RingCentral Global Vendor Dpa Global Network User Guide
- June 15, 2024
- RingCentral
Table of Contents
RINGCENTRAL GLOBAL VENDOR DPA
If you have any questions regarding this DPA, how it is structured and how it applies to you, please email [email protected].
RINGCENTRAL
GLOBAL VENDOR DATA PROCESSING ADDENDUM
This Global Vendor Data Processing Addendum (“DPA”) forms part of the
agreement(s) between RingCentral Inc. and its affiliates (“RingCentral”) and
Vendor and its affiliates (“You” or “Your” or “Vendor”) (hereafter the
“Parties”) (the “Agreement”). The DPA reflects the Parties’ agreement with
regard to the access, processing, and storage of RingCentral Personal Data
(hereinafter also referred to as “RingCentral Data”) made available to you in
connection with Your performance of the Agreement, as more particularly
described in Annex I: Description of Data Processing. Capitalized terms,
unless expressly defined herein, shall have those meanings set forth in the
Agreement.
The DPA is constituted of the Global Data Processing Terms below in addition
to any regional or country specific privacy terms as may be applicable to Your
processing of RingCentral Data, as follows:
Global Data Processing Terms| applicable to ALL Vendors processing RingCentral
Data
---|---
EEA, UK and Switzerland Privacy Terms (Appendix 1)| applicable to Vendors
processing RingCentral Data originating from the EEA, the UK and Switzerland
US Privacy Terms (Appendix 2)| applicable to Vendors processing RingCentral
Data originating from the US
India Privacy Terms (Appendix 3)| applicable to Vendors processing RingCentral
Data originating from India
This DPA is in addition to, not in lieu of, any other contractual obligations
and applicable legal or regulatory obligations you may have with respect to
RingCentral Data. Except for the changes made by this DPA, the Agreement
remains unchanged and in full force and effect. This DPA shall replace any
existing agreement regarding the subject of this DPA or similar document that
the Parties may have previously entered into in connection with the services
covered by the Agreement. Where there is a conflict between this DPA and the
Agreement, the provisions of this DPA shall govern with regard to your
processing of RingCentral Data. Unless otherwise expressly stated, the
governing law and forum that apply to the Agreement shall also apply to the
DPA.
Any privacy related notice or inquiries shall be addressed to
[email protected].
GLOBAL DATA PROCESSING TERMS
You agree to be bound by these Global Data Processing Terms that apply to your processing of RingCentral Data irrespective of the location of the processing activities or the country of origin of the Personal Data.
-
OWNERSHIP AND CONTROL OF RINGCENTRAL DATA.
a. You understand and agree that performance of the Agreement or this DPA does not grant you any ownership interest in or title to any RingCentral Data.
b. You will process RingCentral Data on behalf of RingCentral in compliance with the terms of this DPA and Privacy Laws as applicable. -
PERMITTED PROCESSING OF RINGCENTRAL DATA.
a. You are authorized to process RingCentral Data solely in accordance with RingCentral’s documented instructions, including with regard to transfers of RingCentral Data to a third country and (i) for the purposes of providing the Services under the Agreement, in the interest and on behalf of RingCentral; or (ii) as directed by authorized personnel of RingCentral in writing in amendments to the Agreement or otherwise (collectively “Permitted Purposes”).
b. For the avoidance of doubt:
i. You acknowledge and agree that you will not publicly disseminate RingCentral Data or provide (or purport to provide) to any third party the right to process RingCentral Data in exchange for monetary or other valuable consideration (“Sale”).
ii. Any disclosure of RingCentral Data to a Subprocessor does not qualify as the Sale of RingCentral Data within the meaning of this DPA, provided that the disclosure fully complies with the terms set out in Section 5.
iii. You are prohibited from retaining, using, or disclosing RingCentral Data for any purpose other than for the specific purpose of performing the Services under the Agreement, including retaining, using, or disclosing RingCentral Data for a commercial purpose other than performing the Services under the Agreement.
c. You will comply with the terms of any applicable regional or country specific privacy terms as included in the DPA. -
COMPLIANCE.
a. You understand and agree that Privacy Laws and their application may change over time. Accordingly, you agree to make any reasonable change requested by RingCentral to this DPA, to the extent such change is reasonably related to bringing this DPA and the parties’ performance of the Agreement into full compliance with applicable law.
b. You must inform RingCentral if, in your opinion, RingCentral’s instructions would be in breach of Privacy Laws. -
SECURITY INCIDENTS.
a. Notice. In the event you discover any past or ongoing Security Incident or have reason to believe any Security Incident is likely to have occurred or is occurring, which involves RingCentral Personal Data, you shall promptly and without undue delay (and in any event, no later than 72 hours after you or any of your employees, representatives, or agents discovers the Security Incident) notify RingCentral at [email protected].
