This Data Processing Addendum (“DPA”) forms part of the Main Services Agreement or other written or electronic agreement between SevenRooms and Client for the purchase of Services from SevenRooms (the “Agreement”) and reflects the parties’ agreement with regard to the Processing of Client Personal Data.
By signing the Agreement, Client enters into this DPA on behalf of itself and, to the extent permitted under applicable laws, in the name and on behalf of its Affiliates, if and to the extent SevenRooms Processes Personal Data for which such Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Client” shall include Client and its Affiliates. All capitalized terms used but not defined herein shall have the meanings ascribed to such terms in the Agreement.
In the course of providing the Services to Client pursuant to the Agreement, SevenRooms will Process Client Personal Data, and the Parties agree to comply with the following provisions with respect to the Processing of Client Personal Data, each acting reasonably and in good faith. For the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules.
1. DEFINITIONS
“Affiliate” means with respect to a party an entity that (i) controls, (ii) is controlled by, or (iii) is under common control with such party. An entity will be deemed to control another entity if it has the power to direct or cause direction of the management or policies of such entity, whether through the ownership or voting securities, by contract, or otherwise.
“Client Personal Data” means all Personal Data Processed by SevenRooms or its Sub-processors on behalf of Client or its Affiliates pursuant to or in connection with the Agreement. For the avoidance of doubt, information that has been anonymized (to the standard required by the GDPR) or deidentified (as defined in the CCPA) shall not be Client Personal Data hereunder.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Privacy Law” means, as applicable, European Data Protection Laws, the CCPA and all other applicable laws, rules and regulations relating to the Processing of Personal Data and data privacy or data protection that may exist in any jurisdiction directly applicable to SevenRooms’ Processing of Client Personal Data under the Agreement.
“Data Subject” means the identified or identifiable natural person to whom Client Personal Data relates.
“European Data Protection Laws” means (i) the GDPR; (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) the United Kingdom’s Privacy and Electronic Communications (EC Directive) Regulations 2003.
“European Data” means Client Personal Data that is subject to European Data Protection Laws.
“EEA” means the European Economic Area.
“GDPR” means, as and where applicable to the Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case, any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing.
“Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar terms defined in applicable Data Privacy Laws.
“Personal Data Breach” means a breach of SevenRooms’ security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in SevenRooms’ possession, custody or control.
“Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
“Restricted Transfer” means the disclosure, grant of access or other transfer of Client Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under the GDPR.
“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
“Sub-processor” means any person (including any third-party and any Affiliate of SevenRooms, but excluding an employee of SevenRooms) appointed by or on behalf of SevenRooms or any of its Affiliates to Process Client Personal Data.
“UK Transfer Addendum” means the template Addendum B.1.0 issued by the UK’s Information Commissioner’s Office and laid before the UK Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
The terms, “Commission”, “Data Protection Impact Assessment”, “Member State”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. PROCESSING OF PERSONAL DATA
2.1 Details of the Processing. The parties acknowledge and agree that with regard to the Processing of Client Personal Data, Client is the Controller, SevenRooms is the Processor. The subject matter, duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
2.2 Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data, including through its engagement of SevenRooms as Processor, in accordance with the requirements of Data Privacy Law. For the avoidance of doubt, Client’s instructions for the Processing of Client Personal Data shall comply with Data Privacy Law. This DPA and the Agreement are, at the time of signature of the Agreement, Client’s complete documented instructions to SevenRooms for the Processing of Client Personal Data. Any additional or alternate instructions must be agreed upon and documented pursuant to a written amendment to this DPA. Client shall have sole responsibility for (a) the accuracy of Client Personal Data, (b) the means by which Client acquired such Client Personal Data and (c) ensuring that all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as required by Data Privacy Law, relating to the Processing by SevenRooms of Client Personal Data.
