technical sufficiency criteria

Attachment
Last Updated: June 22, 2020
 
This Data Processing Addendum ("DPA") is made by and between RingCentral and Customer (each a "party", together the "parties"), pursuant to the Agreement for the provision of the Services (as defined below) to Customer.
 
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is processed by RingCentral as a Processor on behalf of Customer for the Services listed in Annex B.
 
Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
1.         Definitions
1.1.       For the purposes of this DPA:
    (a)    "Affiliate" means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
    (b)    "Agreement" means the main written or electronic agreement between Customer and RingCentral for the provision of any of the services set out at Annex B to Customer (each a "Service" and collectively the "Services").
    (c)    "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, EU and California Data Protection Laws.
    (d)    "EEA" means the European Economic Area, including the United Kingdom.
    (e)    "EU Data Protection Laws" means the applicable European data protection legislation, including, but not limited to, EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (also known as the General Data Protection Regulation) (the “GDPR”), and any and all applicable national data protection laws, rules and regulations in the United Kingdom, including the Data Protection Act 2018, and the EEA, which may be adopted from time to time including the French Law No 78-17 of 6 January 1978 on information  technology, data files and civil liberties as last amended by the Ordonnance n° 2018-1125 of 12 December 2018. 
    (f)    “California Data Protection Laws” means all applicable privacy and data security-related legislation and regulations adopted by the State of California, including, but not limited to, the California Consumer Privacy Act ("CCPA") (when in force) and any implementing regulations promulgated thereunder.
    (g)   "Controller" shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
    (h)   "Processor" shall mean an entity which processes Personal Data on behalf of the Controller.
    (i)    "Personal Data" means any information relating to an identified or identifiable natural person or household consisting of natural persons.
    (j)    “Sale” has the meaning set out in the CCPA, as and where the CCPA applies.  Disclosure of Personal Data to a Sub-processor pursuant to the terms of this DPA is expressly excluded from the definition of Sale.
    (k)   "Privacy Shield Framework" means the EU-US and Swiss-US Privacy Shield self-certification programs operated and administered by the U.S. Department of Commerce.
    (l)    "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C/2016/4176 of July 12, 2016 (as amended, superseded or replaced, as the case may be).
    (m)    "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.
    (n)    "Usage Data" means any data resulting from the Customer's use or operation of the Services, including, without limitation, traffic data, call detail records, metadata, log data, billing information, emails, customer authentication and audit logs, any data related to professional services, access logs, system logs, server logs. 
 
2.       Applicability of DPA
2.1            Applicability of DPA. This DPA will apply to the extent that RingCentral processes Personal Data on behalf of a Customer or Customer Affiliate as a Processor.
2.2           Usage Data. Notwithstanding anything to the contrary contained in this DPA, RingCentral is a Controller of Usage Data. To the extent that such Usage Data is collected or generated by RingCentral, such data may be used by RingCentral for purposes including regulatory compliance, network security, fraud detection and prevention, billing, internal analytics and other lawful purposes, but shall not be subject to Sale. For the avoidance of doubt, with the exception of this Section 2, this DPA will not apply to Usage Data.
 
3.       Roles and Responsibilities
3.1          Parties' Roles. As between the parties and for the purposes of this DPA, Customer shall be the Controller of the Personal Data that is processed by RingCentral under the Agreement as described in Annex A and RingCentral shall process the Personal Data as a Processor on Customer's behalf.
3.2         Obligations of the Customer. Customer undertakes to:
    (a)    Ensure that it may lawfully disclose the Personal Data to RingCentral for the purposes set out in the Agreement;
    (b)    Comply with Applicable Data Protection Laws in its use of the Services, and its own collection and processing of Personal Data (for the avoidance of doubt, Customer's instructions to RingCentral shall comply with Applicable Data Protection Laws and Customer shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Customer acquired Personal Data); and
    (c)    Ensure that no special categories of data or sensitive data (as defined in the GDPR or Applicable Data Protection Laws), nor any Personal Data concerning children or minors is stored within the Services.
3.3         Purpose Limitation.
    (a)    Except where otherwise required by applicable law, RingCentral shall process the Personal Data (i) in accordance with Customer's documented instructions (which instructions are set out in the Agreement, this DPA and Customer's use of the Services in accordance with the applicable terms of use), (ii) for the purposes of providing the Services as further described in Annex A, and (iii) using means of processing that are reasonably necessary and proportionate to achieve provision of the Services.
    (b)    Any additional processing required by Customer outside of the scope of the Agreement will require prior written agreement between the parties, including an agreement on any additional fees that Customer may be required to pay.   
    (c)    For the avoidance of doubt, RingCentral shall not engage in the Sale of the Personal Data.
3.4         Confidentiality of Processing. RingCentral shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (either a contractual or a statutory duty).
3.5         Security. RingCentral will maintain appropriate technical and organizational security measures to safeguard the security of Personal Data. RingCentral will maintain an information security and risk management programme based on commercial best practices to preserve the confidentiality, integrity and accessibility of Personal Data with administrative, technical and physical measures conforming to generally recognized industry standards and practices. RingCentral shall implement appropriate technical and organisational measures designed to protect the Personal Data from a Security Incident. 
3.6         Security Incidents. Upon becoming aware of a Security Incident, RingCentral shall notify Customer without undue delay at the contact information that Customer has provided in the Administrative Portal and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under Applicable Data Protection Laws.
3.7         Provision of Security Reports. RingCentral shall provide, upon Customer's request, copies of any relevant summaries of external security certifications or security audit reports necessary to verify RingCentral's compliance with this DPA.
3.8         Deletion or Return of Data. Upon termination or expiry of the Agreement, and upon written request, RingCentral shall, at Customer's election, either delete or return to Customer the Personal Data (including copies) in RingCentral's possession, save to the extent that RingCentral is required by applicable law to retain some or all of the Personal Data.
 