You shall cooperate with RingCentral in any communication efforts, including legally required notifications to law enforcement agencies, data protection authorities and/or impacted customers and individuals, resulting from or relating to the Security Incident. You agree that any decision to notify individuals or public authorities of the Security Incident shall be made between both parties, and any notice, public or otherwise, relating to such Security Incident shall be reviewed in advance by RingCentral.
b. Response. You shall use your commercially reasonable efforts to cooperate with RingCentral in responding to a Security Incident, including without limitation providing copies of all relevant log, IDS, and security event data to RingCentral, making your staff with information security experience available to work with RingCentral in understanding the details of any Security Incident, and allowing RingCentral forensic investigation personnel and/or RingCentral audit personnel to work directly with your staff in joint investigation activities, or to conduct audits of RingCentral Data security and control measures. You shall do and perform, or cause to do and perform, such further acts and things as RingCentral requests in responding to the Security Incident.
c. Costs. You agree to indemnify and hold RingCentral harmless for any and all claims, losses, costs, expenses, damages, or other liabilities (including reasonable legal fees) suffered or incurred by RingCentral as a result of the accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure of, or access to RingCentral Data as caused by you or your Subprocessors. -
SUBCONTRACTING AND THIRD PARTY TRANSFERS.
a. You will: (i) provide to RingCentral an up-to-date list of your then- current affiliates or third party contractors (“Subprocessors”) upon signature of this DPA and upon request thereafter; and (ii) provide at least twenty- eight (28) days’ prior notice of the addition or removal of any Subprocessors, including the categories of data processed, details of the subprocessing to be performed, the location of the subprocessing, and upon request, a copy of any data protection/privacy related provisions within your contract with such Subprocessors. If RingCentral refuses to consent to your appointment of a Subprocessor on reasonable grounds relating to the protection of RingCentral Data, then RingCentral may elect to suspend or terminate this Agreement without penalty.
b. You shall not subcontract any processing of the RingCentral Data to any Subprocessor without entering into a written agreement with the Subprocessor that imposes upon the Subprocessor legal obligations for the processing of RingCentral Data that are at least as protective of RingCentral Data as the legal obligations you have undertaken pursuant to this DPA.
c. You remain fully liable for any breach of this DPA that is caused by an act, error, or omission of your Subprocessors.
d. You will not disclose or transfer or allow access to RingCentral Data by any third party except (i) to a Subprocessor in a manner that complies with the terms of this Section 5; and (ii) as required by applicable law, provided that, you will promptly notify RingCentral of such a required disclosure (save where prohibited by law), make all reasonable attempts to delay disclosure to the degree necessary for RingCentral to meaningfully participate in your response (save where prohibited by law), and will cooperate with RingCentral to contest or minimize the scope of the disclosure. -
CROSS BORDER TRANSFERS.
You will inform RingCentral of the location of the processing activities you carry out on behalf of RingCentral and you will at all times comply with any requirements applicable to cross border transfer of personal data under Privacy Laws. -
DISCLOSURE OF DPA.
You acknowledge that RingCentral may disclose this DPA and any relevant privacy/data protection provisions in the Agreement to (i) the US Department of Commerce, the Federal Trade Commission, or any other data protection authority of competent jurisdiction upon their request, (ii) to RingCentral Customers, (iii) in connection with any legal suit to which the existence and terms of this DPA are relevant, and (iv) as required and in compliance with any applicable laws. Any such disclosure shall not be deemed a breach of any confidentiality provisions contained in this DPA or the Agreement. -
COOPERATION.
