CallRail Data Processing Addendum for Customers

Last updated: January 2025

Definitions

“Admin” means the person listed as administrator as part of the Customer’s business subscription plan for the Services.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means CallRail’s Terms of Use, or any order form, master service agreement, or any other written agreement which is executed and signed by an authorized representative of CallRail, which governs the provision of the Services to Customer.

“Deidentified Data” means data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person, directly or indirectly, by CallRail.

“Canadian Data Protection Law” means data protection laws applicable in Canada, including the Personal Information Protection and Electronic Documents Act (SC 2000, c.5), Alberta’s Personal Information Protection Act (SA 2003, c. P-6.5), the British Columbia Personal Information Protection Act (SBC 2003, c.63) and Quebec’s Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1) (the “Québec Act”) and any binding regulations promulgated thereunder, in each case, as may be amended from time to time.

“CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder, in each case, as may be amended from time to time.

“Customer Personal Data” means any Personal Data that CallRail Processes on behalf of Customer in the course of providing Services as either (i) a Data Processor for purposes of European Data Protection Law, (ii) a Service Provider for purposes of CCPA or Canadian Data Protection Law; or (iii) defined roles in other Data Protection Law that are substantially similar to those identified in (i) or (ii).

“Data Protection Law” means all data protection laws and regulations applicable to a Party’s Processing of Customer Personal Data under the Agreement, including, where applicable, European Data Protection Law, CCPA, Canadian Data Protection Law and the Australian Privacy Act 1988 (Cth).

“Data Controller” means an entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and includes “Business” and cognate terms under applicable Data Protection Law.

“Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller and includes “Service Provider,” “Contractor” and cognate terms under applicable Data Protection Law.

“Data Subject” means the individual to whom Personal Data relates.

“European Data Protection Law” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); UK Data Protection Laws and Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Europe” means the European Economic Area (“EEA”) (which comprises the member states of the European Union, Norway, Iceland and Liechtenstein), the United Kingdom and Switzerland.

“Personal Data” has the meaning set out in the applicable Data Protection Law and includes “personal information,” “personally identifiable information,” and cognate terms.

“Processing” has the meaning given to it under Data Protection Law or if not defined thereunder, the GDPR, and “process”, “processes” and “processed” will be interpreted accordingly.

“Restricted Transfer” means a transfer or an onward transfer of Customer Personal Data where such transfer would be prohibited by applicable Data Protection Law in the absence of an adequacy decision, a permitted derogation, or protection for the transferred Customer Personal Data provided by binding corporate rules, SCCs, or other mechanism specified under applicable Data Protection Law.

“Security Incident” means any unauthorized or unlawful access, loss, alteration, disclosure or destruction of Customer Personal Data or such other term under analogous and applicable Data Protection Laws. Security Incident will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Services” means any product or service provided by CallRail to Customer pursuant to the Agreement.

“Standard Contractual Clauses” or “SCCs” means, as applicable to the relevant transfer, (i) the Annex to the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council, and which sets out standard contractual clauses that fulfil the requirements for international data transfers among controllers and processors in Article 28(3) and (4) of the GDPR, the approved version of which in force at present is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as may be amended, superseded or replaced from time to time), which as they relate to the Processing under the Agreement comprise Annex D, (ii) the UK IDTA, or (iii) such other terms intended to provide adequate protection to transferred personal data pursuant to Data Protection Law; in each case, as amended or replaced from time to time under the relevant Data Protection Law. When applicable to the Processing, Annex D forms a part of this DPA. For greater clarity, Annex D does not apply to Processing for Canadian Customers except to the extent expressly required by Data Protection Law.

“Sub-processor” means any Data Processor engaged by CallRail or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or CallRail’s Affiliates but excludes CallRail employees.

“UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom.

“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws.

