Directly Terms & Policies
Exhibit to the MSA: Data Protection Addendum (“DPA")
This Data Protection Addendum (“DPA” or "Addendum") is incorporated into the Master Subscription Agreement or “MSA” (collectively, the “Agreement”) between the parties identified in the applicable Directly Order Form for the provision of the Directly Platform and related services (collectively, the “Services”). If there is any conflict between this DPA and the Agreement regarding the parties’ respective privacy and security obligations, the provisions of this DPA shall control.
1. Definitions and Scope
1.1. Terms such as “Processing”, “Personal Data”, “Data Controller” and “Processor” shall have the meaning ascribed to them in the EU Data Protection Law.
1.2. "Applicable Data Protection Law" shall mean all data protection and privacy laws and regulations applicable to personally identifiable data under this Agreement, including data protection law in the European Economic Area (for example, EU Regulation 2016/679, i.e., GDPR).
1.3 “Customer Account Data” shall mean personal data of individuals residing in the European Economic Area (“EEA”) that relates to a Customer’s access to the Services by authorized Customer personnel, such as the names and/or contact information of individuals authorized by Customer to access the Services and billing information of individuals that Customer has associated with its Directly accounts.
1.4 “Customer Data” shall mean all training and other data provided by Customer relating to individuals residing in the EEA, as specified in an Order Form for the purposes of providing the Services under the Agreement, including training AI systems, updating Customer’s knowledge database, answering customer service questions.
1.5 “Privacy Shield Framework” shall mean the EU-US and/or Swiss-US Privacy Shield self-certification program operated by the US Department of Commerce.
1.6 “Privacy Shield Principles” shall mean the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles).
1.7. Scope. Insofar as the Data Processor will be processing Personal Data subject to Applicable Data Protection Law on behalf of the Data Controller in the course of the performance of the Agreement with the Data Controller the terms of this Data Protection Agreement shall apply. An overview of the categories of Personal Data, the types of Data Subjects, and purposes for which the Personal Data are being processed is provided in Annex 1.
1.8. Relationship of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Data, Customer is a controller or processor, as applicable, and Directly is a processor. With regard to the processing of Customer Account Data, Customer is a controller or processor, as applicable, and Directly is an independent controller, not a joint controller with Customer. Each party shall comply with its obligations under Applicable Data Protection Law, and this Addendum, when processing Personal Data.
2. Details of the processing.
2.1 Subject Matter: Directly’s provision of the Services to Customer.
2.2 Purpose of the Processing: The purpose of the data processing under this Addendum is the provision of the Directly Services as specified by Customer in the applicable Order Form(s).
2.3 Categories of Data: Data relating to Customer end user service questions and answers provided by Customer to Directly via the Platform and Services.
2.4 Categories of Data Subjects: Data subjects may include Customer’s customers, employees, suppliers and end users about whom data is provided to Directly via the Platform and Services by (or at the direction of) Customer.
2.5 Duration of the Processing: The Data Processor shall process Personal Data until the date of termination of the agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.
3. Customer Instructions. Customer appoints Directly as a processor to process Customer Data on behalf of, and in accordance with, Customer’s instructions as set out in the Agreement and this Addendum, as otherwise necessary to provide the Services, or as otherwise agreed in writing. Customer shall ensure that its instructions comply with all laws, regulations and rules applicable to the Customer Data, and that Directly’s processing of the Customer Data in accordance with Customer’s instructions will not cause Directly to violate any applicable law, regulation or rule, including Applicable Data Protection Law. Directly agrees not to access or use Customer Data, except as necessary to maintain or provide the Services, or as necessary to comply with the law or other binding governmental order.
4. Responding to Third Party Requests. In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory or third party is made directly to Directly in connection with Directly’s processing of Customer Data, Directly shall promptly inform Customer providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Directly shall not respond to any such request, inquiry or complaint without Customer’s prior consent except to confirm that the request relates to the customer or end user to which Customer hereby agrees.
5. Confidentiality Obligations of Directly Personnel. Directly will ensure that any person it authorizes to process the Customer Data shall protect the Customer Data in accordance with Directly's confidentiality obligations under the Agreement.