You will provide all assistance reasonably requested by RingCentral to enable RingCentral to respond to, comply with, or otherwise resolve any data protection requests, questions or complaints received from any individual, household, RingCentral customer, data protection authority, law enforcement or other regulatory body. In the event that any such communication is received directly by you, you will immediately inform RingCentral and will not respond to such communication unless required by law or expressly authorized by RingCentral. -
DATA RETENTION.
Upon termination or expiration of the Agreement, or at any time upon RingCentral’s request, you will promptly (and in no event more than thirty (30) days post termination, expiry or request) cease to process RingCentral Data and will promptly return or destroy the RingCentral Data (including all copies) in your possession or control (including any RingCentral Data held by Subprocessors) as instructed by RingCentral. Upon request, you will certify to RingCentral in writing that all RingCentral Data has been destroyed. This requirement shall not apply to the extent that you are required by applicable laws to retain some or all of the RingCentral Data, in which event you shall isolate and protect the RingCentral Data from any further processing except to the extent required by such law. -
DATA SECURITY.
You shall ensure that any person that you authorize to process the RingCentral Data shall be subject to a duty of confidentiality (either a contractual or a statutory duty). You shall implement appropriate technical and organizational measures to protect RingCentral Data from Security Incidents. At a minimum, such measures shall include the measures identified in Annex II. -
AUDITS.
Following a Security Incident, upon request from a data protection authority, or, upon RingCentral’s reasonable request not to exceed one such request in a 12-month period, you agree that RingCentral (or its appointed representatives) may, upon reasonable notice, during regular business hours and without unreasonably interrupting your business operations, carry out an on-site inspection and audit of your compliance with this DPA. You shall permit RingCentral (or RingCentral’s appointed third party auditors) to audit your compliance with this DPA, and shall make available to RingCentral all information, systems, staff and on-site facilities necessary for RingCentral (or RingCentral’s third party auditors) to conduct such audit. -
MISCELLANEOUS.
a. Conflict. In case of conflict between these Global Data Processing Terms and the terms of the EEA, UK and Switzerland Privacy Terms (Appendix 1), the US Privacy Terms (Appendix 2) or the India Privacy Terms (Appendix 3), the latter shall prevail as regards to their respective subject matter.
b. Consideration. The Parties have exchanged good and valuable consideration, the sufficiency of which is acknowledged by the parties, in connection with entering into this DPA. Notwithstanding the foregoing, nothing in this DPA shall be construed to alter any amounts owed by RingCentral to Vendor pursuant to the Agreement.
c. Survivability. For the avoidance of doubt, this DPA shall survive the termination of the Agreement to the extent and for as long as you or any Subprocessor have access to or possession of any RingCentral Data. -
DEFINITIONS.
a) “RingCentral Personal Data” or “RingCentral Data” shall mean any and all Personal Data processed by Vendor as part of the performance of the services, as specified under the Master Vendor Services Agreement. RingCentral Personal Data may include customer user data, employee data, communications content data, or service usage data.
b) “Personal Data” shall have the meaning given to the terms “personal data” and “personal information” under Privacy Laws.
c) “Process” means any operation or set of operations which is performed on RingCentral Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) “Privacy Laws” shall be defined as all data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement.
e) “Security Incident” means any destruction, loss, alteration, disclosure of, or access to RingCentral Data that is accidental, unlawful, or unauthorized.
ANNEX I – DESCRIPTION OF PROCESSING
This Annex I forms part of the Agreement and describes the processing that
Vendor will perform on behalf of RingCentral.
Scope, nature and purpose of the processing
The Personal Data will be processed to perform the Services as specified in
the Agreement.
Duration of the processing
The Personal Data will be processed for the term specified under the
Agreement.
Data subjects
The Personal Data to be processed concern the categories of data subjects
specified in the Agreement.
Categories of Personal Data
The Personal Data to be processed concern the categories of data specified in
the Agreement.
Special categories of Personal Data (if applicable)
Unless expressly specified in the Agreement, Vendor shall not process special
categories of personal data.
The frequency of the transfer (e.g. whether the data is transferred on a one-
off or continuous basis).
The frequency of the transfer is set out in the Agreement.
Nature of the processing
The nature of the processing activities is described in the Agreement.
The period for which the personal data will be retained, or, if that is not
possible, the criteria used to determine that period
The retention period applicable to the personal data is specified in the
Agreement.