2.3 SevenRooms’s Processing of Client Personal Data. SevenRooms shall not Process Client Personal Data other than on Client’s written instructions or as required or permitted by applicable laws (including Data Privacy Law). Client instructs SevenRooms to Process Client Personal Data to provide the Services to Client and in accordance with the Agreement. SevenRooms will Process Client Personal Data in compliance with Data Privacy Law, provided however that SevenRooms shall not be in violation of this contractual obligation in the event that SevenRooms’s Processing of Client Personal Data in breach of Data Privacy Law is attributable to the documented instructions of Client or is otherwise due to acts or omissions of Client; provided further, that SevenRooms shall inform Client if, in SevenRooms’s opinion, any instruction given by the Client violates or is otherwise non-compliant with Data Privacy Law. Where SevenRooms is compelled by applicable laws to Process Client Personal Data, SevenRooms shall promptly notify Client before performing the Processing so compelled unless applicable laws prohibit SevenRooms from notifying Client.
2.4 General. Taking into account the nature of the Processing of Client Personal Data and information available to SevenRooms, subject to the specific provisions of this DPA, SevenRooms shall provide such information and assistance to Client as Client may reasonably request (insofar as such information is available to SevenRooms and the sharing thereof does not compromise the security, confidentiality, integrity or availability of Personal Data Processed by SevenRooms) to help Client meet its obligations under Data Privacy Law. SevenRooms shall make available to the Client such information as Client may reasonably request for SevenRooms to demonstrate compliance with Data Privacy Law and this DPA, to the extent SevenRooms is in possession of such information.
3. PLATFORM ANALYSIS
3.1 General. In connection with the provision of its Services to its clients, SevenRooms may, and Client hereby authorizes SevenRooms to, Process certain Personal Data comprised within log-level / event-level records for the purposes of user behavior analysis, which may be used to develop, enhance and/or improve SevenRooms’ security, products, and services, including certain aggregation, anonymization, de-identification or pseudonymization of such data (“Platform Analysis”).
3.2 GDPR Considerations. Where the GDPR applies to Platform Analysis, SevenRooms acts as an independent Controller in respect of such Processing for the purposes of Platform Analysis, and shall (a) comply with GDPR in respect of such Processing; (b) safeguard Personal Data subject to Platform Analysis with security measures that are no less protective than those required by this DPA; and (c) not disclose any Personal Data subject to Platform Analysis that identifies Client and/or any relevant Data Subjects to any third parties (other than its affiliates and Processors) unless permitted under the Agreement and/or this DPA, and/or the disclosure is required in order to comply with applicable law.
3.3. Client Warranty. Client warrants and represents on an ongoing basis that Platform Analysis is ‘compatible’ (having regard to the factors and considerations outlined in Article 5(1)(b) and Article 6(4) of the GDPR) with the purpose(s) for which the Personal Data subject to Platform Analysis was initially collected.
4. SEVENROOMS PERSONNEL
4.1 Confidentiality. Where required by Data Privacy Law, SevenRooms shall ensure that its personnel engaged in the Processing of Client Personal Data have either executed written confidentiality agreements committing them to holding Client Personal Data in confidence or are under an appropriate statutory obligation of confidentiality.
4.2 Limitation of Access. SevenRooms shall take commercially reasonable steps to ensure that SevenRooms’ personnel’s access to Client Personal Data is strictly limited to those personnel requiring such access to perform the Services in accordance with the Agreement.
5. DATA SUBJECT REQUESTS
5.1 Data Subject Requests. Taking into account the nature of the Processing, SevenRooms shall assist Client by providing appropriate technical and organizational measures to assist Client in the fulfillment of Client’s obligation to respond to requests from Data Subjects to exercise their rights under applicable Data Privacy Law (“Data Subject Requests”).
5.2 Client Controls. The Services provide Client with a number of controls that Client may use to retrieve, correct, delete or restrict Client Personal Data which Client may use to assist it in connection with its obligations under Data Privacy Law, including its obligations relating to responding to Data Subject Requests. To the extent that Client is unable to independently address a Data Subject Request through the Services, then, upon Client’s written request, SevenRooms shall provide reasonable assistance to Client to respond to any Data Subject Requests.
5.3 Data Subject Requests to SevenRooms. If a Data Subject Request is made directly to SevenRooms, it shall, to the extent legally permitted and to the extent SevenRooms is able to identify that the Data Subject Request comes from a Data Subject whose Personal Data was submitted to the Services by or on behalf of Client, promptly notify Client. SevenRooms shall not respond to a Data Subject Request without Client’s prior written instruction to do so except (a) to confirm that such Data Subject Request relates to Client, to which Client hereby agrees, and (b) as required by applicable law, in which case SevenRooms shall, to the extent permitted by applicable law, inform Client of that legal requirement before SevenRooms responds to the Data Subject Request. Client shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Client Personal Data.
