RingCentral Data Processing Addendum

Last Updated: August 12, 2021
This Data Processing Addendum ("DPA") is made by and between RingCentral and Customer (each a "Party", together the "Parties"), and is supplemental to the agreement executed between the Parties to which it is attached (“Agreement”) for the provision of the Services (as defined below) to Customer.
Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
1.         Definitions
1.1.       For the purposes of this DPA:
    (a)    "Affiliate" means a person or entity that is controlled by a Party hereto, controls a Party hereto, or is under common control with a Party hereto, and “control” means beneficial ownership of greater than fifty percent (50%) of an entity’s then-outstanding voting securities or ownership interests.
    (b)    "Agreement" means the main written or electronic agreement between Customer and RingCentral for the provision of any of the RingCentral services to the Customer (each a "Service" and collectively the "Services"). 
    (c)    "Applicable Data Protection Laws" means all data protection and privacy laws applicable to RingCentral in the processing of Personal Data under this DPA.
    (d)    "Controller" shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
    (e)    "Customer Personal Data" means any Personal Data that RingCentral processes as a Processor under the Agreement. 
    (f)    “Personal Data” means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Law. 
    (g)   "Processor" means the entity which processes Personal Data on behalf of the Controller.
    (h)   "Security Incident" means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data that compromises the privacy, security, or confidentiality of such Personal Data.
2.       Scope of DPA
2.1            This DPA will apply to the extent that RingCentral processes Customer Personal Data on behalf of a Customer as a Processor, as defined by Applicable Data Protection Law. Any processing of Personal Data as a Controller by RingCentral is out of scope of this DPA.
3.       Roles and Responsibilities
3.1          Parties' Roles. As between the parties and for the purposes of this DPA Customer shall be the Controller of the Customer Personal Data processed by RingCentral under the Agreement as a Processor on Customer's behalf. RingCentral will comply with the obligations of a Controller under the GDPR to the extent it processes Personal Data as a Controller for RingCentral’s legitimate business purposes, including as necessary for the operation of the offered Services, and as necessary to comply with applicable law.
3.2         Obligations of the Customer. Customer undertakes to:
    (a)    Ensure that it may lawfully disclose the Customer Personal Data to RingCentral for the purposes set out in the Agreement.
    (b)    Comply with applicable data protection laws in its use of the Services, and its own collection and processing of Personal Data including Customer Personal Data; and
    (c)    Process special categories of Personal Data or sensitive data (as defined by Applicable Data Protection Laws), or Personal Data concerning children or minors, or related to criminal convictions and offenses, lawfully and relying on a valid legal basis in accordance with Applicable Data Protection Laws. The Parties acknowledge that the Services are not designed to recognize and/or classify such data.
3.3         Purpose Limitation.
    (a)    Except where otherwise required by applicable law, RingCentral shall process the Customer Personal Data (i) in accordance with Customer's documented instructions (which instructions are set out in the Agreement, this DPA and Customer's configuration and use of the Services, in accordance with the applicable terms of use), (ii) for the purposes of providing, monitoring, supporting, improving, and maintaining the Services.
    (b)    RingCentral shall not engage in the sale of any Personal Data.
3.4         Confidentiality of Processing. RingCentral shall ensure that any person that it authorizes to process the Customer Personal Data shall be subject to a duty of confidentiality (either a contractual or a statutory duty). 
3.5         Security. RingCentral will maintain appropriate technical and organizational security measures to safeguard the security of Customer Personal Data. RingCentral will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity and accessibility of Customer Personal Data with administrative, technical and physical measures conforming to generally recognized telecommunication industry standards and practices.
3.6         Security Incidents. Upon becoming aware of a Security Incident, RingCentral shall notify Customer without undue delay at the contact information that Customer has provided in the Administrative Portal and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfill any data breach reporting obligations under Applicable Data Protection Laws.
