Calendly LLC Data Processing Addendum
Calendly LLC DPA
Updated: May 2022
1.0 Defined Terms. The following definitions are used in this DPA:
1.1 “Authorized Personnel” means (a) Processor’s employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable services; and (b) Processor’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Processor to perform its obligations under the Agreement and this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA.
1.2 “CCPA” means the California Consumer Privacy Act.
1.3 “Data Protection Laws” means all applicable federal, state, and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the EU Data Protection Laws and the CCPA but excluding, without limitation, consent decrees.
1.4 “EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom, applicable to the processing of Personal Data for the services under the Agreement, including (where applicable) the GDPR.
1.5 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
1.6 “Personal Data” means any information relating to an identified or identifiable natural person that is submitted to, or collected by, Calendly in connection with the services provided by Processor, when such data is protected as “personal data” or “personally identifiable information” or a similar term under Data Protection Law(s).
1.7 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.8 “Security Breach” means a confirmed breach of Processor’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under Data Protection Law(s) governing the particular circumstances.
1.9 “Standard Contractual Clauses” means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e, which clauses are incorporated herein by this reference.
2.0 Processing and Transfer of Personal Data
2.1 Customer Obligations. Customer is the Controller of Personal Data and shall (a) determine the purpose and essential means of the Processing of Personal Data in accordance with the Agreement; (b) be responsible for the accuracy of Personal Data; and (c) comply with its obligations under Data Protection Laws, including, when applicable, ensuring Customer has a lawful basis to collect Personal Data, providing Data Subjects with any required notices, and/or obtaining the Data Subject’s consent to process the Personal Data.
2.2 Calendly Obligations. Calendly is the Processor of Personal Data and shall Process Personal Data on Customer’s behalf in accordance with Customer’s written instructions (unless waived in a written requirement) provided during the term of this DPA. The parties agree that the Agreement, including this DPA, together with Customer’s use of Calendly’s services in accordance with the Agreement, constitute Customer’s complete and final written instructions to Calendly in relation to the Processing of Personal Data, and additional instructions outside the scope of these instructions shall require a prior written and mutually executed agreement between Customer and Calendly. In the event Calendly reasonably believes there is a conflict with any Data Protection Law and Customer’s instructions, Calendly will inform Customer promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
2.3 Data Use. Except for the use of Personal Data as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Data Protection Laws, Calendly shall not retain, use, sell, or disclose the Personal Data that is not de-identified or aggregated for analytics, for any purpose, including other commercial purposes, outside of the direct business relationship with Customer.
2.4 Location of Processing. The parties acknowledge and agree that the Services are provided in the United States, Customer’s use of the Services may therefore result in a transfer of Personal Data, and Processing may also occur in other jurisdictions outside the nation or state of a Data Subject’s residence depending on Customer’s use of the Services, and Customer is responsible for and shall comply with all notice and consent requirements for any such transfers and processing to the extent required by Data Protection Laws.
2.5 Return or Destruction of Data. Calendly shall return or securely destroy Personal Data, in accordance with Customer’s instructions, upon Customer’s request or upon termination of this DPA unless Personal Data must be retained to comply with applicable law.
3.0 EU and United Kingdom Data Protection Laws.
This Section 3 shall apply with respect to Processing of Personal Data when such Processing is subject to the EU Data Protection Laws or UK Data Protection Laws.
3.1 Transfers of Personal Data. Customer acknowledges and agrees that Calendly is located in the United States and that Customer’s provision of Personal Data from the European Economic Area or Switzerland (“EU”) or the United Kingdom to Calendly for Processing is a transfer of Personal Data to the United States. All transfers of Customer Personal Data out of the EU (“EU Personal Data”) or the United Kingdom (“UK Personal Data”) to the United States shall be governed by the applicable Standard Contractual Clauses as follows:
3.1.1 For such transfers of EU Personal Data, the terms of Module 2 of the EU SCCs for Controller to Processor transfers, together with Annexes set out in Exhibit A to this DPA, are incorporated in this DPA, and the parties agree that the following terms apply: (a) Clause 7 shall not apply; (b) Option 2 of Clause 9(a) shall apply with a time period of 30 days in advance; (c) the optional language in Clause 11(a) shall not apply; (d) the governing law shall be that of Ireland in Clause 17; (e) disputes shall be resolved by the courts of Ireland in Clause 18; and (f) the annexes are completed in Exhibit A to this DPA.
3.1.2 For such transfers of UK Personal Data, the UK SCCs shall apply and the parties hereby elect to (a) replace general and specific references to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 with the equivalent reference from the UK Data Protection Laws; (b) replace references to “Member State” in Clauses 1(e) and 4(a) with “United Kingdom”; and (c) replace references to “Member State” in Clauses 7, 9 and 11 with “country of the United Kingdom.”
3.2 GDPR Contractual Requirements. Calendly shall: (a) assist Customer, to a reasonable extent, in complying with its obligations with respect to EU Personal Data pursuant to Articles 32 to 36 of GDPR; (b) maintain a record of all categories of Processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR; and (c) cooperate, on request, with an EU supervisory authority regarding the performance of the Services under the Agreement.
3.3 Sub-processors. Customer grants a general authorization to Calendly to appoint its affiliates as sub-processors, and a specific authorization to Calendly and its affiliates to appoint as sub-processors the entities set out in Exhibit A attached hereto, and for the sub-processing activities described thereon, as it may be updated from time to time. Customer may request to be notified by email regarding updates to the sub-processor list.