6. SUB-PROCESSORS
6.1 Use of Sub-processors. Client acknowledges and agrees that (a) SevenRooms’s Affiliates may be retained as Sub-processors; and (b) SevenRooms and SevenRooms’s Affiliates, respectively, may engage third-party Sub-processors for the provision of the Services and related Processing of Client Personal Data. Where SevenRooms engages any Sub-processor as described in this Section 6:
(i) SevenRooms will restrict the Sub-processors’ access to Client Personal Data only to what is necessary to maintain the Services or to provide the Services to Client and its Users;
(ii) SevenRooms will enter into a written agreement with the Sub-processor containing data protection obligations not less protective than those in this DPA with respect of Client Personal Data and to the extent applicable to the nature of the services provided by such Sub-processor; and
(iii) SevenRooms will remain liable for any acts or omissions of all Sub-processors under or in connection with this DPA to the same extent SevenRooms would be liable under the terms of this DPA if performing such services itself directly.
6.2 List of Current Sub-processors and Notification of New Sub-processors. A list of Sub-processors is available at https://www.sevenrooms.com/en/subprocessors/ (“Sub-processor Site”). Client hereby agrees to subscribe to the mechanism in the Sub-processor Site that allows Client to receive notifications of additional or replacement Sub-processors. Such Sub-processor Site includes the identities of SevenRooms’ Sub-processors, their country of location as well as the type of Processing they perform. Client may object to SevenRooms’ use of a new Sub-processor by notifying SevenRooms in writing within ten (10) business days after receipt of a notification in accordance with the mechanism set out in this Section 6.2. SevenRooms shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and where such a change cannot be made within thirty (30) calendar days from receipt by SevenRooms of Client’s notice, notwithstanding anything in the Agreement, Client may by written notice to SevenRooms with immediate effect terminate those Services which require the use of the proposed Sub-processor objected to by Client.
7. SECURITY
7.1 Controls for the Protection of Client Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of Data Subjects, SevenRooms shall maintain appropriate technical and organizational measures for protection of the security (including protection against Personal Data Breach), confidentiality and integrity of Client Personal Data, including (without limitation) those measures set out in Article 32 of the GDPR, and as described in Schedule 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, SevenRooms may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures, and provided those Security Measures comply with Data Privacy Law. Client agrees that the Services, the Security Measures, and SevenRooms’ commitments under this DPA are adequate to meet Client’s needs, including with respect to any security obligations of Client under Data Privacy Law, and provide a level of security appropriate to the risk in respect of Client Personal Data.
7.2 Third Party Certifications. Upon Client’s written request at reasonable intervals (as provided below), and subject to the confidentiality obligations set forth in the Agreement, SevenRooms shall allow for and contribute to audits and inspections (“Audits”) conducted by Client (or Client’s independent, third-party auditor that is not a competitor of SevenRooms and that is subject to confidentiality obligations at least as restrictive as those set forth in the Agreement) by providing any information reasonably necessary to demonstrate SevenRooms’s compliance with the obligations set forth in this DPA in the form of a copy of SevenRooms’s then most recent third-party audits or certifications, as applicable, that SevenRooms makes available to its clients generally.
7.3 Right to Audit. SevenRooms shall maintain complete and accurate records and information to demonstrate its compliance with this DPA, and Client (or its permitted third-party auditor as provided above) may perform an Audit remotely or on-site, up to one (1) time per calendar year, with at least three (3) weeks’ advance written notice, unless otherwise required by Client’s regulators or applicable law. If Client requests an on-site Audit, the following terms shall apply: (a) such Audit shall be limited to facilities operated by SevenRooms and shall not exceed one (1) business day; (b) before the commencement of any such on-site Audit, Client and SevenRooms shall mutually agree upon the scope and timing of, and procedures relating to, the Audit with a view towards minimizing the disruption of SevenRooms’s business; (c) Client shall reimburse SevenRooms for actual expenses and costs incurred in connection with such Audit; and (d) Client shall promptly notify SevenRooms with reasonably detailed information regarding any non-compliance discovered during the course of an Audit. Client shall not conduct any scans or technical or operational testing of SevenRooms’ applications, websites, services, networks or systems without SevenRooms’ prior approval (which shall not be unreasonably withheld). Any information obtained by Client in connection with an audit or inspection conducted under this Section 7.3 shall constitute the confidential information of SevenRooms, which Client shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Client’s obligations under Data Privacy Law.