For transfers to (sub-)processors, also specify subject matter, nature and
duration of the processing
The list of the subprocessors used by the Vendor is specified in the
Agreement.
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF
THE DATA
The Vendor shall maintain appropriate technical and organizational security
measures to safeguard the security of RingCentral Data. Such measures shall at
a minimum be as set out in the RingCentral Vendor Security Addendum.
This Annex II forms part of the Agreement and sets out the minimum technical
and organizational measures that Vendor will implement to protect RingCentral
Data.
Note: The information provided herein is deemed to constitute Annex II of
the EU Standard Contractual Clauses and Swiss Standard Contractual Clauses
/Appendix 2 of the UK International Data Transfer Addendum if and as
applicable.
APPENDIX 1 EEA, UK AND SWITZERLAND PRIVACY TERMS
These EEA, UK and Switzerland Privacy Terms (“European Terms”) apply to the
processing by the Vendor of RingCentral Data originating from the European
Economic Area (EEA), the United Kingdom (UK) and Switzerland, and are
supplemental to the Global Data Processing Terms. The Global Data Processing
Terms and these European Terms constitute the DPA as appended to the
Agreement, executed between the Parties, for the provision of the Services by
Vendor to RingCentral.
Capitalized terms used but not defined in these European Terms shall have the
same meanings as set out elsewhere in the DPA.
-
PERMITTED PROCESSING OF RINGCENTRAL DATA.
a. It is agreed that under the DPA and as relevant to the Services:
i. You will process RingCentral Data on behalf of RingCentral as a Processor in compliance with the terms of this DPA; or
ii. You will process RingCentral Data as an independent Controller in compliance with your obligations as Controller under Privacy Laws and the terms of this DPA as applicable.
b. When acting as processor, You are authorized to process RingCentral Data solely in accordance with RingCentral’s documented instructions, including with regard to transfers of RingCentral Data to a third country and (i) for the purposes of providing the Services under the Agreement, in the interest and on behalf of RingCentral; or (ii) as directed by authorized personnel of RingCentral in writing in amendments to the Agreement or otherwise (collectively “Permitted Purposes”). -
INTERNATIONAL TRANSFERS.
You will at all times provide an adequate level of protection for RingCentral Data, wherever processed, in accordance with the requirements of Privacy Laws. You will not process or transfer any RingCentral Data in or to a territory outside of the European Economic Area, United Kingdom or Switzerland (nor permit RingCentral Data to be so processed or transferred) unless you take such measures as are necessary to ensure the transfer is in compliance with Privacy Laws. In particular, if you process RingCentral Data in a country that has not been recognized by the relevant authorities as affording adequate protection to Personal Data, you agree to be bound by the Standard Contractual Clauses as follows:
a. In the event that you process Personal Data acting as a processor for RingCentral: 1.
if the Services involve the export of Personal Data from the European Economic Area (EEA), or Switzerland, to a country that has not been recognized by the relevant authorities as providing an adequate level of protection for personal data, Module 2 (when Vendor is acting as processor to RingCentral acting as controller) of the EU Standard Contractual Clauses will apply;
if the Services involve the export of Personal Data from the UK, to a country that has not been recognized by the relevant authorities as providing an adequate level of protection for Personal Data, the UK International Data Transfer Addendum to the relevant EU Standard Contractual Clauses Module 2.
b. In the event that you process Personal Data acting as a controller for RingCentral:
1. If the Services involve the export of Personal Data from the European Economic Area (EEA), or Switzerland, to a country that has not been recognized by the relevant authorities as providing an adequate level of protection for Personal Data, Module 1 of the EU Standard Contractual Clauses will apply;
2. if the Services involve the export of Personal Data from the United Kingdom, to a country that has not been recognized by the relevant authorities as providing an adequate level of protection for Personal Data, the UK International Data Transfer Addendum to Module 1 of the EU Standard Contractual Clauses will apply.
c. In respect of personal data originating from Switzerland, the EU Standard Contractual Clauses are deemed amended so that any references to the GDPR shall refer to the Federal Act on Data Protection (“FADP”), the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses, and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP.