1. Roles and Scope of Processing

a. Applicability. This DPA only applies to Customer Personal Data that is subject to Data Protection Law and only to the extent that CallRail Processes Customer Personal Data on behalf of Customer in the course of providing Services. This DPA does not apply to Personal Data that CallRail Processes as a Controller or to Deidentified Data.

b. Roles of the Parties. Customer determines the purpose and means of the Processing of Personal Data and is therefore the Data Controller. CallRail will Process Customer Personal Data only as a Data Processor acting on behalf of Customer and CallRail or its Affiliates will engage Sub-processors pursuant to the requirements set forth in Section 2 “Sub-processing” below.

c. Customer Compliance. Customer agrees that (i) it will comply with all Data Protection Law in respect of its use of the Services, its Processing of Personal Data and any Processing instructions it issues to CallRail; (ii) it will ensure it has the right to transfer, or provide access to, Personal Data to CallRail for Processing pursuant to the Agreement and this DPA; (iii) it has provided all notices and obtained all consents required under applicable Data Protection Law to disclose Personal Data to CallRail, and for CallRail to process such information, as contemplated by the Agreement and this DPA; and (iv) it will have sole responsibility for the accuracy, quality and legality of Customer Personal Data and the means by which Customer acquired such Customer Personal Data.

d. Purpose Limitation. CallRail shall Process Customer Personal Data only (i) in accordance with Customer’s documented lawful instructions as set forth in the Agreement and this DPA including Annex A attached hereto; (ii) as required by Data Protection Law; and (iii) as further documented in any other written instructions given by Customer and acknowledged by CallRail as constituting instructions for purposes of this DPA. The Parties agree that this DPA and the Agreement, and any further written instructions by Customer, set out Customer’s complete instructions to CallRail in relation to the Processing of Customer Personal Data, and Processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. When CallRail is aware of an instruction that conflicts with Data Protection Law, it will promptly notify Customer thereof. In addition, when CallRail is under a legal obligation to Process Customer Personal Data outside of Customer instructions, it will immediately notify Customer thereof unless CallRail is legally prohibited from doing so.

e. Prohibited Data. Except as otherwise agreed by the Parties in writing, in which case, the parties will enter into a separate agreement, (i) Customer will not provide (or cause to be provided) any Personal Data that would impose additional statutory requirements on CallRail such as non-public personal information governed by the Gramm-Leach-Bliley Act, protected health information governed by the Health Insurance Portability and Accountability Act, or Personal Data that otherwise falls within the definition of “special categories of data” or “sensitive personal information” under Data Protection Law, and (ii) CallRail will have no liability whatsoever for such special categories of data or sensitive personal information, whether in connection with a Security Incident or otherwise.

2. Sub-processing

Sub-processors. CallRail will enter into a written agreement with the Sub-processor(s) imposing data protection obligations that protect Customer Personal Data to the standard required by applicable Data Protection Law. Customer generally authorizes and agrees that CallRail may engage the Sub-processors listed at https://www.callrail.com/subprocessors/, which may be updated from time to time. Customer may object in writing to CallRail’s appointment or replacement of a Sub-processor within ten (10) days, provided that such objection is based on reasonable grounds. In such event, the Parties will discuss such concerns in good faith with a view to achieving a resolution. If the Parties do not find a solution within ten (10) days, either Party may terminate the portions of the Agreement and this DPA upon which the objected-to Sub-processor depends with immediate effect (without prejudice to any fees incurred by Customer prior to the termination of the Agreement and this DPA).

3. Security

a. Confidentiality Obligations. CallRail will ensure that any personnel authorized by CallRail to Process Customer Personal Data will be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). To the extent the Quebec Act applies, authorized personnel shall be limited to those who are required to process Customer Personal Data for the purposes of providing the Services pursuant to the Agreement. The obligation of confidentiality shall include the obligation to process the Customer Personal Data solely for the purposes of providing the Services or ensuring compliance with the obligations of this DPA.

b. Security Measures. CallRail will maintain appropriate technical and organizational measures to secure Customer Personal Data as outlined in Annex C attached hereto, including measures to protect against Security Incidents. These measures refer to a suitable level of security, taking into account the state of the art and the costs of implementation, as well as the risks inherent in data processing proposed by CallRail and the nature of Customer Personal Data. CallRail may update or modify such measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.