This Section 4 shall apply with respect to Processing of Personal Data when such Processing is subject to the CCPA. Calendly acts as Customer’s service provider with respect to such Processing. Calendly shall Process such Personal Data only for the purpose of providing the services to Customer, and shall not sell such Personal Data. For purposes of this Section 4, the terms “service provider” and “sell” shall have the meanings given to them under the CCPA.
5.0 Customer Representation and Warranty
Customer represents and warrants on behalf of itself and its employees that the Personal Data provided to Calendly for processing under the Agreement and this DPA is collected and/or validly obtained and utilized by Customer and its employees in compliance with all Data Protection Laws, including without limitation the disclosure, informed affirmative consent and targeted advertising provisions of the CCPA, UK GDPR, and EU Data Protection Laws, including without limitation Chapter II of the GDPR, and Customer shall defend, indemnify and hold harmless Calendly from and against all loss, expense (including reasonable out-of-pocket attorneys’ fees and court costs), damage, or liability arising out of any claim arising out of a breach of this Section 5.
6.0 Data Protection
6.1 Data Security. Calendly will utilize commercially reasonable efforts to protect the security, confidentiality, and the integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards. Notwithstanding the generality of the foregoing, Calendly shall: (a) employ reasonable administrative, physical, and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to afford protection of the Personal Data in accordance with Data Protection Laws as would be appropriate based on the nature of the Personal Data; (b) utilize commercially reasonable efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data to prevent, and take prompt and proper remedial action against unauthorized access, copying, modification, storage, reproduction, display, or distribution of Personal Data; and (c) cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals reasonably promptly after it is reasonable to assume that (i) the specified purposes are no longer being served by Calendly’s retention of Personal Data, and (ii) retention is no longer necessary for legal or business purposes.
6.2 Authorized Personnel; Sub-processors. Calendly shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations at least as restrictive as those contained in this DPA. In addition, Calendly is authorized to use sub-processors provided that Calendly shall enter into an agreement with any such sub-processor containing data protection obligations that are at least as restrictive as the obligations under this DPA.
6.3 Security Breaches. In the event of a confirmed Security Breach, Calendly will promptly: (a) notify Customer of the Security Breach; (b) investigate the Security Breach; (c) provide Customer with necessary details about the Security Breach as required by applicable law; and (d) take reasonable actions to prevent a recurrence of the Security Breach. Calendly agrees to cooperate in Customer’s handling of the matter by: (a) providing reasonable assistance with Customer’s investigation; and (b) making available relevant records, logs, files, data reporting, and other materials related to the Security Breach’s effects on Customer, as required to comply with Data Protection Laws.
7.0 Data Subjects Request
Calendly shall reasonably assist Customer with the fulfilment of Customer’s obligations to Data Subjects exercising rights afforded by Data Protection Laws, including Chapter III of GDPR. Calendly will correct Personal Data as soon as reasonably practicable upon receiving a request from Customer to correct an error or omission in the Personal Data that is in Calendly’s possession or under Calendly’s control.
Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, Calendly shall make available to Customer (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate Calendly’s compliance with the obligations set forth in this DPA.
9.1 Conflict. In the event of any conflict or inconsistency between this DPA and Data Protection Laws, Data Protection Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the Processing of Personal Data.
9.2 Amendments. This DPA shall not be modified except by a written instrument signed by the parties. To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with Data Protection Laws or changes to Data Protection Laws, Customer and Calendly agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Data Protection Laws.
9.3 Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and appendices.
9.4 Entire Agreement. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. This DPA, together with the Agreement, is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to the subject matter.
Exhibit A: Standard Contractual Clauses
This Annex forms part of the Standard Contractual Clauses
Data exporter is Customer.
Address: the Customer’s address set out in the Agreement.
Contact person’s name, position, and contact details: the Customer’s contact details as set out in the Agreement/order form.
Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Agreement.
The data importer is Calendly.
Address: 88 N Avondale Road #603, Avondale Estates, GA 30002
Contact person’s name, position, and contact details:
Frank Russo, CISO
Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Agreement.
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to Calendly, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: (i) the data exporter’s end-users which may include its employees, contractors, representatives, business partners, collaborators, and customers, and (ii) persons with whom data exporter is scheduling appointments through use of data importer’s Services which may include its representatives, business partners, collaborators, customers, and potential customers.
Categories of personal data transferred
Data exporter may submit Personal Data to Calendly, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) Connection data; (g) Localisation data; and (h) other data in an electronic form used by Customer in the context of the Services.
Sensitive data transferred (if applicable)
The Frequency of the Transfer
Nature of the processing
The processes may include collection, storage, retrieval, consultation, use, erasure or destruction, disclosure by transmission, dissemination, or otherwise making available data exporter’s data as necessary to provide the Services in accordance with the data exporter’s instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.).
Purpose(s) of the data transfer and further processing
The objective of the processing of Personal Data by the data importer is the performance of the contractual services related to the Agreement with the data exporter.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
Personal data is retained for so long as is reasonably necessary to fulfill the purposes for which the data was collected, to perform our contractual and legal obligations, and for any applicable statute of limitations periods for the purposes of bringing and defending claims.
Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13
Irish Data Protection Commission
Annex II: Technical And Organisational Measures Including Technical And Organisational Measures To Ensure The Security Of The Data
The description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) can be found at https://calendly.com/security.
Annex III: Processor’s Sub-Processors
The Customer has authorised the use of the listed Sub-processors effective as of the date of this DPA and can be found here: Calendly Sub-processors