3.7         Provision of Security Reports. RingCentral will select an independent, qualified third-party auditor to conduct, at RingCentral’s expense, at least annual audits of the security of the Services and environments, in accordance with internationally recognized standards such as ISO27001, the SOC 2, Type II standards or its equivalent. Upon Customer request and under Non-Disclosure Agreement, RingCentral will provide a copy of the most recent audit reports (or similar security attestation) to document compliance with the foregoing requirement, where such certification is available. Such audit report is RingCentral’s Confidential Information and Customer will not distribute to any third party without RingCentral’s written approval.
3.8         Deletion or Return of Data. Upon termination or expiry of the Agreement, RingCentral shall delete Customer Personal Data (including copies) in RingCentral's possession or, at Customer’s request, provide options to return the Personal Data to the Customer, except to the extent that RingCentral is required by applicable law  to retain some or all of the Customer Personal Data.
4.            GDPR Obligations
4.1            Applicability. This Section 4 and the RingCentral Security Addendum  at https://netstorage.ringcentral.com/documents/trust-center-security-addendum.pdf shall apply to the processing of Customer Personal Data that is subject to the protection of the EU General Data Protection Regulation (“GDPR”).
4.2            Sub-processors. Customer agrees that RingCentral and its Affiliates may engage RingCentral Affiliates and third- party sub-processors (collectively, "Sub-processors") to process the Customer Personal Data on RingCentral's behalf. Depending on the scope and the nature of the sub-processing, RingCentral shall impose data protection terms on such Sub-processors that protect Customer Personal Data to an equivalent standard provided for by this DPA and RingCentral shall remain liable for any breach of the DPA caused by a Sub-processor. The Sub-processors engaged by RingCentral in respect of each of the Services at the time of the Agreement are noted on the RingCentral Sub-processor list available at https://netstorage.ringcentral.com/documents/RingCentral_Subprocessor_List.pdf.
4.3            Sub-processor Notification. RingCentral may, by giving reasonable notice to the Customer at the contact information that Customer has provided in the Administrative Portal, add or replace the Sub-processors. If the Customer objects to the appointment of an additional Sub-processor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of the Customer Personal Data, then the parties will discuss such concerns with a view to achieving resolution. If such resolution cannot be reached, then RingCentral will either not appoint the Sub-processor or, if this is not possible, Customer will be entitled to suspend or terminate the affected RingCentral Service without penalty with a thirty (30) day written notice to RingCentral. Notwithstanding the foregoing, in the event of an unforeseeable force majeure (such as a RingCentral Sub-processor failure) that can provoke a degradation or interruption of the Service, RingCentral reserves the right to immediately change the failing Sub-processor in order to maintain or restore the standard conditions of the Service. In this situation, the notification of Sub-processor change may be exceptionally sent after the change.
4.4           Cooperation and Data Subjects' Rights. It is the Customer’s responsibility to respond to any data subject request. Some of the RingCentral Services may provide direct technical means to enable Customer to fulfil its duties to respond to requests from data subjects under Applicable Data Protection Laws. If Customer is unable to address the data subject's request through such technical means, or where such functionality is not available, RingCentral shall, taking into account the nature of the processing, provide reasonable assistance to Customer, to enable Customer to respond to such data subject requests. In the event that such request is made directly to RingCentral, RingCentral shall promptly direct the data subject to contact the Customer.
4.5            Data Protection Impact Assessments. RingCentral shall, to the extent required by the GDPR, and upon Customer's request and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under GDPR in relation to the scope of the Services.