6. Subcontracting. Customer consents to Directly engaging third party sub-processors to process Customer Data under this DPA provided that:
6.1 A current list of sub-processors, including the identity of each of those sub-processors and its country location, has been provided to Customer or is available at: https://www.directly.com/legal/subprocessors (“Sub-processor List”). Directly will either send Customer an email informing Customer of any new sub-processors or Directly will enable Customer to receive notifications of new sub-processors by e-mailing email@example.com with the subject “Subscribe”. If Customer objects to a new sub-processor (which objection must be reasonable, based on specific written details, and made, if at all, within 30 days after Directly has first included the proposed new sub-processor), the parties will work in good faith to resolve the objection in accordance with subsection 6.2 below.
6.2 Customer may object to Directly's appointment or replacement of a sub-processor within ten (10) days of Directly informing Customer of such appointment or replacement (as described in Section 6.1), provided such objection is in writing and based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercial reasonably alternative solutions in good faith. If the parties do not reach resolution within ten (10) days of Customer’s objection, and Directly does not remove the new or replacement sub-processor, Customer may suspend or terminate the Agreement. Directly imposes data protection terms on any sub-processor it appoints that require it to protect the Customer Data to the standard required by Applicable Data Protection Law. Directly remains liable for any breach of this Addendum that is caused by an act, error or omission of its sub- processor.
7. Data Subject Right Requests. Directly can provide company customers with API self-service features, where each participating customer can submit requests to delete user data. To assist in the implementation of these automated features, please refer to our API documentation here:
- If you look down the left column toward the bottom, you'll see the option to POST
- The messaging api uses oauth2 authentication, so it is actually a two step call -- one to get a Bearer token and two to make the call above.
In addition, Directly will provide reasonable additional and timely assistance (at Customer’s expense) to the extent the self-service features of the Services do not sufficiently enable Customer to comply with its obligations with respect to data subject rights under Applicable Data Protection Law. For example, if Customer needs to submit such a request while Customer implements that API, Customer can send any delete requests to Directly at firstname.lastname@example.org, Directly will log a request through our JIRA system for the Directly engineering team to execute the deletion request.
8. Return or Deletion of Customer Data. Following termination or expiration of the Agreement, Directly will provide a reasonable opportunity for Customer to obtain a copy of its Customer Data and delete the same. This requirement shall not apply to the extent that Directly is required by law to retain some or all of the Customer Data, or to Customer Data it has archived on backup systems, which Directly shall securely isolate and protect from any further processing except to the extent required by law.
9. Directly Audit Program. The parties acknowledge that Customer must be able to assess Directly’s compliance with its obligations under Applicable Data Protection Law, insofar as Directly is acting as a processor on behalf of Customer. For the purpose of verifying Directly’s compliance with Applicable Data Protection Law and the Agreement and upon reasonable notice of no less than thirty (30) days, Directly agrees to permit Customer, at Customer’s cost and no more than once annually, to conduct audits through a Directly approved third party auditor. However, Directly agrees to allow audits to be conducted directly by Customer where, under Applicable Data Protection Law, (a) Customer has the right to conduct audits directly; and (b) such right cannot be contractually waived by Customer. Directly agrees to cooperate in good faith with the audit and promptly (i) provide access to books, records (including, but not limited to, security scan records), and other information necessary for the audit, and (ii) at Customer’s request enable access to Directly’s premises if absolutely necessary to properly conduct the audit or required under Applicable Data Protection Law. Customer agrees to (x) schedule audits to minimize disruption to Directly’s business, (y) require any third party it employs to sign a non-disclosure agreement, and (z) make the results of the audit available to Directly. Customer will only disclose the results of the audit to third parties if such disclosure is (A) required to demonstrate Customer’s own compliance, or (B) otherwise required under applicable laws.
10. Violations of Applicable Data Protection Law. Directly will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law.
11. Cooperation and Data Subject Rights Regarding Customer Account Data. In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Account Data; (collectively, "Correspondence") then, where such Correspondence relates (or also relates) to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Data Protection Law.