4.            GDPR Obligations
4.1            Applicability of Section. This Section 4 shall apply to the processing of Personal Data that is subject to the protection of the GDPR or the CCPA.
4.2            Sub-processors. Customer agrees that RingCentral may engage RingCentral Affiliates and third party sub-processors (collectively, "Sub-processors") to process the Personal Data on RingCentral's behalf. RingCentral shall impose on such Sub-processors data protection terms that protect the Personal Data to an equivalent standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. The Sub-processors engaged by RingCentral in respect of each of the Services at the time of the Agreement are noted on the RingCentral Sub-processor List available at https://netstorage.ringcentral.com/documents/RingCentral_Subprocessor_List.pdf.
4.3            Changes to Sub-processors. RingCentral may, by giving reasonable notice to the Customer, add or make changes to the Sub-processors. If the Customer objects to the appointment of an additional Sub-processor within 30 calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, then the parties will discuss such concerns in with a view to achieving resolution. If such resolution cannot be reached, then RingCentral will either not appoint the Sub-processor or, if this is not possible, Customer will be entitled to suspend or terminate the affected RingCentral Service in accordance with the termination provisions of the Agreement. Notwithstanding the foregoing, in the event of an unforeseeable force majeure (such as a Sub-processor failure) that can provoke a degradation or interruption of the Service, RingCentral reserves the right to immediately change the failing Sub-processor in order to maintain or restore the standard conditions of Service. In this situation, the notification of Sub-processor change may be exceptionally sent after the change.
4.4           Cooperation and Data Subjects' Rights. Some of the RingCentral Services may provide direct technical means to enable Customer to fulfil its duties to respond to requests from data subjects under Applicable Data Protection Laws. For the avoidance of doubt, it is the Customer’s responsibility to respond to any data subject request. If Customer is unable to address the data subject's request through such technical means, or where such functionality is not available, RingCentral shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable Customer to respond to such data subject requests. In the event that such request is made directly to RingCentral, RingCentral shall promptly inform the data subject to contact the Customer of the same. It is Customer’s sole responsibility to ensure that any account Administrator identified for Customer’s RingCentral account to manage and carry out data subject requests has appropriate authority to do so.
4.5            Data Protection Impact Assessments. RingCentral shall, to the extent required by EU Data Protection Laws, and upon Customer's request and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Laws in relation to the scope of the Services to be provided by RingCentral pursuant to the Agreement.
4.6            International Transfers. RingCentral may transfer and process Personal Data anywhere in the world where RingCentral, its Affiliates or its Sub-processors maintain data processing operations.  To the extent that RingCentral processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been recognized by the European Commission as providing an adequate level of protection for Personal Data, RingCentral shall put in place such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Laws, which may include reliance on RingCentral, Inc.'s self-certification to the Privacy Shield Framework and its compliance with the Privacy Shield Principles, the execution of standard contractual clauses approved by the European Commission, or the putting in place of any other valid transfer mechanism under EU Data Protection Laws.
4.7            Audits.
    (a)    While it is the parties' intention ordinarily to rely on the provision of the security reports at Section 3.7 above to verify RingCentral's compliance with this DPA, RingCentral shall permit the Customer (or its appointed third-party auditors) to carry out an audit of RingCentral's processing of Personal Data under the Agreement following a Security Incident suffered by RingCentral, or upon the instruction of a data protection authority. Customer must give RingCentral thirty (30) days prior notice of such intention to audit and such conduct will be at Customer’s own costs. Any such audit shall be subject to RingCentral's security and confidentiality terms and guidelines.
    (b)    Customer shall use its reasonable endeavours to ensure that the conduct of each audit does not unreasonably disrupt RingCentral's operations or delay the provision of the Services. RingCentral shall provide Customer (and its auditors and other advisers) with all reasonable cooperation, access and assistance in relation to each audit. The audit shall be conducted at RingCentral’s place of business during normal business hours and shall last no longer than two business days. 
    (c)    For the avoidance of doubt, RingCentral is not obligated to disclose to the Customer any documents or other material relating to RingCentral’s profitability, legally privileged documents or information, or documents that is commercially confidential or RingCentral is bound to maintain as confidential by written obligation to a third party or under applicable law or regulation. Audit results, including information and documentation disclosed or made available to Customer in the course of any such audit, will be deemed RingCentral’s Confidential Information.
 