7.4 Audits Pursuant to SCCs. The parties agree that the audits described in Clause 8.9 of the SCCs shall be carried out in accordance with the foregoing Sections 7.2 and 7.3.
7.5 Personal Data Breaches. SevenRooms will notify Client without undue delay after it becomes aware of any Personal Data Breach and shall provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Client. At Client’s request, SevenRooms will promptly provide Client with such reasonable assistance as necessary to enable Client to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if and to the extent Client is required to do so under Data Privacy Law. SevenRooms’ notification of or response to a Personal Data Breach shall not be construed as SevenRooms’ acknowledgment of any fault or liability with respect to the Personal Data Breach. If Client determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental entity, any Data Subject(s), the public or others under Data Privacy Law, to the extent such notice directly or indirectly refers to or identifies SevenRooms, where permitted by applicable laws, Client agrees to (i) notify SevenRooms in advance, and (ii) in good faith, consult with SevenRooms and consider any clarifications or corrections SevenRooms may reasonably recommend or request to any such notification which relate to SevenRooms’ involvement in or relevance to such Personal Data Breach.
8. DATA TRANSFERS
8.1 Transfers Generally. Client acknowledges and agrees that SevenRooms may access and Process Client Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Client Personal Data will be transferred to and Processed by SevenRooms in the United States and to other jurisdictions where SevenRooms and its Affiliates and Sub-processors have operations. SevenRooms shall ensure such transfers are made in compliance with the requirements of Data Privacy Law.
Transfers from SevenRooms
8.2 Transfer Mechanisms for European Data. SevenRooms shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, to a recipient that has executed appropriate standard contractual clauses adopted or approved by a competent authority, or transferring data in accordance with certain derogations under the GDPR.
Transfers to SevenRooms
8.3 Order of Preference. In the event the Services are covered by more than one transfer mechanism, the transfer of personal data will be subject to a single transfer mechanism, as applicable, and in accordance with the following order of precedence: (a) the EU-US Data Privacy Framework , the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth in Section 8.4 (“Data Privacy Framework”); (b) the EU Standard Contractual Clauses as set forth in 8.5; (c) the UK Transfer Addendum as set forth in Section 8.6; and, if neither (a), (b), (c), nor (d) is applicable, then (e) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
8.4 Data Privacy Framework. To the extent SevenRooms processes any personal data via the Services originating from the EEA, UK or Switzerland, SevenRooms represents that it. is self-certified under the Data Privacy Framework and complies with the associated Data Privacy Principles when processing any such personal data. To the extent that Client is (a) located in the United States of America and is self-certified under the Data Privacy Framework or (b) located in the EEA, UK or Switzerland, SevenRooms further agrees (i) to provide at least the same level of protection to any personal data as required by the Data Privacy Principles; (ii) to apply an alternative transfer mechanism in accordance with the order of precedence in 8.3 if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated; and (iii) upon written notice, to work with Client to take reasonable and appropriate steps to stop and remediate any unauthorized processing of personal data.
8.5 EEA Restricted Transfers and SCCs. Pursuant to the order of preference in 8.3, to the extent that any Processing of European Data under this DPA involves an EEA Restricted Transfer from Client to SevenRooms, the parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) populated in accordance with Part 1 of Schedule 3; and (ii) entered into by the parties and incorporated by reference into this DPA.
8.6 UK Transfer Addendum. Pursuant to the order of preference in 8.3, to the extent that any Processing of European Data under this DPA involves a UK Restricted Transfer from Client to SevenRooms, the parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Schedule 3; and (ii) entered into by the parties and incorporated by reference into this DPA.
8.7 Adoption of New Transfer Mechanism. SevenRooms may on notice vary this DPA and replace the relevant SCCs with: (i) any new form of the relevant SCCs or any replacement therefore prepared and populated accordingly; or (ii) another transfer mechanism, other than the SCCs, that enables the lawful transfer of European Data by Client to SevenRooms under this DPA in compliance with the GDPR.