12. Transparency. The parties acknowledge that Directly does not have a direct relationship with Customer’s end users whose personal data Directly may process in connection with Customer’s use of the Services. Customer shall be responsible for ensuring its end users are provided adequate notice of Directly’s processing activities. Directly will provide Customer with sufficient information regarding its processing activities to allow Customer to provide such notice.
13.1. Security Measures. Directly has implemented and will maintain appropriate technical and organizational measures to protect Customer Account Data and Customer Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the such data (a "Security Incident"). The measures Directly takes to protect Customer Data from a Security Incident include those described at https://www.Directly.com/legal/security.
13.2 Configuration of Directly technology: Customer is responsible for properly configuring and implementing the Services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by Customer’s use of the Services.
13.3 Security Incident Notification - Customer Data: Directly shall, to the extent permitted by law, promptly notify Customer of any Security Incident of which Directly becomes aware. To the extent such Security Incident is caused by a violation of the requirements of this Addendum by Directly, Directly shall make reasonable efforts to identify and remediate the cause of such Security Incident. Directly shall provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a supervisory authority or any data subjects of the Security Incident.
13.4 Security Incident Notification - Customer Account Data: If Directly becomes aware of a confirmed Security Incident involving Customer Account Data containing the personal data of data subjects with whom Directly does not have a direct relationship, for example Customer’s end users, and Directly determines that the incident must be reported to a regulatory authority, Directly will notify the Customer of the incident and of its obligation and intent to notify the regulatory authority. If the impacted data subjects are required to be notified of the Security Incident, Customer will provide reasonable assistance to Directly to effectuate appropriate notice to the impacted data subjects.
14. International Transfers of Data
14.1 General. Customer acknowledges that, as of the Effective Date of this Addendum, Directly’s primary processing facilities are in the United States. To the extent that Customer’s use of the Services requires transfer of personal data out of the European Economic Area ("EEA"), Directly will take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures include (without limitation) transferring the Customer Account Data or Customer Data to a recipient that has executed a DPA with Standard Contractual Clauses adopted or approved by the European Commission or pursuant to Directly’s EU-US and Swiss-US Privacy Shield Framework self-certifications. The Standard Contractual Clauses as set forth in Annex 3 to this Addendum.
14.2 Privacy Shield: The Privacy Shield Framework will be the lawful transfer mechanism of Customer Account Data and Customer Data from the EEA or Switzerland to Directly in the United States, only to the extent such transfer is not covered by the SCCs annexed to this Addendum. Directly represents that it is self-certified to the Privacy Shield Framework and agrees, with respect to Customer Account Data and Customer Data that it shall comply with the Privacy Shield Principles when handling any such data.
14.3 Standard Contractual Clauses: The parties further agree that the Standard Contractual Clauses in Annex 3 to this Addendum will apply to personal data within Customer Data that is transferred from the European Economic Area and/or Switzerland to outside the European Economic area and Switzerland, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive) and (ii) not covered by the Privacy Shield certification pursuant to Section 14.2 (Privacy Shield) of this Addendum.
15. Entire Agreement; Conflict. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Directly and Customer. If there is any conflict between this Addendum and any agreement, including the Agreement, the terms of this Addendum shall control.
ANNEX 1 - DETAILS OF THE PROCESSING
Description of Data Exporter - This Annex 1 forms part of the SCCs and must be completed and signed by the parties.
Data exporter - The “data exporter” is identified in the Order Form to which this Agreement is incorporated. Data Exporter provides (please briefly specify your activities relevant to the transfer):
The data exporter is (i) the legal entity that has executed the Agreement and/or these Standard Contractual Clauses as a data exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA) and Switzerland that have purchased SCC Services on the basis of one or more Order Form(s).
Data importer - The data importer is (please specify briefly activities relevant to the transfer):
Directly, Inc. Data importer’s services are the provision of a marketplace technology platform for customer support (“SCC Services”) which after configuration by the data exporter processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.
Data subjects - The personal data transferred concern the following categories of data subjects (please specify):
- The Data Subjects are customer users of Data Exporter Customer authorized by it to use the SCC Services.