The parties agree that the EU Standard Contractual Clauses (i) shall not include any clauses marked as optional; (ii) in Module 2, Clause 9, Option 2 shall apply (as detailed in Section 5 of the Global Data Processing Terms); (ii) shall be shall be governed by the laws of France (Clause 17 – Governing Law); (iv) shall be subject to the jurisdiction of the Courts of France (Clause 18 – Choice of forum and jurisdiction), and (v) shall be deemed to be completed with the information provided in the Annexes I and II to these European Terms. The UK International Data Transfer Addendum shall be interpreted as follows: (i) Table 1 shall be completed with the information provided in Annex I of these European Terms; (ii) Table 2 shall be completed as described in this Section 2; (iii) Table 3 shall be completed with Annexes I and II of these European Terms; and (iv) in Table 4, only the Exporter may terminate the UK International Data Transfer Addendum. The Standard Contractual Clauses form an integral part of these European Terms and by entering into the DPA the parties agree to be bound by the Standard Contractual Clauses as specified above in the event that the transfer of RingCentral Data to a non-adequate country is required as part of the Services performed by the Vendor under the Agreement.
Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between RingCentral and Vendor, RingCentral is the “data exporter” (Controller) and Vendor is the “data importer” (Processor or Controller) as appropriate.
If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail.
If and to the extent the parties sign standalone Standard Contractual Clauses to govern the transfer of RingCentral Data involved in the provision of Services under the Agreement, then these standalone Standard Contractual Clauses shall prevail over the terms of this Section 2. -
COOPERATION.
a. You will provide all assistance reasonably requested by RingCentral to enable RingCentral to respond to, comply with, or otherwise resolve any data protection requests, questions or complaints received from any individual, household, RingCentral customer, data protection authority, law enforcement or other regulatory body. In the event that any such communication is received directly by you, you will immediately inform RingCentral and will not respond to such communication unless required by law or expressly authorized by RingCentral.
b. You shall provide all such reasonable and timely assistance as RingCentral may require in order to conduct a data protection impact assessment.
c. You shall consult with any relevant data protection authority, where required under applicable Privacy Laws. Where allowable under applicable law, before engaging in such consultation, you shall undertake reasonable efforts to inform RingCentral in a manner that reasonably allows RingCentral the opportunity to dispute or narrow the scope of your consultation with any data protection authority. -
MISCELLANEOUS
Unless the above explicitly states otherwise, the terms and conditions of the Agreement, and of the DPA, shall apply to these EEA, UK and Switzerland Privacy Terms. In case of any conflict between the terms of the Agreement, the DPA, and the terms of these EEA, UK and Switzerland Privacy Terms, these EEA, UK and Switzerland Privacy Terms prevail with regard to the processing of RingCentral Data originating from the EEA, the UK and Switzerland. -
DEFINITIONS.
a) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined under applicable Privacy Laws.
b) “EU Standard Contractual Clauses” means the means the standard contractual clauses approved by the European Commission’s Implementing Decision (EU) 2021/914 available at https://eur- lex.europa.eu/eli/dec_impl/2021/914/oj.
c) “Privacy Laws” shall be defined as all data protection and privacy laws and regulations applicable to the Processing of Personal Data originating from the EEA, UK and Switzerland, including but not limited to, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR and the Swiss Federal Act on Data Protection.
d) “Processor” means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
e) “Standard Contractual Clauses” means the EU Standard Contractual Clauses, the Swiss Standard Contractual Clauses and the UK International Addendum as described in Section 2 of these European Terms, including Annexes I (description of the transfer), II (security measures) of the DPA.
f) “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information
Commissioner under S119A Data Protection Act 2018, which can be found at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the- general-data-protection-regulation-gdpr/international-data-transfer-agreement- and-guidance.
Annex I to the Standard Contractual Clauses
A. List of the Parties
Incorporated by reference herein the Signature Page of the Agreement. RingCentral, Inc. and its Affiliates are the data exporter and Vendor is the data importer.
B. Further descriptions of the data processing are provided below:
Scope, nature and purpose of the processing
The Personal Data will be processed to perform the Services as specified in the Agreement.
Duration of the processing
The Personal Data will be processed for the term specified under the Agreement.
Data subjects
The Personal Data to be processed concern the categories of data subjects specified in the Agreement.
Categories of Personal Data
The Personal Data to be processed concern the categories of data specified in the Agreement.
