Data Processing Agreement

This Caspio Data Processing Agreement (“DPA”) forms part of, and is subject to the provisions of, the Caspio Terms of Service. Capitalized terms not defined in this DPA have the meanings set forth in the Terms of Service.

For inquiries pertaining to this DPA, contact Caspio at https://www.caspio.com/contact-caspio-privacy.

DEFINITIONS

The following definitions apply solely to this DPA. Capitalized terms not defined below have the meanings set forth in the Terms of Service Definitions section.

“Applicable Data Protection Law” means any data protection or data privacy law or regulation applicable to Customer Data, including the GDPR, the UK GDPR, the e-Privacy Directive 2002/58/EC, and the Swiss Federal Act on Data Protection.

“Data Controller,” “Data Subject,” “Personal Data,” “Process,” “Processing,” “Processor,” and “Data Processor” have the meanings given in the Applicable Data Protection Law.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Security Incident” means an actual breach of security of the Service or Caspio’s systems used to process Customer Data that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

“Sub-Processor” means an entity engaged by Caspio to process Customer Data.

“UK GDPR” means the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018.

APPLICABILITY

This DPA applies to the extent that Caspio processes Customer Data containing Personal Data on behalf of Customer and such processing is subject to Applicable Data Protection Law. Caspio is not responsible for Personal Data that Customer has elected to process through third-party services or outside of the Service, including through third-party cloud services, offline, or on-premises storage.

DETAILS OF DATA PROCESSING

Subject Matter. The processing of Personal Data by Caspio on behalf of Customer in connection with the provision of the Service.

Duration. For the duration of the Agreement between Customer and Caspio, as determined by Customer’s use of the Service.

Purpose. The provision of the Service as initiated and configured by Customer.

Nature of the Processing. Computing, storage, application hosting, and such other processing as necessary to provide the Service at Customer’s instruction.

Type of Personal Data. Customer Data relating to End Users, Customer’s staff, or other individuals whose Personal Data is processed through Customer’s Account.

Categories of Data Subjects. End Users and any other individuals whose Personal Data Customer uses the Service to process.

PROCESSING ROLES

This DPA applies when Customer Data is processed by Caspio. In this context, Caspio will act as “Data Processor” or “Sub-Processor” to Customer, who may act either as “Data Controller” or “Data Processor” with respect to Customer Data, as defined by Applicable Data Protection Law.

Where Customer operates a HIPAA Account, processing of Protected Health Information is governed by the Business Associate Agreement between the parties, which takes precedence over this DPA to the extent of any conflict.

DESCRIPTION OF PROCESSING ACTIVITIES

Caspio will process Customer Data for the purpose of providing Customer with the Service, as may be used, configured, or modified from within Customer’s Account. For example, depending on how Customer uses the Service, Caspio may process Customer Data in order to (a) collect, organize, report, or analyze data from End Users through forms and applications deployed from Customer’s Account; (b) email End Users on Customer’s behalf at Customer’s instruction; (c) authenticate authorized End Users so they can access data and applications that Customer controls; or (d) analyze Customer Data using AI Tools at Customer’s election. There may be other processing activities undertaken by Caspio pursuant to the manner in which Customer designs or employs the Service.

Caspio will process Customer Data in accordance with the Terms of Service and instructions Customer provides through Customer’s Account. Customer agrees that the Terms of Service and the instructions given through Customer’s Account are Customer’s complete and final instructions to Caspio in relation to Customer Data. Additional instructions outside the scope of this DPA require prior written agreement between Customer and Caspio, including agreement on any additional fees payable by Customer for carrying out such instructions.

Categories of data subjects may include Customer’s employees, contractors, end users, and any other individuals whose data Customer collects or processes through the Service. Types of personal data processed depend on Customer’s use of the Service and may include names, contact information, identification numbers, IP addresses, and any other personal data Customer collects through forms and applications deployed from Customer’s Account. Processing will continue for the duration of the Agreement unless otherwise required by applicable law.