8.8 Provision of full-form SCCs. In respect of any given Restricted Transfer under the SCCs, if requested by Client by a Supervisory Authority or Data Subject – on specific written request and accompanied by suitable supporting evidence of the relevant request, SevenRooms shall provide Client with an executed version of the relevant set(s) of SCCs responsive to the request made of Client (amended and populated in accordance with Part 1 of Schedule 3 in respect of the relevant Restricted Transfer) for countersignature by Client, onward provision to the relevant requestor, and/or storage to evidence Client’s compliance with Data Privacy Laws.
9. LIMITATIONS OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement including this DPA; provided that nothing in this Section 9 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
10. TERMINATION
The term of this DPA will end simultaneously and automatically at the later of (i) the date of expiration or termination of the Agreement and (ii) the first date when all Client Personal Data is deleted from SevenRooms’s systems, without prejudice to the terms of this Section 10. After the termination of this DPA, SevenRooms will delete or return all Client Personal Data (including copies thereof) promptly upon its receipt of written notice from Client specifying whether it chooses for such Client Personal Data to be deleted or returned, save that this requirement shall not apply to the extent SevenRooms is required by applicable law to retain some or all of the Client Personal Data.
11. CALIFORNIA CONSUMER PRIVACY ACT OF 2018
The following applies to any Personal Information (as defined under the CCPA) Processed on behalf of Client:
11.1 It is the parties’ intent that with respect to any Personal Information, SevenRooms is a service provider with respect to its Processing of such Personal Information. SevenRooms (a) acknowledges that Personal Information is disclosed by Client only for limited and specified purposes described in the Agreement ; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) shall notify Client in writing, no later than five (5) business days, of any determination made by SevenRooms that it can no longer meet its obligations under the CCPA; and (d) agrees that Client has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
11.2 SevenRooms agrees that Client may conduct audits, in accordance with Section 7.3 of the DPA, to help ensure that SevenRooms’s use of Personal Information is consistent with SevenRooms’s obligations under the CCPA.
11.3 SevenRooms shall not (a) sell or share any Personal Information; (b) retain, use or disclose any Personal Information for any commercial purpose other than for the business purpose of providing the Services specified in the Agreement, or as otherwise permitted by the CCPA, (c) retain, use or disclose the Personal Information outside of the direct business relationship between SevenRooms and Client, or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) or collected from SevenRooms’s own interaction with any Consumer to whom such Personal Information pertains. SevenRooms hereby certifies that it understands its obligations under this Section 11.3 and will comply with them.
11.4 SevenRooms’ notice to Client of Sub-Processor engagements in accordance with Section 6 of the DPA shall satisfy SevenRooms’ obligation under the CPRA to give notice of such engagements.
11.5 The parties acknowledge that SevenRooms’s retention, use and disclosure of Personal Information authorized by Client’s instructions documented in the Agreement are integral to SevenRooms’s provision of the Services and the business relationship between the parties.
12. GENERAL
12.1 SevenRooms may update the terms of this Addendum from time to time; provided, however, SevenRooms will provide at least thirty (30) days prior written notice to Client when an update is required as a result of (a) changes in applicable Data Privacy Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.
12.2 For the purposes of this DPA the contact information of each party are set forth below but may be updated by either party upon written notice to the other:
For SevenRooms:
privacy@sevenrooms.com
For Client:
See Order Form
12.3 This DPA represents the entire understanding of the parties relating to the Agreement arising out of the Processing of Personal Data and their relationship under Data Privacy Law.
12.4 The parties to this DPA hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims that arise under this DPA, without prejudice to the choice of law and jurisdiction stipulated in the SCCs.
Personal Data Processing Details
SEVENROOMS / ‘DATA IMPORTER’ DETAILS
Name:
Address:
Contact Details for Data Protection:
Client Activities:
Role:
SevenRooms, Inc.