- Employees, agents, advisors, freelancers of Data Exporter (who are natural persons)
Categories of data - The personal data transferred concern the following categories of data (please specify)
Data exporter may submit Personal Data to the SCC Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, subject to the data exporter configuration of Directly’s technology, the following categories of Personal Data:
- Customer User first and last name
- Customer User email address/and/or mobile number
- Customer User request information (e.g., text of request thread)
- Customer User ID data (ID number – internal/external)
- Customer User log data (e.g., IP address, browser type, mobile network information).
- Data about question type (question category and language type)
- Customer Employee contact information (company, email, phone, physical business address)
Special categories of data (if appropriate) - The Personal Data transferred concern the following special categories of data (please specify):
None as of the Effective Date.
Processing operations - The Personal Data transferred will be subject to the following basic processing activities (please specify):
The objective of Processing of Personal Data by data importer is the performance of the SCC Services pursuant to the Agreement. Specific processing operations are described in Section 2 of the Addendum to which these Clauses are attached. ANNEX 2 - TO MSA & THE STANDARD CONTRACTUAL CLAUSES
ANNEX 2 - TO MSA & THE STANDARD CONTRACTUAL CLAUSES
This Annex forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(c) and 5(c) (or document/legislation attached):
See Section 13 of the Addendum to which these Clauses are attached.
ANNEX 3 (To the Directly MSA); Model Clauses; Standard Contractual Clauses
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of Personal Data to processors established in third countries that do not ensure an adequate level of data protection.
Name and information of the data exporting organisation can be found in the applicable Order Form incorporated into the Agreement to which these Clauses are attached.
(the data exporter)
Name of the data importing organization:
Address: 333 Bryant Street, San Francisco, CA 94107
Other information needed to identify the organization: ………………………………………………………………..
(the data exporter)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the Personal Data specified in Annex 1.
Clause 1 Definitions For the purposes of the Clauses:
- ‘Personal Data,’ ‘special categories of data,’ ‘process/processing,’ ‘controller,’ ‘processor,’ ‘data subject,’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data;
- ‘the data exporter’ means the controller who transfers the Personal Data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter Personal Data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer Personal Data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of Personal Data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organizational security measures’ means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 Details of the transfer The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Appendix 1, which forms an integral part of the Clauses.
Clause 3 Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 Obligations of the data exporter The data exporter agrees and warrants that:
- the processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- it has instructed and throughout the duration of the Personal Data processing services will instruct the data importer to process the Personal Data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
- after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- it will ensure compliance with the security measures;
- if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- it will forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- it will make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the Personal Data and the rights of data subject as the data importer under the Clauses; and
- it will ensure compliance with Clause 4(a) to (i).
Clause 5 Obligations of the data exporter The data exporter agrees and warrants that:
- It will process the Personal Data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- It has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- It has implemented the technical and organizational security measures specified in Appendix 2 before processing the Personal Data transferred;
- It will promptly notify the data exporter about:
- any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- any accidental or unauthorized access, and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
- It will deal promptly and properly with all inquiries from the data exporter relating to its processing of the Personal Data subject to the transfer and abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- At the request of the data exporter, it will submit its data processing facilities for audit of the processing activities covered by the Clauses, which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- It will make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- In the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
- The processing services by the subprocessor will be carried out in accordance with Clause 11;
- It will send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6 Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor, is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7 Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case, the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9 Governing Law The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely the United States.
Clause 10 Variation of the contract The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
Clause 11 Subprocessing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor, which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement, the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer, because they have factually disappeared or have ceased to exist in law or have become insolvent, and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely the United States.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12 Obligation after the termination of Personal Data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the Personal Data transferred and the copies thereof to the data exporter, or shall destroy all the Personal Data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
5.1. General. You represent and warrant that, unless otherwise agreed in writing by Directly or the Customer for which you provide Expert Content, you are not an employee or agent of Directly or such Customer. You expressly disclaim any employment relationship with Directly and such Customer. You agree to act as an independent contractor. Nothing about your participation with Directly, its Customers or other Experts is intended to, or should be construed to, create a partnership, agency, joint venture or employment relationship.