c. Security Incidents. Upon becoming aware of a Security Incident, CallRail will notify Customer without undue delay and will provide such information as Customer may reasonably require, including to enable Customer to fulfill its data breach reporting obligations under applicable Data Protection Law. CallRail’s notification of or response to a Security Incident will not be construed as an acknowledgement by CallRail of any fault or liability with respect to the Security Incident. To the extent that a Security Incident is caused by Customer, Customer Affiliate, or anyone acting for Customer, CallRail will inform the Customer of the Security Incident and provide information it discovers up to the stage it identifies the breach is caused by the Customer, Customer Affiliate, or anyone acting for the Customer. Further assistance to investigate and remediate such a Security Incident is subject to the commercially reasonable prior agreement of the parties acting in good faith and CallRail reserves the right to charge Customer a reasonable administrative fee for assistance in such circumstances. For Personal Data that is subject to the Québec Act, the notification to advise of a Security Incident includes a situation where there has been an attempted violation by any person of any obligation concerning the confidentiality of the Personal Data.

d. Customer’s Appropriate Use of Services. Customer agrees that, without prejudice to CallRail’s obligations under this DPA, (i) Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; and (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (ii) CallRail has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of CallRail’s and/or its Sub-processors’ systems.

4. International Transfers

a. Location of Processing. Customer acknowledges and agrees that CallRail may transfer, store and Process Customer Personal Data anywhere in the world where CallRail, its Affiliates or its Sub-processors maintain data processing operations. The Parties will at all times ensure that such transfers are made in compliance with the requirements of Data Protection Law and will enter into supplementary documents as necessary.

b. European Transfer Mechanism. The SCCs, incorporated herein by reference in Annex D, will apply to any Restricted Transfer of Customer Personal Data to locations outside the EEA and the UK. Clause 7 of the SCCs and the optional language in Clause 11(a) shall not apply. Clause 9(a): Option 1 (general written authorization for the engagement of sub-processors) is elected with the time period being ten (10) days. The Supervisory Authority for Clause 13(a) shall be determined by the place of establishment of the data exporter and the SCCs shall be governed by the law of, and subject to the jurisdiction of, the courts of Ireland for the GDPR and the United Kingdom for the UK IDTA unless otherwise agreed by the Parties.

For Restricted Transfers of Customer Personal Data to locations outside the United Kingdom, the Parties shall enter into the UK IDTA. For purposes of the tables in the UK IDTA – (i) in Table 1, the Parties are CallRail and Customer; (ii) for Table 2, the SCCs referenced in Annex D shall apply, (iii) for Table 3, the Annexes are deemed completed with the relevant information contained in Annex I – III of Annex D; and (iv) for Table 4, neither Party shall have the right of termination for purposes of Section 19 of the UK IDTA.

For Restricted Transfers of Customer Personal Data to locations outside of Switzerland, the Parties agree that the SCCs referenced in Annex D shall apply as amended and adapted to ensure the Swiss Federal Data Protection and Information Commissioner is the listed supervisory authority, data subjects in Switzerland are not precluded from exercising their rights, and references to the GDPR shall include reference to the equivalent provisions of the Swiss Federal Act on Data Protection (as amended or replaced).

Notwithstanding the foregoing, the SCCs (or obligations the same as those under the SCCs) or UK IDTA will not apply if CallRail has adopted, at its sole discretion, an alternative, recognized compliance standard for the lawful transfer of Personal Data outside the EEA, the United Kingdom or Switzerland. If the SCCs referenced in Annex D or the UK IDTA are updated, superseded or replaced and such change may have a material effect on the rights or obligations of the Parties under this DPA, then CallRail may require, and Customer may request, that the Parties enter into a replacement set of SCCs or UK IDTA in accordance with EU or United Kingdom Data Protection Law.