228 Park Avenue South, PMB 33706, New York, New York 10003-1502, US
privacy@sevenrooms.com
SevenRooms is a software-as-a-service platform that helps hospitality operators create customer experiences designed to increase profitability and repeat business
Processor
CLIENT / ‘DATA EXPORTER’ DETAILS
Name:
Address:
Contact Details for Data Protection:
Client Activities:
Role:
As set out in the Order Form
As set out in the Order Form
As set out in the Order Form
Client’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations
Controller where Client is a Controller of Client Personal Data in its own right
Processor where Client is a Processor acting on behalf of any other person (including its Affiliates if and where applicable)
DATA PROCESSING DETAILS
SUBJECT MATTER:
DURATION OF PROCESSING:
The subject matter of the Processing under this DPA is Client Personal Data.
As between SevenRooms and Client the duration of the Processing under this DPA is determined by Client; provided that, generally the duration of the Processing of Client Personal Data shall be for the duration of the Agreement and for the minimum period thereafter required to wind-down the parties’ relationship under the Agreement and properly return or dispose of Client Personal Data.
NATURE OF THE PROCESSING:
Computing, storing and such other Services as described in the Agreement.
CATEGORIES OF DATA SUBJECTS, TYPES OF CLIENT PERSONAL DATA AND PURPOSE OF PROCESSING ORGANIZED BY SEVENROOMS SERVICE
SevenRooms Service
Categories of Data Subjects
Type of Client Personal Data
Purpose of the Processing
Concierge
Venue Guests
Concierge Staff
First Name
Last Name
IP Address (of user)
Email Address (optional)
Phone Number (optional)
Special Occasion (optional)
Occupation (optional)
– Booking and fulfilling reservations as requested by the guest
– User account definition, privilege level, and access to use the platform
– Provide visibility over guest reservations within Client’s restaurant group (including Affiliates)
Contactless Order and Pay
Venue Guests
Venue Staff
First Name
Last Name
Job/Title (optional)
IP Address (Activity logs)
– Capture Guest’s order for Venue fulfillment
– User account definition, privilege level, and access to use the platform
CRM
Venue Guests
Venue Staff
First Name
Last Name
IP Address (of user)
Email Address (optional)
Phone Number (optional)
Membership Number
Dietary Restrictions (optional)
Birthday (optional)
Special Occasion (optional)
Address (optional)
Occupation (optional)
Social ID (optional)
Picture (optional)
Free Form Data Entry
– Managing Client profile data (CRM)
– Correcting information as requested by the guest, and capturing Guest preferences or special requests
– Building a profile for Guests at the inception of our Clients’ use of the platform
– Provide visibility over guest reservations within Client’s restaurant group (including Affiliates)
Guest Satisfaction
Venue Staff
First Name
Last Name
Job/Title (optional)
IP Address (Activity logs)
– User account definition, privilege level, and access to use the platform
Marketing Automation
Venue Staff
First Name
Last Name
Job/Title (optional)
IP Address (Activity logs)
– User account definition, privilege level, and access to use the platform
Online Ordering
Venue Guests
Venue Staff
First Name
Last Name
Email Address (optional)
Phone Number (optional)
Address (optional)
– Capture Guest’s order for Venue fulfillment
Reservations
Venue Guests
Venue Staff
First Name
Last Name
Email Address
Phone Number
Membership Number
IP Address (of API user)
Dietary Restrictions (optional)
Birthday (optional)
Social ID (optional)
Special Occasion (optional)
Picture (optional)
Server Full Name
– Booking and fulfilling reservations and requests as requested by the Guest
– Transactional messaging
– Confirming an in-advance booking
– Guest may supply more details about their party or themselves for Venue accommodation
– Building a profile for Guests at the inception of our Clients’ use of the platform
– Managing server rotations during Venue operation
– Capturing POS server during Venue operation
– User account definition, privilege level, and access to use the platform.