4.6            International Transfers. RingCentral may transfer and process Customer Personal Data outside the European Economic Area (“EEA”), Switzerland, or the United Kingdom, in accordance with the published Sub-Processor list, to locations where RingCentral, its Affiliates or its Sub-processors maintain data processing operations. To the extent that RingCentral processes (or causes to be processed) any Customer Personal Data originating from the EEA, Switzerland, or the United Kingdom in a country that has not been recognized by the European Commission as providing an adequate level of protection for Customer Personal Data, RingCentral will comply with Applicable Data Protection Laws of the European Economic Area, Swiss, and United Kingdom regarding the collection, use, transfer, retention, and other processing of Customer Personal Data from the European Economic Area, Switzerland, and the United Kingdom, and shall put in place such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws, which include the execution of the EU Commission's Standard Contractual Clauses, or the putting in place of any other valid transfer mechanism under Applicable Data Protection Laws. The Customer hereby grants a general mandate to RingCentral to conclude the Standard Contractual Clauses on behalf of the Customer with its Sub-processors outside of the EEA.  
4.7            Audits.
    (a)    Both parties acknowledge that it is the parties' intention ordinarily to rely on the provision of the security reports at Section 3.7 above to verify RingCentral's compliance with this DPA.
    (b)    Additionally, upon request from Customer, but not more than once during each 12-month period, RingCentral shall complete a Customer provided information security program questionnaire, limited in scope to the actual services/environments related to the Services provided to Customer (“Security Review”). 
    (c)    After Customer’s review of RingCentral’s audit report or similar attestation, and of the completed information security questionnaire (including any changes introduced by RingCentral to address any gaps), if, to the extent required by the GDPR, additional information is reasonably necessary to demonstrate compliance with RingCentral’s obligations pursuant to Applicable Data Protection Laws and this  DPA, Customer may request in writing to perform an audit (including inspections) of RingCentral pursuant to the audit request procedure below, no more than once every twelve (12) month period, unless a supervisory authority specifically requires that an audit is carried out of RingCentral or in response to a Security Incident. 
    (d)    In order to exercise its right to audit pursuant to this section, Customer must provide RingCentral with a written, detailed request, including the explanation of gaps in RingCentral’s provided audit reports and in the Security Review that render the audit necessary to demonstrate RingCentral’s compliance with this DPA or with Applicable Data Protection Laws.
    (e)    The audit may be performed by Customer or a third-party auditor (any such third party under strict confidentiality obligations, including requirements that individual auditors appointed have not performed audits of any of RingCentral’s competitors in the previous twelve (12) months and that they will be prohibited from performing such audits in the twelve (12) months following RingCentral’s audit) solely at Customer's expense. RingCentral may object in writing to any third-party auditor if the auditor is, in RingCentral’s reasonable opinion, not suitably qualified or independent, a competitor of RingCentral, or otherwise manifestly unsuitable. Any such objection by RingCentral will require Customer to appoint another auditor or conduct the audit itself.
    (f)    RingCentral and Customer will agree in advance upon the scope and timing of the audit, to protect the confidential and proprietary Information of RingCentral and other parties, to minimize disruption to RingCentral’s business, to limit the scope to the actual services/environments related to the Services provided to Customer, and to agree on a reasonable duration of the audit.
    (g)    The audit performance will occur during regular business hours for the RingCentral personnel involved and the parties agree that RingCentral will make available material for Customer’s review, but not for Customer to retain. RingCentral may charge a reasonable fee for costs incurred in connection with any such audit based on RingCentral’s professional services rates, unless the audit shows a material breach on the part of RingCentral. RingCentral will provide Customer with details of any applicable fee, and the basis of its calculation, in advance of any such audit.
    (h)    All information provided or made available to Customer pursuant to this section shall be deemed Confidential Information of RingCentral. 
4.8            Data Disclosure Requests. If RingCentral receives a request from a law enforcement or other government authority to disclose Customer Personal Data that RingCentral is processing on the Customer's behalf, RingCentral will notify and provide the Customer with the details of the data disclosure request prior to disclosing any Customer Personal Data, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
5.              Miscellaneous
5.1            Unless the above explicitly states otherwise the terms and conditions of the Agreement shall apply to the DPA. In case of any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA prevails with regard to RingCentral’s data processing activities of Customer Personal Data.
5.2            The governing law and forum that apply to the Agreement also apply to this DPA.
5.3            Contact information for privacy inquiries: privacy@RingCentral.com.