5. Cooperation and Audits

a. Data Subject Rights. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Services, CallRail will provide Customer with commercially reasonable cooperation and assistance insofar as this is possible, at Customer’s expense, to enable Customer to respond to requests from Data Subjects seeking to exercise their rights under Data Protection Law. In the event such request is made directly to CallRail, CallRail will promptly inform Customer of the same.

b. Data Protection Impact Assessments. To the extent required under applicable Data Protection Law, CallRail will (taking into account the nature of the Processing and the information available to CallRail) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Law; provided, however, that CallRail will not be liable for any failure of Customer to comply with Customer’s own obligations related thereto.

c. Audits. Upon Customer’s reasonable written request, and no more than once per calendar year, unless more frequent audits are explicitly permitted or required under applicable Data Protection Law, CallRail will make available for Customer’s inspection and audit, copies of certifications, records or reports demonstrating CallRail’s compliance with this DPA. While it is the Parties’ intention ordinarily to rely on the provision of the documentation to demonstrate CallRail’s compliance with this DPA and the provisions of Article 28 of the GDPR, in the event that Customer reasonably determines that it must inspect CallRail’s premises or equipment for purposes of this DPA, then no more than once per calendar year, unless more frequent audits are explicitly permitted or required under applicable Data Protection Law, any audits described in this Section 5(c) will be conducted, at Customer’s expense, through a qualified, independent third-party auditor (“Independent Auditor”) designated by Customer. Before the commencement of any such on-site inspection, the Parties will mutually agree on reasonable timing, scope, and security controls applicable to the audit (including without limitation restricting access to CallRail’s confidential information, trade secrets and data belonging to other customers). Any inspection will be of reasonable duration and will not unreasonably interfere with CallRail’s day-to-day operations. All Independent Auditors are required to enter into a non-disclosure agreement containing confidentiality provisions reasonably acceptable to CallRail and intended to protect CallRail’s and its customers’ confidential and proprietary information.

6. Deletion or Return of Customer Data

a. Upon request by Customer at the termination or expiration of the Agreement, CallRail will delete or return Customer Personal Data and copies thereof to Customer that are in CallRail’s possession. Notwithstanding the foregoing, CallRail may retain copies of Customer Personal Data: (i) to the extent CallRail has a separate legal right or obligation to retain some or all of the Customer Personal Data; (ii) that is incorporated into CallRail business records such as email and accounting records, and (iii) in backup systems until the backups have been overwritten or expunged in accordance with CallRail’s backup policy; provided, however, in each case the confidentiality obligations and use restrictions in the Agreement and this DPA will continue to apply to such Customer Personal Data for the duration of the retention. The Parties agree that the certification of deletion of Personal Data that is described in Clause 16(d) of the SCCs will be provided by CallRail to Customer only upon Customer’s request.

7. CCPA

a. Scope. This Section 7 will apply only with respect to Personal Data that is subject to the protection of the CCPA. For purposes of this Section 7, the terms “Business,” “sell,” “share,” “Third Party” and “Service Provider” have the meanings given in the CCPA.

b. Roles of the Parties. With respect to Customer Personal Data as to which CCPA applies, the Parties acknowledge and agree that: (i) CallRail is a “Service Provider” and not a “Third Party”; (ii) Customer is a “Business;” and (iii) each Sub-processor is CallRail’s “Service Provider”. The Parties agree that Customer will disclose to CallRail the Customer Personal Data as to which CCPA applies for the business purpose of enabling CallRail to perform the Services in accordance with the Agreement and subject to the requirements of this DPA, including without limitation those set forth in Section 7(c) (No Sale).

c. No Sale or Sharing. CallRail will not: (i) “sell” or “share” Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services; (iii) retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Services; or (iv) retain, use, or disclose Customer Personal Data outside of the direct business relationship between CallRail and the Customer. 

d. Combining Personal Data. CallRail will not combine Customer Personal Data with Personal Data CallRail receives from, or on behalf of, another purpose unless permitted by the CCPA.

e. Deidentified Data. CallRail will not attempt to re-identify Deidentified Data, and will implement reasonable measures to ensure such data remains deidentified.

f. Notice if Compliance is Not Possible. If CallRail determines it can no longer meet its obligations under the CCPA, it shall promptly notify Customer of this fact.

g. Certification. If CallRail is considered a Contractor as defined under the CCPA, CallRail certifies that it understands these restrictions and will comply with them.