Special categories of Personal Data (if applicable)
Unless expressly specified in the Agreement, Vendor shall not process special categories of personal data.
The frequency of the transfer (e.g. whether the data is transferred on a one- off or continuous basis).
The frequency of the transfer is set out in the Agreement.
Nature of the processing
The nature of the processing activities is described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The retention period applicable to the personal data is specified in the Agreement.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing The list of subprocessors used by the Vendor is specified in the Agreement.
C. Competent Supervisory Authority
The competent supervisory authority for the Data Exporter is:
| EU Standard Contractual Clauses| Swiss Standard Contractual Clauses| UK IDTA
---|---|---|---
Competent supervisory authority| Competent authority for the data exporter:
TSA 80715 75334 PARIS CEDEX 07 France
Tel: +33 (0)1.53.73.22.22
Fax: +33 (0)1.53.73.22.00| For the purposes of Annex I.C under Clause 13: 1.
If the data transmission is exclusively subject to the FADP: Federal Data
Protection and Information Commissioner (FDPIC).
2. If the data transfer is subject to both the FADP and the GDPR: a) FDPIC,
insofar as the data transfer is governed by the FADP. b) CNIL insofar as the
data transfer is governed by the
GDPR.| The Information Commissioner for the
United Kingdom
Annex II to the Standard Contractual Clauses
The terms of “ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE
SECURITY OF THE DATA” of the DPA are deemed incorporated herein to constitute
Annex II of the EU Standard Contractual Clauses and Swiss Standard Contractual
Clauses /Appendix 2 of the UK International Data Transfer Addendum.
APPENDIX 2 UNITED STATES PRIVACY TERMS
These United States Privacy Terms (“US Privacy Terms”) apply to the processing
by the Vendor of RingCentral Data originating from the US , and are
supplemental to the Global Data Processing Terms. The Global Data Processing
Terms and these US Privacy Terms constitute the DPA as appended to the
Agreement, executed between the Parties, for the provision of the Services by
Vendor to RingCentral. Capitalized terms used but not defined in these US
Privacy Terms shall have the same meanings as set out elsewhere in the DPA.
-
Definitions
1.1. Customer Proprietary Network Information shall have the meaning set forth under 47 U.S.C. § 222 and regulations and guidance promulgated pursuant thereto (“CPNI”). CPNI includes information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier. CPNI does not include subscriber list information.
1.2. Personal Information shall mean and refer to any information relating to an identified or identifiable person or individual and also includes personal data, as defined by applicable US State Privacy Laws.
1.3. RingCentral Personal Information shall mean any Personal Information that the Vendor processes in the course of performing the Services under the Agreement.
1.4. Sell shall have the same meaning as set forth in California Privacy Law.
1.5. Service(s) shall mean the service(s) performed by the Vendor under the Agreement.
1.6. Share shall have the same meaning as set forth in California Privacy Law.
1.7. Service Provider shall mean and refer to a service provider or subcontractor, as defined by applicable US State Privacy Laws, that processes RingCentral Personal Information on RingCentral ’s behalf.
1.8. US State Privacy Laws shall mean and refer to all United States data protection and privacy laws which may be applicable to Vendor in the processing of RingCentral Personal Information as part of the performance of the Services, including but not limited to the California Consumer Privacy Act of 2018 and its implementing regulations, the California Privacy Rights Act of 2020 and its implementing regulations, the Virginia Personal Information Privacy Act of 2021 and its implementing regulations, the Colorado Privacy Act of 2021 and its implementing regulations, etc. -
Scope of US Privacy Terms
These US Privacy Terms apply to the Vendor acting as Service Provider processing RingCentral Personal Information under US State Privacy Laws, where such processing is described in Annex I of the DPA. -
Roles and Responsibilities
3.1 Vendor Obligations.
3.1.1 Purpose Limitation. Vendor shall process the RingCentral Personal Information for the purposes of the performance of the Services as described in the Agreement except where otherwise required or permitted by US State Privacy Laws.