5.2. Control When Completing Tasks. In the event you elect to respond to requests to provide Expert Content, in no event shall Directly or our Customers have control over your work or methods of contribution or provision. You will: set your hours of work and amount of time worked; determine your own patterns and methods of work; use your own devices, supplies, tools and equipment, including internet access; perform work for any third parties of your choosing; and perform all work independently. You will not: use any property or equipment of Directly or Customers; perform any services on any premises of Customers; be required to provide any reports, written or oral, to Customers; or be integrated into the business operations or dealings of Directly’s Customers. Customers will not: pay for your expenses; provide instructions or direction to you on the location, time, methods or means of performance of services; or supervise you in any form, fashion or manner.
6.1. Rewards. As a qualified Expert, you will be able to earn rewards for performing tasks, including but not limited to, providing Expert Content. Directly and/or the applicable Customer shall have complete discretion to determine the completeness of all tasks and Expert Content for the purpose of reward eligibility and amount. Please consult the Expert Hub area for guidance on rewards and other details.
6.3. Taxes. If you provide Expert Content, you are solely responsible for, and will file, on a timely basis, all tax returns and payments required to be filed with, or made to, any federal, state or local tax authority with respect to receipt of rewards in connection with completing tasks and receiving payments therefor. Directly, the payment processor or the applicable Customer will report (and may withhold withholding taxes with respect to (to the extent required by law)) payments to you to the Internal Revenue Service (or other taxing authorities) as required by law.
7. Confidential Information
7.2. Confidential Information Duties.
7.2.1. You will keep all Confidential Information in strictest confidence and will not collect, use, store, disclose or otherwise process any Confidential Information, except as instructed to do so in writing by Directly, or to provide Expert Content, and in accordance with Directly instructions and applicable law.
7.2.2. You will not disclose, process or otherwise use any Confidential Information in a manner that violates any applicable law and you agree to notify Directly in writing immediately if you believe that any instruction given by Directly would violate any applicable law.
7.2.3. You agree to notify Directly in writing immediately if you learn of any collection, use, storage, disclosure or other processing of any Confidential Information in a manner not permitted by this Section or these Terms.
7.2.4. You agree to notify Directly in writing immediately if you learn of any collection, use, storage, disclosure or other processing of any Confidential Information in a manner not permitted by this Section or these Terms.
7.2.5. You will not engage any other individual or entity to assist in providing Expert Content unless you are instructed to do so in writing by Directly.
7.2.6. You agree to make available to the Directly all information necessary to demonstrate compliance with the obligations set forth in this Section and applicable law regarding the Confidential Information and to allow Directly to conduct audits, including inspections, of your compliance with the obligations set forth in this Section.
7.2.7. Upon the termination, cancellation or expiration of your Directly Account for any reason, or upon Directly’s request at any time, you will destroy all Confidential Information together with any copies that may be authorized herein.
7.2.8. Nothing herein is intended to or shall grant to you any license or other right of any nature to the use of any Confidential Information except as permitted in this Section. Nothing in these Terms shall be deemed to restrict you from providing the same or similar services in connection with third-party platforms, regardless of whether any such third party directly or indirectly competes with Directly, except that you shall not use, in the provision of such services, any Confidential Information or other non-public information pertaining to Directly’s business that is either designated and/or marked as confidential when disclosed to you, or which you knew or reasonably should have known, under the circumstances, was considered confidential or proprietary by Directly even if not designated or marked as such.
The Services are provided “as-is,” and as available. We expressly disclaim any and all representations, warranties and conditions of any kind, whether express or implied, including those of merchantability, fitness for a particular purpose, title, quiet enjoyment, accuracy or non-infringement. We make no warranty that the Services or any content therein: (a) will meet your requirements; (b) will be available on an uninterrupted, timely, secure or error-free basis; or (c) will be accurate, reliable, complete, legal or safe. Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you.
9. Limitation of Liability
In no event shall we (and our Customers, Customer users or Third-Party Providers (collectively, “Partners”) be liable to you or any third party for any lost profit or any indirect, consequential, exemplary, incidental, special or punitive damages arising from these Terms or your use of, or inability to use, the Services, even if we have been advised of the possibility of such damages. Access to, and use of, the Services are at your own discretion and risk.