8. Liability

a. Indemnification. Each Party (the “Indemnifying Party”) will indemnify the other Party (the “Indemnitee”) from and against all third party claims (including investigations and actions by data protection authorities or regulatory bodies), liabilities, costs, damages, judgments, expenses and losses (including reasonable attorneys’ fees and costs) arising from any breach by the Indemnifying Party of this DPA; provided however, under no circumstances will the Indemnifying Party be liable for any breaches of this DPA or violations of Data Protection Law to the extent that they are caused by the Indemnitee. Any such indemnification obligation is contingent upon:

i. The Indemnitee promptly notifying Indemnifying Party in writing of any claim which could give rise to an indemnification obligation;

ii. The Indemnifying Party being given the option to control the defense of any litigation and to settle or compromise all claims which could give rise to this indemnification obligation (provided that the Indemnitee may always appoint advisory counsel at its own expense to assist the Indemnifying Party in the defense of such claim);

iii. The Indemnitee cooperating in all reasonable respects and at its own expense with the Indemnifying Party in the defense of the claim.

b. Exception. This clause is without prejudice to the liability of each Party to Data Subjects that cannot lawfully be limited or disclaimed and the obligations of both Parties to indemnify Data Subjects as set out in Article 82 of the GDPR and in Clause 12 of the SCCs.

c. Assistance. Where CallRail is obliged to provide assistance to Customer or third parties at the request of Customer (including submission to an audit hereunder and/or the provision of information) in connection with this DPA or the Data Protection Law, such assistance will be provided at the sole cost and expense of Customer, save where such assistance directly arises from CallRail’s breach of its obligations under this DPA, in which event the costs of such assistance will be borne by CallRail.

d. Limitation of Liability. Subject to subclause b, each Party’s total liability to the other taken together in the aggregate, arising out of or related to this DPA (including the SCCs), whether in contract, tort, extra-contractual liability, or under any other theory of liability, is subject to the exclusions and limitations of liability set forth in the Agreement and any reference in such sections to the liability of a Party means aggregate liability of that Party and all of its Affiliates under the Agreement (including this DPA). Under no circumstances will CallRail be liable for any violations of this DPA or violations of Data Protection Law that are caused by Customer.

9. Miscellaneous

a. Effective Date. This DPA will become effective on the latest signed date by both Parties below (“Effective Date”). If CallRail has already Processed Personal Data within the scope of the Agreement prior to the Effective Date, the DPA will apply retroactively from the start of the Processing of Personal Data by CallRail on behalf of Customer.

b. Agreement. Except as amended by this DPA, the Agreement will remain in full force and effect.

c. Priority. If there is a conflict between this DPA and the Agreement, the DPA will control. If there is a conflict between the terms of the DPA and the SCCs, the SCCs will prevail.

d. Modifications. Customer agrees that CallRail may modify this DPA in order (i) to incorporate any new version of the SCCs (or similar model clauses) that may be adopted under applicable Data Protection Law or (ii) to comply with applicable law (including Data Protection Law), applicable regulation, a court order or guidance issued by a governmental regulator or agency.

e. Governing Law. This DPA will be governed by and construed in accordance with the governing law stated in the Agreement, unless required otherwise by applicable Data Protection Law.

f. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

IN WITNESS WHEREOF, CallRail and Customer have executed this DPA as of the Effective Date, either by signing below or alternatively by agreeing to comply with this DPA in the Agreement.

Annex A

Description of processing

Subject Matter

  • CallRail’s provision of the Services to Customer as described in the Agreement and the DPA

Categories of Data Subjects

  • Customer’s end-users whose Personal Data are Processed via the Services
  • Customer’s account admins and other users of the Services

Categories of Recipients

  • CallRail Sub-processors

Categories of Personal Data transferred

Categories of Personal Data Processed may include, depending on the Services used by Customer:

  • Contact information such as name, physical address, e-mail address, phone number
  • Government identifiers such as social insurance or national registration numbers
  • Health information (for applicable accounts), such as patient name and contact information where applicable (If applicable, the Parties shall enter into additional documentation including, for example, a Business Associate Agreement.)
  • Telephonic and digital communications, such as call recordings, call transcripts, chat transcripts, caller ID information, and voicemail messages
  • Account information
  • Personal identifiers: name, email, telephone, avatar
  • Electronic identifiers: Device ID, IP address, tracking ID
  • Financial data (as applicable): credit card information (Processed through a payment processor.), billing information and/or transaction information
  • Professional data: company name, company domain