COMPLIANCE WITH LAWS

Customer will ensure that its instructions comply with all laws, regulations, and rules applicable to Customer Data, and that Customer Data is collected lawfully by or on behalf of Customer and provided to Caspio in accordance with such laws, regulations, and rules. Customer will also ensure that the processing of Customer Data in accordance with Customer’s instructions will not cause or result in either party breaching any applicable laws, regulations, or rules, including Applicable Data Protection Law.

Customer is responsible for reviewing the information available from Caspio relating to data security pursuant to this Agreement, and for making an independent determination as to whether the Service meets Customer’s requirements and legal obligations, including obligations under this DPA. Caspio will not access or use Customer Data except as provided in this Agreement, as necessary to maintain or provide the Service, or as necessary to comply with the law or a binding order of a governmental, law enforcement, or regulatory body.

Customer is responsible for any liability or expenses arising from Caspio’s compliance with Customer’s instructions or requests pursuant to the Terms of Service that fall outside the standard functionality of the Service, including the cost of transferring Customer Data to third-party services outside of the Service. If Caspio determines that a processing instruction from Customer infringes on Applicable Data Protection Law, Caspio will promptly notify Customer.

NOTIFICATION OF SECURITY INCIDENT

Caspio will (a) notify Customer without undue delay after becoming aware of and confirming the occurrence of a Security Incident for which notification is required under Applicable Data Protection Law; and (b) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident. Caspio will deliver such notification to one or more of Customer’s Account administrators by any means Caspio selects, including email. Caspio will provide Customer with such information about the Security Incident as Caspio is reasonably able to disclose, taking into account the nature of the Service, the information available to Caspio, and any confidentiality restrictions.

Customer will cooperate with Caspio’s investigation of any Security Incident as reasonably requested.

Caspio’s obligation to report or respond to a Security Incident under this section shall not be construed as an acknowledgment of any fault or liability on the part of Caspio. Caspio’s obligations under this section do not apply to incidents caused by Customer, activity in Customer’s Account, or third-party services.

REASONABLE ASSISTANCE WITH COMPLIANCE

To the extent that Customer cannot reasonably do so through the Service or Customer’s Account, Caspio will provide reasonable assistance to Customer in the event of an investigation by a data protection regulator or similar competent authority, if and to the extent that such investigation relates to the processing of Customer Data by Caspio on Customer’s behalf under this DPA. Caspio may charge Customer a reasonable fee for such assistance, except where the investigation arises from a breach by Caspio of the Terms of Service or this DPA.

SECURITY MEASURES

Caspio will maintain commercially reasonable technical and organizational measures designed to protect Customer Data in accordance with Applicable Data Protection Law. Caspio maintains industry-recognized security certifications and will provide details of its then-current certifications upon Customer’s written request.

Upon Customer’s written request, Caspio will provide a description of its then-current security measures, subject to Customer’s prior execution of a non-disclosure agreement with Caspio.

Caspio may update its security measures from time to time, provided that such updates do not materially diminish the overall security of Customer Data.

Caspio will ensure that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations and process Customer Data only in accordance with Caspio’s instructions, except where otherwise required by applicable law.

SUB-PROCESSORS

Caspio may engage Sub-Processors to process Customer Data in connection with providing the Service. Caspio will impose contractual obligations on each Sub-Processor that provide at least the same level of data protection as those set forth in this DPA in all material respects, and will require each Sub-Processor to impose equivalent obligations on any further sub-contractors engaged to process Customer Data.

Caspio’s current Sub-Processors are:

• Amazon Web Services, Inc.
• Twilio, Inc.
• OpenAI OpCo, LLC

Caspio will notify Customer at least thirty (30) days in advance of any addition or replacement of a Sub-Processor, except for emergency replacements or removal of a Sub-Processor without replacement.

If Customer reasonably objects to a new or replacement Sub-Processor on data protection grounds, Caspio will use commercially reasonable efforts to provide Customer a means of avoiding processing by the objected-to Sub-Processor. If Caspio is unable to do so within a reasonable period, Caspio will notify Customer, and Customer may terminate the affected portion of the Service or, where that is not feasible, the Agreement. Any such termination will be subject to the termination provisions in the Terms of Service.