Notwithstanding anything to the contrary contained herein, our (and our Partners’) liability to you for any damages arising from or related to the Services (for any cause whatsoever and regardless of the form of the action), will at all times be limited to the greater of: (a) Fifty U.S. Dollars (US $50) or (b) amounts we have paid you in the prior 12 months (if any).
Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you and you may also have other legal rights that vary from jurisdiction to jurisdiction.
10.1 By You. You agree to indemnify and hold us, our parents, subsidiaries, affiliates, any related companies, our Partners, suppliers, licensors, and the officers, directors, employees, agents and representatives of each of them harmless, including costs and attorneys’ fees, from any claim or demand made by any third party due to or arising out of: (i) your use of the Services, (ii) your Expert Content, or (iii) your violation of these Terms. We reserve the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate with our defense of these claims. You agree not to settle any matter without our prior written consent. We will use reasonable efforts to notify you of any such claim, action, or proceeding upon becoming aware of it.
10.2 By Us. We will (1) defend, or at our option settle, any suit filed by a third party against you (a “Suit”) to the extent such Suit claims that your use of the Services, as permitted in these Terms, constitutes infringement or misappropriation by you of such third party’s intellectual property rights; and (2) pay (i) any final judgment or award directly resulting from such Suit or (ii) those damages agreed to by us in a monetary settlement of such Suit. If any portion of the Services becomes, or in our opinion is likely to become, the subject of a claim of infringement, we may, at our option: (a) procure for you the right to continue using the Services; (b) replace the Services with non-infringing software or Services, which do not materially impair the functionality of the Services; (c) modify the Services so that it becomes non-infringing; or (d) terminate these Terms and refund any fees actually paid by you to us for the remainder of the term then in effect, and upon such termination, you will immediately cease all use of the Services. Notwithstanding the foregoing, we shall have no obligation under this section or otherwise with respect to any infringement claim that would not have arisen but for (x) any use of the Services not in accordance with these Terms; (y) any use of the Services in combination with other products, equipment, software, or data not supplied by us; or (z) any modification of the Services by any person other than us or our authorized agents. This subsection states your sole and exclusive remedy and the entire liability of Directly, or any of our officers, directors, employees, shareholders, contractors or representatives, for infringement claims and activity.
You hereby release Directly, our officers, employees, agents and successors from claims, demands any and all losses, damages, rights, claims, and activity of any kind including personal injuries, death and property damage, that is either directly or indirectly related to or arises from any interaction with, Expert Content from, or conduct of, Experts, Customers, users or Third-Party Providers. You hereby waive California Civil Code section 1542 in connection with the foregoing, which states: “A general release does not extend to claims that the creditor or releasing party does not know or suspect to exist in his or her favor at the time of executing the release and that, if known by him or her, would have materially affected his or her settlement with the debtor or released party.”
12. Term and Termination
We may (a) suspend or limit your rights to use or access the Services (including your Directly Account), or (b) terminate these Terms, at any time for any reason at our sole discretion, including (i) for any use of the Services in violation of these Terms; or (ii) if while providing Expert Content, you do not meet, or cease to meet, the guidelines set forth in your supplemental agreement with a Customer. Upon termination of these Terms, your Directly Account and right to access and use the Services will terminate immediately. You understand that any termination of your Directly Account may involve deletion of your content associated therewith. We will not have any liability whatsoever to you for any termination of these Terms, including for termination of your Directly Account or deletion of your content. Even after these Terms are terminated, the following provisions of these Terms will remain in effect: Sections 1.3, 2.2 - 2.6, 3 - 5, 6.3, and 7 -15.