Sensitive personal data transferred

Depending on the Services used by Customer, sensitive personal data transferred to CallRail for Processing may include:

  • Health information as noted in the categories of Personal Data transferred above
  • Financial information as noted in the categories of Personal Data transferred above

Frequency of the transfers

  • Health information transfers occur occasionally while using the service
  • Financial data transfers occur occasionally while providing payment information and during monthly transaction processing

Nature and purposes of the data transfers and processing and further processing

  • Providing Customers with, as elected by Customer, call tracking, customer conversation, lead management and data collection services and other services identified on the CallRail website located at https://www.callrail.com/
  • Data transfers to CallRail for the purpose of performing its obligations under the Agreement, including the Services and any related technical support requested by the Customer in accordance with the Agreement and this DPA

Annex B — List of CallRail Sub-processors

The Sub-processors currently engaged by CallRail are listed at the following URL, which may be updated by CallRail from time to time by notice to Customer: https://www.callrail.com/subprocessors/.

Annex C — Technical and Organizational measures

CallRail’s SOC II Type II attestation report is available upon request.

CallRail will:

  1. Ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in Annex A of this DPA.
  2. Take reasonable measures to prevent unauthorized access to the Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for Personal Data processing, and implementing procedures for monitoring the use of Personal Data processing facilities;
  3. Build in system and audit trails.
  4. Use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;
  5. Account for risks that are presented by Processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, access or disclosure of Personal Data;
  6. Ensure pseudonymisation and/or encryption of Personal Data, where appropriate;
  7. Maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  8. Maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  9. Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures designed to ensure the security of the Processing of Personal Data;
  10. Monitor compliance on an ongoing basis;
  11. Implement measures to identify vulnerabilities with regard to the Processing of Personal Data in systems used to provide Services to the Data Controller;
  12. Provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.

Annex D — SCCs

Controller to Processor (incorporated herein by reference)

ANNEX I

A.   LIST OF PARTIES

Data exporter(s): The data exporter is the Customer identified in the DPA (and the Customer’s Affiliates if authorized to use the Services).

The activities relevant to the data transferred under these Clauses are those activities related to Customer’s use of the data importer’s Services as described in the Agreement between them, which includes personal data provided by or on behalf of the Customer for processing by the data importer upon the Customer’s instructions and in accordance with the Agreement and this DPA.

The identity and contact details of the data exporter are the Customer details described in the Agreement and the DPA, and the data exporter’s contact person with responsibility for data protection under these Clauses is the Customer Admin as defined in the DPA.

The Customer is the data controller of the personal data that is subject to the DPA.

Data importer(s): The data importer is CallRail Inc.

The activities relevant to the data transferred under these Clauses are CallRail’s provision of the Services as described in the Agreement with the data exporter, under which CallRail is authorized to process personal data on the Customer’s behalf and upon the Customer’s instructions in accordance with the Agreement and this DPA.

The identity and contact details of the data importer and the data importer’s contact person with responsibility for data protection is:

Name: CallRail Inc.

Address: 100 Peachtree St NW STE 2700 Atlanta, GA 30303

Contact person’s name, position and contact details: Kurdeen Karim, Sr. Director IT and Security, security@callrail.com

CallRail is the data processor of the personal data that is subject to the DPA.

B.   DESCRIPTION OF TRANSFER

The description of the transfer of personal data as of the Effective Date is attached to the DPA as Annex A.

C.   COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the Member State in which the data subject whose personal data is transferred under these Clauses in relation to the offering of goods or services to him or her, or whose behaviour is monitored, shall act as competent supervisory authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer will implement and maintain appropriate technical and organizational measures designed to ensure an appropriate level of security for the Customer Personal Data, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. The specific technical and organizational measures employed by the data importer as of the Effective Date are attached to the DPA as Annex C.

ANNEX III

LIST OF SUB-PROCESSORS

The Sub-processors currently engaged by CallRail are listed at the following URL, which may be updated by CallRail from time to time by notice to Customer: https://www.callrail.com/subprocessors/.