5.              Miscellaneous
5.1            Except as amended by this DPA, the Agreement will remain in full force and effect.
5.2            If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
5.3            Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
ANNEX A
 
DESCRIPTION OF THE DATA PROCESSING
I. RingEX Plan Services
 
Nature and Purposes of Processing
RingEX provides cloud-based communications and collaboration services for high-definition voice, video, SMS, messaging and collaboration, conferencing, online meetings, and fax (the “Services”).  As part of the Services, RingCentral processes the Personal Data of the individuals who participate in these communications, including the Customer's employees and authorized users and other third parties who are involved in communications taking place through the Customer's use of the Services.
RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, for the purposes of customer relationship management, and customer support.
 
Categories of Data Subjects
  • Customer's employees and authorized users who use the Services in connection with the business of the Customer.  
  • Any other third party individuals who are involved in or referred to in the content of communications or collaborations taking place through the Customer's use of the Services.
Type(s) of Personal Data Processed
The Personal Data transferred concerns the following categories of data:
  •  Identification information for Customer, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title);
  • Identification information for anyone who uses the Services at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile) and email address);
  • Any other Personal Data that the Customer, its authorized users or third parties involved in the communications choose to include in the content of the communications that are sent and received using the Services.
The Personal Data transferred to RingCentral for processing is determined and controlled by the Customer in its sole discretion. As such, RingCentral has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Customer or its users.
 
Special Categories of Data
RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data to RingCentral at any time.
 
Duration of Processing
The Personal Data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
 
II. RingCentral Video
 
Nature and Purposes of Processing
 
RingCentral Video is an online meetings and screen sharing solution that helps Customers easily host meetings and transition between chat, video and web meetings (the “Services”). As part of the Services, RingCentral processes the Personal Data of the individuals who participate in these communications, including the Customer's employees and authorized users and other third parties who are involved in communications taking place through the Customer's use of the Services.
 
RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, for the purposes of customer relationship management, and customer support.
 
Categories of Data Subjects
  • Customer's employees and authorized users who use the Services in connection with the business of the Customer.  
  • Any other third party individuals who are involved in or referred to in the content of communications or collaborations taking place through the Customer's use of the Services.
Type(s) of Personal Data Processed
The Personal Data transferred concerns the following categories of data:
  • Identification information for Customer, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title);
  • Identification information for anyone who uses the Services at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile) and email address);
  • Any other Personal Data that the Customer, its authorized users or third parties involved in the communications choose to include in the content of the communications that are sent and received using the Services.
The Personal Data transferred to RingCentral for processing is determined and controlled by the Customer in its sole discretion. As such, RingCentral has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Customer or its users.
 
Special Categories of Data
 
RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data to RingCentral at any time. 
 
Duration of Processing

The Personal Data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
 
III. RingCentral Contact Center
 
Nature and Purposes of Processing
RingCentral Contact Center is an omni-channel customer communication management platform that unifies all customer-facing communication channels, including voice, email, SMS, website, mobile app, chat and social media communications, onto a single platform (the “Services”). As part of the Services, RingCentral processes the Personal Data of the individuals who participate in these communications, including the Customer's employees and authorized users and other third parties who are involved in communications taking place through the Customer's use of the Services.
 
RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer  has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of publishing content on public/private communications channels, customer relationship management, user management, and customer support.
 
Categories of Data Subjects
  • Customer's employees and authorized users who use the Services in connection with the business of the Customer.  
  • Any other third-party individuals who are involved in or referred to in the content of communications taking place or otherwise managed through the Services.
Types of Personal Data Processed
The Personal Data transferred can be classified in the following categories:
  • Identification information for Customer as well as End Users such as full name, gender, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title) and company name;
  • Identification information for anyone who uses the Services at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile) and email address);
  • Any other Personal Data that the Customer's users or individuals involved in the communications choose to include in the content of the communications that take place or are otherwise managed using the Services;
The Personal Data transferred to RingCentral for processing is determined and controlled by the Customer in its sole discretion. As such, RingCentral has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Customer or its users.
 
Special Categories of Data
 
RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data to RingCentral at any time.
 