– Provide visibility over guest reservations within Client’s restaurant group (including Affiliates)
Table Management
Venue Guests
Venue Staff
First Name
Last Name
IP Address (of user)
Email Address (optional)
Phone Number (optional)
Dietary Restrictions (optional)
Birthday (optional)
Address (optional)
Occupation (optional)
Spend (optional)
Server Full Name
– Booking and fulfilling reservations and requests as requested by the Guest
– Transactional messaging
– Confirming an in-advance booking
– Guest may supply more details about their party or themselves for Venue accommodation
– Building a profile for Guests at the inception of our Clients’ use of the platform
– Managing server rotations during Venue operation
– Capturing POS server during Venue operation
– User account definition, privilege level, and access to use the platform
Waitlist
Venue Guests
Venue Staff
First Name
Last Name
Email Address
Phone Number
IP Address (of guest)
Dietary Restrictions (optional)
Birthday (optional)
Social ID (optional)
Special Occasion (optional)
Picture (optional)
– Booking and fulfilling reservations and requests as requested by the Guest
– Transactional messaging
– User account definition, privilege level, and access to use the platform
Support Requests (Email)
Venue Staff
Concierge Staff
First Name
Last Name
Venue/Concierge Staff emailing into support@sevenrooms.com for assistance with the platform
SCHEDULE 2
SECURITY MEASURES
SevenRooms is committed to the protection of Personal Data and employs industry standards of technological internet and web application security to prevent security incidents from occurring. SevenRooms also maintains organizational and physical policies and procedures to enforce these standards.
SevenRooms maintains organizational policies and standards in the following areas:
SevenRooms technical infrastructure follows best practices for data protection and security:
Technical and organizational measures by which assistance shall be provided by SevenRooms to Client in respect of Data Subject Requests
SCHEDULE 3
POPULATION OF THE SCCs
PART 1: EEA RESTRICTED TRANSFERS
1. Signature of the SCCs. Where the SCCs apply in accordance with Section 8.5 of the DPA, each of the parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
2. Modules. The following Modules of the SCCs apply in the manner set out below (having regard to the role(s) of Client set out in Schedule 1 of the DPA:
1. Module Two of the SCCs applies to any EEA Restricted Transfer involving Processing of Client Personal Data in respect of which Client is a Controller in its own right; and
2. Module Three of the SCCs applies to any EEA Restricted Transfer involving Processing of Client Personal Data in respect of which Client is a Processor acting on behalf of any other person (including its Affiliates if and where applicable).
3. Population of the Body of the SCCs. For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
1. In Clause 7: the ‘Docking Clause’ is not used.
2. In Clause 9: ‘OPTION 2: GENERAL WRITTEN AUTHORISATION’ applies, and the minimum time period for advance notice of the addition or replacement of Sub-processors shall be the advance notice period set out in Section 6.2 of the DPA.
3. In Clause 11: the optional language is not used.
4. In Clause 13: all square brackets are removed and all text therein is retained.
5. In Clause 17: ‘OPTION 1’ applies, and the parties agree that the SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer.
6. In Clause 18(b): the parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland.
4. Population of the Annexes to the Appendices of the SCCs. The Annexes of the SCCs shall be populated as follows:
1. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Schedule 1 to the DPA, with: Client being ‘data exporter’; and SevenRooms being ‘data importer’.
2. Part C of Annex I to the Appendix to the SCCs is populated as below:
- The competent Supervisory Authority shall be determined as follows:
- Where the Client is established in an EU Member State: the competent Supervisory Authority shall be the Supervisory Authority of that EU Member State in which Client is established.
- Where the Client is not established in an EU Member State, Article 3(2) of the GDPR applies and Client has appointed an EU representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which Client’s EU representative relevant to the Processing hereunder is based (from time-to-time).
- Where the Client is not established in an EU Member State, Article 3(2) of the GDPR applies, but Client has not appointed an EU representative under Article 27 of the GDPR, the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State notified in writing to privacy@sevenrooms.com, which must be an EU Member State in which the Data Subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
3. Annex II to the Appendix to the SCCs is populated as below:
PART 2: UK RESTRICTED TRANSFERS
1.1 Where relevant in accordance with Section 8.6 of the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below
–
Part 1 to the UK Transfer Addendum. The parties agree: (i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Schedule 1 of the DPA and Part 1 of this Schedule 3 (subject to the variations effected by the UK Mandatory Clauses described in Paragraph 4.2 below); and (ii) Table 4 to the UK Transfer Addendum is completed by the box labeled ‘Data Importer’ being deemed to have been ticked.
Part 2 to the UK Transfer Addendum. The parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
1.2 As permitted by section 17 of the UK Mandatory Clauses, the parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in this Schedule 3; provided that the parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in section 3 of the UK Mandatory Clauses).
1.3 In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in this Part 2 of Schedule 3.