13. Copyright Policy
We respect the intellectual property of others and require that Partners who access and use our Services do the same. In connection with our Services, we have adopted and implemented a policy respecting copyright law that provides for the removal of any infringing materials and for the termination, in appropriate circumstances, of Experts who violate our terms or infringe on intellectual property rights, including copyrights. If you believe that one of our Experts is, through the use of our Services, unlawfully infringing the copyright(s) in a work and wish to have the allegedly infringing material removed, the following information in the form of a written notification (pursuant to 17 U.S.C. 512(c)) must be provided to us:
- Your physical or electronic signature;
- Identification of the copyrighted work(s) that you claim to have been infringed;
- Identification of the material on our Services that you claim is infringing and that you request us to remove;
- Sufficient information to permit us to locate such material;
- Your address, telephone number and e-mail address;
- A statement that you have a good faith belief that use of the objectionable material is not authorized by the copyright owner, its agent or under the law; and
- A statement that the information in the notification is accurate, and under penalty of perjury, that you are either the owner of the copyright that has allegedly been infringed or that you are authorized to act on behalf of the copyright owner.
Please note that, pursuant to 17 U.S.C. 512(f), any misrepresentation of material fact (falsities) in a written notification automatically subjects the complaining party to liability for any damages, costs and attorney’s fees incurred by us in connection with the written notification and allegation of copyright infringement.
Our designated copyright agent to receive such claims can be reached as follows:
c/o Directly, Inc.
333 Bryant Street #250
San Francisco, CA, 94107
By email: email@example.com
14. Agreement to Arbitrate: Arbitration Terms
14.1. Effect of Agreement to Arbitration Terms.
- By agreeing to the Terms, and unless you opt-out as provided immediately below, you agree that you are required to resolve any claim that you may have against Directly on an individual basis in arbitration, as set forth in this Section 14, “Agreement to Arbitrate: Arbitration Terms” (hereinafter “Arbitration Terms”). By agreeing to the Arbitration Terms both you and Directly waive the right to resolve any such disputes through a trial by jury or judge or through an administrative proceeding.
- Your agreement to the Arbitration Terms will preclude you from bringing any class, collective or representative action against Directly, and also preclude you from participating in or recovering relief under any current or future class, collective, consolidated or representative action brought against Directly by someone else.
14.2. Right to Opt Out of Arbitration Terms. You may opt out of these Arbitration Terms and your agreement to arbitrate. If you do so, neither you nor Directly can require the other to participate in an arbitration proceeding. You may opt out by emailing us at firstname.lastname@example.org or sending us written notification at Directly, Inc., Attention: Legal, 333 Bryant Street, Suite 250, San Francisco, CA 94107. You must notify us by emailing or posting within thirty (30) days of the date that you first became subject to this arbitration provision, and your notification must include your name and residence address, the email address you use for your account (if you have one) and a clear statement that you want to opt out of these Arbitration Terms. Your decision to opt out of these Arbitration Terms will have no adverse effect on your relationship with us. Unless you choose to opt out, this dispute resolution provision in Section 14 shall survive termination of the Terms.
14.3. Waiver of Jury Trial and Class Actions. You acknowledge and agree that you and Directly are each waiving the right to a trial by jury or to participate as a plaintiff or class member in any purported class action or representative proceeding. Unless both you and Directly otherwise agree in writing, any arbitration will be conducted only on an individual basis and not in a class, collective, consolidated or representative proceeding. This means the dispute will not be consolidated with any other matters or joined with any other cases or parties. However, you and Directly each retain the right to bring an individual action in small claims court and the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents or other intellectual property rights.
14.4. Notices. Before either party may seek arbitration, the party must first send to the other party a written Notice of Dispute (“Notice”) describing the nature and basis of the claim or dispute and the requested relief. A Notice to Directly should be sent to: ATTN: Legal, Directly, Inc., 333 Bryant Street, Suite 250, San Francisco, CA 94107. Any Notice to the applicable Customer should be sent to that Customer’s principal offices. After the Notice is received, you and Directly (or the applicable Customer) may attempt to resolve the claim or dispute informally. If you and Directly (or the applicable Customer) do not resolve the claim or dispute within thirty (30) days after the Notice is received, either party may begin an arbitration proceeding. The amount of any settlement offer made by any party may not be disclosed to the arbitrator until after the arbitrator has determined the amount of the award, if any, to which either party is entitled.
