with the Applicable Data Protection Laws or to address the legal interpretation of the Applicable Data Protection Laws, including (i) to comply with any amendments to the PDPA; (ii) to comply with the GDPR and any guidance on the interpretation of its provisions once it takes effect; or (iii) if changes to the membership status of a country in the European Union or the EEA require such modification.
- Disclaimer and Limitation of Liability
7.1 Without prejudice to any other rights or remedies that the Vendor may have, Customer hereby acknowledges and agrees that Vendor may be irreparably harmed by any breach of its terms and that damages alone may not be an adequate remedy. Accordingly, Vendor shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this Schedule.
7.2 Customer agrees that it will (in addition to, and without affecting, any other rights or remedies that Vendor may have whether under statute, common law or otherwise) indemnify and hold harmless Vendor, on demand, from and against all claims, liabilities, costs, expenses, loss or damage incurred by Vendor (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) arising directly or indirectly from a breach of this Schedule by Customer or enforcement of any rights under it.