3.1.2 CPNI. Unless otherwise agreed to in writing by RingCentral, you shall process CPNI for the sole purposes of providing Services to RingCentral pursuant to the Agreement and in accordance with RingCentral instructions. It is your duty to keep CPNI safe from improper disclosure and to train personnel on proper CPNI handling procedures. You must take reasonable measures to discover and protect against improper handling of CPNI. In particular, CPNI should be distributed within your organization only on a “need to know” basis. Only disclose CPNI to personnel if they have been trained on CPNI procedures and they have a legitimate business need to know the information disclosed. Except as otherwise expressly provided in your Agreement with RingCentral, you must obtain express approval from RingCentral before disclosing CPNI outside of your organization.
3.1.3 Obligations. Vendor will:
(a) Operate exclusively as a Service Provider and comply with the applicable US State Privacy Law obligations.
(b) Provide the same level of privacy protection as required by the applicable US State Privacy Law.
(c) Notify RingCentral if it can no longer meet its US State Privacy Law obligations.
(d) Not Sell or Share RingCentral Personal Information including, for the avoidance of doubt, not use RingCentral Personal Information for cross-context behavioral advertising.
(e) Not retain, use, or disclose RingCentral Personal Information for any other purpose other than as agreed upon in the Agreement, outside the direct business relationship between the Parties, or as permitted by applicable US State Privacy Law.
(f) Not combine RingCentral Personal Information it receives from, or on behalf of, RingCentral with Personal Information it receives from, or on behalf of, another person, or collects from its own interaction with the End User, subject to the exceptions under applicable US State Privacy Law.
(g) Cooperate with RingCentral, upon RingCentral’s reasonable notice, to determine reasonable and appropriate steps to stop and remediate unauthorized use of RingCentral Personal Information.
3.1.4 Cooperation. The Vendor will cooperate with RingCentral to make available all information in its possession to demonstrate compliance with US State Privacy Laws.
3.2 RingCentral rights. RingCentral may take reasonable and appropriate steps to ensure that Vendor uses RingCentral Data in a manner consistent with RingCentral’s obligations under US State Privacy Laws. -
Miscellaneous
Unless the above explicitly states otherwise, the terms and conditions of the Agreement, and of the DPA, shall apply to the US Privacy Terms. In case of any conflict between the terms of the Agreement, the DPA, and the terms of these US Privacy Terms, these US Privacy Terms prevail with regard to data processing activities subject to US State Privacy Laws.
APPENDIX 3 INDIA PRIVACY TERMS
These India Privacy Terms (“India Terms”) apply to the processing by the
Vendor of RingCentral Data originating from India and are supplemental to the
Global Data Processing Terms. The Global Data Processing Terms and these India
Terms constitute the DPA as appended to the Agreement, executed between the
Parties, for the provision of the Services to RingCentral involving the
processing of RingCentral Data originating from India and subject to India
Privacy Laws.
Capitalized terms used but not defined in these India Terms shall have the
same meanings as set out elsewhere in the DPA.
-
PERMITTED PROCESSING OF RINGCENTRAL DATA.
a. It is agreed that under this DPA and as relevant to the Services, You will process RingCentral Data on behalf of RingCentral as a Data Processor in compliance with the terms of this DPA.
b. You acknowledge and agree that by virtue of Your being in possession of the RingCentral Data for performance of its obligations under the Agreement, your obligations under Privacy Laws shall be no less than that of a Data Fiduciary. You are authorized to process RingCentral Data solely in accordance with RingCentral’s documented instructions, including with regard to transfers of RingCentral Data to a third country and (i) for the purposes of providing the Services under the Agreement, in the interest and on behalf of RingCentral; or (ii) as directed by authorized personnel of RingCentral in writing in amendments to the Agreement or otherwise (collectively “Permitted Purposes”). Any violation thereof of RingCentral instructions by You shall, in addition
to other remedies available to RingCentral under law and equity, entitle RingCentral for indemnification under the Agreement. Notwithstanding anything contained anywhere in this Agreement, the indemnification obligations for the purposes of this DPA shall not be limited by any limitation of liability except for any indirect or consequential damages.
c. You shall not process any RingCentral Data without Data Principal’s consent and shall use such RingCentral Data to the limited extent for which the Data Principal has given his / her consent.