Duration of Processing

The Personal Data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
 
IV. RingCentral Engage Digital
 
Nature and Purposes of Processing
RingCentral Engage Digital is an omni-channel digital customer communication management platform that unifies all customer-facing communication channels, including email, SMS, website, mobile app, chat and social media communications, onto a single platform (the “Services”). RingCentral Engage Digital publishes authorized users’ content onto the public or private communication channels connected to their platform and synchronizes end user content from the same channels. RingCentral Engage Digital stores and displays Customer information and conversations history to the authorized users. Authorized users are identified, have accesses and permissions defined by authorized users with administrator roles and all their actions are logged into an application journal.
 
RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of publishing content on public/private communications channels, customer relationship management, user management, and customer support.
 
Categories of Data Subjects
  • Customer's employees and authorized users who use the Services in connection with the business of the Customer.  
  • Any other third-party individuals who are involved in or referred to in the content of communications taking place or otherwise managed through the Services
Types of Personal Data Processed
The Personal Data transferred can be classified in the following categories:
  • Identification information for Customer, full name, gender, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title) and company name;
  • Identification information for anyone who uses the Services at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile) and email address);
  • Content published on communication channels connected to the Services, including public information on social media channels connected to the Service;
  • Any other Personal Data that the Customer's users or individuals involved in the communications choose to include in the content of the communications that take place or are otherwise managed using the Services;
The Personal Data transferred to RingCentral for processing is determined and controlled by the Customer in its sole discretion. As such, RingCentral has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Customer or its users.
 
Special Categories of Data
 
RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data to RingCentral at any time.
 
Duration of Processing
 
The data retention duration (between 1 day and 2 years) is defined by the Customer, based on the Customer's needs and context, and can be configured on the Services by the Customer's Users or by RingCentral.
 
V. RingCentral Engage Communities
 
Nature and Purposes of Processing
 
RingCentral Engage Communities is an online community management platform enabling community responses to customer service inquiries (the “Services”). Community administrators manage all different aspects of the platform regarding the registered community members: they can create, edit and give specific permissions and roles to the community members. The Community administrators also manage the community members’ contents creation, restriction, moderation, publishing, and edition. 
 
RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of the online platform management, customer relationship management, and customer support.
 
Categories of Data Subjects
  • Customer's employees or authorized users; 
  • Any other third-party individuals who are contributors to the online sharing space.
Types of Personal Data Processed
The Personal Data transferred can be classified in the following categories:
  • Identification information of Customer's employees or authorized users or other third-party contributors, including name and e-mail address;
  • Content published on the online sharing space, including any public posts and private messages;
  • Any other Personal Data that the Customer's users or third-party contributors choose to include in content posted, sent or received using the Service.
Special Categories of Data
 
RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data, sensitive categories of data or data regarding minors to RingCentral at any time.
 
Duration of Processing
 
The data retention duration (between 1 day to 2 years since the last user action) is defined by the Customer, based on the Customer's needs and context, and can be configured on the Services. Content can also be deleted by administrators and moderators of RingCentral Engage Communities or by RingCentral.
 
VI. RingCentral Engage Voice
 
Nature and Purposes of Processing
 
RingCentral Engage Voice provides a cloud-based omni-channel customer communication management services (the “Services”) that help companies meet customers on the channel of their choice including voice, email, SMS, MMS, website, mobile app, chat and social media communications. As part of the Services, RingCentral processes the Personal Data of the individuals who participate in these communications, including the Customer's employees and authorized users and other third parties who are involved in communications taking place through the Customer's use of the Services.
 
RingCentral processes the Personal Data for the purposes of providing and maintaining the Services to which the Customer  has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of publishing content on public/private communications channels, customer relationship management, user management, and customer support.
 
Categories of Data Subjects
 
  • Customer's employees and authorized users who use the Services in connection with the business of the Customer.  
  • Any other third-party individuals who are involved in or referred to in the content of communications taking place or otherwise managed through the Services.
Types of Personal Data Processed
The Personal Data transferred can be classified in the following categories:
  • Identification information for Customer as well as End Users such as full name, gender, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title) and company name;
  • Identification information for anyone who uses the Services at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile) and email address);
  • Any other Personal Data that the Customer's users or individuals involved in the communications choose to include in the content of the communications that take place or are otherwise managed using the Services;
The Personal Data transferred to RingCentral for processing is determined and controlled by the Customer in its sole discretion. As such, RingCentral has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Customer or its users.
 
Special Categories of Data
 
RingCentral does not intentionally collect or process any special categories of data in the provision of its Services. Under the DPA, the Customer agrees not to provide special categories of data to RingCentral at any time.
 
Duration of Processing

The Personal Data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
 
ANNEX B
LIST OF RINGCENTRAL SERVICES COVERED BY DPA
  • RingEX Plan Services
  • RingCentral Video
  • RingCentral Contact Center 
  • RingCentral Engage Digital
  • RingCentral Engage Communities
  • RingCentral Engage Voice