Except as set forth in this section or as otherwise authorized by Customer, Caspio will not permit any Sub-Processor to access Customer Data.

Caspio remains responsible for acts or omissions of its Sub-Processors (and their further sub-contractors) to the extent such acts or omissions cause Caspio to breach its obligations under this DPA, subject to the limitations of liability set forth in the Terms of Service.

Third-party services that Customer independently connects to its Account through available platform integrations (such as payment processors, communication tools, or automation services) are not Caspio Sub-Processors. Customer’s use of such services is governed by Customer’s own agreements with those providers.

CONFIDENTIALITY

Caspio will not disclose Customer Data to any government or other third party except (a) as authorized under the Sub-Processors section of this DPA, (b) as expressly permitted by Customer, or (c) as necessary to comply with applicable law or a valid and binding order of a law enforcement agency. Where legally permitted, Caspio will notify Customer of any such legally compelled disclosure before it occurs.

INFORMATION REQUESTS

Caspio will make available to Customer information reasonably necessary to demonstrate Caspio’s compliance with its obligations under this DPA.

Upon Customer’s written request and no more than once per twelve-month period, Caspio will allow for and contribute to audits of its data processing practices, subject to reasonable advance notice and conducted during normal business hours. Where Caspio’s existing security certifications or audit reports (such as SOC 2) reasonably address Customer’s audit requirements, Caspio may provide those in lieu of a separate audit.

Caspio will assist Customer with any legally required data protection impact assessments and related supervisory authority consultations, taking into account the nature of processing and the information available to Caspio.

Caspio may charge a reasonable fee for assistance with information requests, audits, or impact assessments, as permitted by applicable law.

DATA SUBJECT REQUESTS

Customer is responsible for handling any requests or complaints from data subjects with respect to personal data processed by Caspio as Customer Data under this DPA. If Caspio receives any such request or complaint, Caspio will promptly notify Customer, unless prohibited by applicable law. Caspio will not respond directly to a data subject unless instructed by Customer or required by applicable law.

Caspio will provide Customer with reasonable assistance in responding to data subject requests, taking into account the nature of processing. Caspio may charge a reasonable fee for assistance beyond initial notification.

DATA TRANSFERS

Customer Data is stored in the infrastructure region selected by Customer. Caspio will not transfer Customer Data outside the selected region except as necessary to provide the Service or as authorized by Customer.

Where the provision of the Service requires transfer of Customer Data outside the country in which it was originally collected, Caspio will ensure that any such transfer is made pursuant to a lawful transfer mechanism recognized under Applicable Data Protection Law as providing an adequate level of protection, including, where applicable, the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.

If any transfer mechanism relied upon by Caspio is invalidated or otherwise ceases to provide an adequate basis for transfer, Caspio will use commercially reasonable efforts to adopt an alternative lawful transfer mechanism.

RETURN OR DELETION OF CUSTOMER DATA

The Service provides features that allow Customer to download and delete Customer Data during the term of the Agreement. Customer is responsible for retrieving any Customer Data it wishes to retain prior to termination.

Upon termination of Customer’s Account for any reason, Caspio will delete Customer Data, including backup copies, within thirty (30) days, subject to Caspio’s applicable legal obligations. System logs that may contain fragments of Customer Data will be retained in accordance with Caspio’s data retention policies and applicable regulatory requirements, including where extended retention is required for compliance purposes. Retrieval of Customer Data after termination may be available at Caspio’s discretion and subject to applicable fees.

Customer’s requests to delete Customer Data may not be fulfilled to the extent Caspio is required to retain such data under applicable law or Applicable Data Protection Law.

LIMITATIONS OF LIABILITY

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

Any regulatory penalties, fines, or third-party claims incurred by Caspio arising from or in connection with Customer’s failure to comply with its obligations under this DPA or Applicable Data Protection Law will count toward and reduce Caspio’s aggregate liability to Customer under the Terms of Service.

CONFLICT AND TERMINATION

In the event of a conflict between this DPA and the Terms of Service, this DPA will prevail. This DPA will remain in effect for the duration of the Terms of Service and will automatically terminate upon completion of Caspio’s data deletion obligations under this DPA.