Where there is a conflict for which Data Principal consented to and Your obligations under this DPA and the Agreement, You shall immediately notify RingCentral and You shall in any event always act based on the approach that is most conservative.
d. For the avoidance of doubt, You acknowledge and agree that except as strictly permitted under this DPA, You are prohibited from copying, retaining, using, manipulating, merging, combining, disseminating or disclosing RingCentral Data, in any manner including electronic, digital or manual, for any purpose other than the Permitted Purposes, including attempting to do so or assisting any person or party in doing so or attempting to do so, whether electronically, digitally or manually.
e. Upon notice from RingCentral, You shall immediately stop processing any data of the Data Principal.
f. You shall ensure completeness, accuracy and consistency of RingCentral Data collected and processed by You.
g. You shall not represent yourself to the Data Principal with whom you come in contact with for purposes of its performance under the Agreement in any capacity other than as outlined under the Agreement and this DPA. -
COMPLIANCE.
a. You undertake to perform the Services and Your obligations under the Agreement in compliance with Privacy Laws and to provide RingCentral with all assistance for RingCentral to comply with Privacy Laws.
b. You understand and agree that Privacy Laws and their application may change over time. Accordingly, You agree to make any reasonable change requested by RingCentral to this DPA, to the extent such change is reasonably related to bringing this DPA and the parties’ performance of the Agreement into full compliance with applicable law.
c. You must inform RingCentral if, in Your opinion, RingCentral’s instructions would be in breach of Privacy Laws. -
SECURITY INCIDENTS.
a. Notice. In the event You discover any past or ongoing Security Incident or have reason to believe any Security Incident is likely to have occurred or is occurring, which involves RingCentral Personal Data, You shall immediately notify RingCentral at [email protected] of such Security Incident in such form and manner as may be prescribed under Privacy Laws. Such notice shall be earlier of the notice prescribed under the Digital Personal Data Protection Act, 2023 or the Indian Computer Emergency Response Team Directions dated April 28, 2022 (‘CERT-In 2022’) and shall be such that allows RingCentral sufficient time to comply with the requirements applicable to RingCentral as a Data Fiduciary and / or being the telecommunications licensee under the Indian Telegraph Act, 1885.
b. Cooperation. You shall cooperate with RingCentral in any communication efforts, including legally required notifications to law enforcement agencies, data protection authorities and/or impacted customers and individuals, resulting from or relating to the Security Incident. You agree that any decision to notify individuals or public authorities of the Security Incident shall be made between both parties, and any notice, public or otherwise, relating to such Security Incident shall be reviewed in advance by RingCentral.
c. Response. You shall use Your commercially reasonable efforts to cooperate with RingCentral in responding to a Security Incident, including without limitation providing copies of all relevant log, IDS, and security event data to RingCentral, making Your staff with information security experience available to work with RingCentral in understanding the details of any Security Incident, and allowing RingCentral forensic investigation personnel and/or RingCentral audit personnel to work directly with Your staff in joint investigation activities, or to conduct audits of RingCentral Data security and control measures. You shall do and perform, or cause to do and perform, such further acts and things as RingCentral requests in responding to the Security Incident.
d. Costs. You agree to indemnify and hold RingCentral harmless for any and all claims, losses, costs, expenses, damages, or other liabilities (including reasonable legal fees) suffered or incurred by RingCentral as a result of the accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure of, or access to RingCentral Data as caused by You or Your Subprocessors. -
CROSS-BORDER TRANSFERS.
You will at all times provide an adequate level of protection for RingCentral Data, wherever processed, inaccordance with the requirements of Privacy Laws. You shall comply with any restrictions or requirements applicable to any cross-border transfer of RingCentral as prescribed by Privacy Laws. -
MISCELLANEOUS.
Unless the above explicitly states otherwise, the terms and conditions of the Agreement, and of the DPA, shall apply to these India Privacy Terms. In case of any conflict between the terms of the Agreement, the DPA, and the terms of these India Privacy Terms, these India Privacy Terms prevail with regard to the processing of RingCentral Data originating from India. -
DEFINITIONS.
a) “Data Fiduciary” shall have the meaning given to the term “Data Fiduciary” under India Privacy Laws.
b) “Data Principal” shall have the meaning given to the term “Data Principal” under India Privacy Laws .
c) “Data Processor” or “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Fiduciary, as defined under applicable India Privacy Laws.
d) “India Privacy Laws” shall be defined as all applicable data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to, the Digital Personal Data Protection Act, 2023 (DPDP Act).