14.5. Arbitration Terms. To ensure the timely and economical resolution of disputes that may arise between you and Directly, both you and Directly mutually agree that pursuant to the Federal Arbitration Act, 9 U.S.C. §1-16, and to the fullest extent permitted by applicable law, you will submit solely to final, binding and confidential arbitration any and all disputes, claims or causes of action arising from or relating to: (i) the negotiation, execution, interpretation, performance, breach or enforcement of the Terms; or (ii) your work with Directly and your Directly Account (including but not limited to all statutory claims); or (iii) the termination of your relationship with Directly and any Directly Account on the Services (including but not limited to all statutory claims); provided, however, that this Section shall not apply to any claim or cause of action brought in court by you pursuant to the California Private Attorneys General Act of 2004 as amended. Arbitration shall be initiated through JAMS, an established alternative dispute resolution provider that offers arbitration as set forth in this section, or if JAMS is not available to arbitrate, the parties shall agree to select an alternative provider (“ADR Provider”). The Terms and the rules of the ADR Provider shall govern all aspects of the arbitration, including but not limited to the method of initiating and/or demanding arbitration, except to the extent such rules are in conflict with the Terms (“Arbitration Rules”). The arbitration shall be conducted by a single, neutral arbitrator. Any claims or disputes where the total amount of the award sought is less than Ten Thousand U.S. Dollars (US $10,000.00) may be resolved through binding non-appearance-based arbitration, at the option of the party seeking relief. For claims or disputes where the total amount of the award sought is Ten Thousand U.S. Dollars (US $10,000.00) or more, the right to a hearing will be determined by the Arbitration Rules. Any hearing will be held in a location within 100 miles of your residence, unless you reside outside of the United States, and unless the parties agree otherwise. If you reside outside of the U.S., the arbitrator shall give the parties reasonable notice of the date, time and place of any oral hearing. Any judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. If the arbitrator grants you an award that is greater than the last settlement offer that Directly or the applicable Customer made to you prior to the initiation of arbitration, Directly (or the applicable Customer) will pay you the greater of the award or 130% of the settlement offer. Directly will pay any portion of the other party's arbitration costs in excess of those that you would have paid were the dispute brought in court.
14.6. Additional Rules for Non-Appearance Based Arbitration. If non-appearance based arbitration is elected, the arbitration shall be conducted by telephone, online and/or based solely on written submissions; the specific manner shall be chosen by the party initiating the arbitration. The arbitration shall not involve any personal appearance by the parties or witnesses unless otherwise agreed by the parties.
14.7. Time Limits. If you or Directly (or the applicable Customer) pursues arbitration, the arbitration action must be initiated and/or demanded within the statute of limitations (i.e., the legal deadline for filing a claim) and within any deadline imposed under the Arbitration Rules for the pertinent claim.
14.8. Authority of Arbitrator. If arbitration is initiated, the arbitrator shall have the sole and exclusive authority to determine whether a dispute, claim or cause of action is subject to arbitration under this Section 14 and to determine any procedural questions which grow out of such disputes, claims or causes of action and bear on their final disposition. Without limiting the generality of the foregoing, the arbitrator shall have the authority to grant motions dispositive of all or part of any claim; shall have the authority to award monetary damages, and to grant any non-monetary remedy or relief available to an individual under applicable law, the ADR Provider’s rules and the Terms. The arbitrator shall issue a written award and statement of decision describing the essential findings and conclusions on which the award is based, including the calculation of any damages awarded. The arbitrator has the same authority to award relief on an individual basis that a judge in a court of law would have. The award of the arbitrator is final and binding upon you and Directly (or the applicable Customer).
14.9. Waiver of Jury Trial. The parties hereby waive their constitutional and statutory rights to go to court and have a trial in front of a judge or a jury, instead electing that all claims and disputes shall be resolved by arbitration under these arbitration section terms. Arbitration procedures are typically more limited, more efficient and less costly than rules applicable in a court and are subject to very limited review by a court. In the event any litigation should arise between you and Directly (or the applicable Customer) in any state or federal court in a suit to vacate or enforce an arbitration award or otherwise, you and Directly (or the applicable Customer) waive all rights to a jury trial, instead electing that the dispute be resolved by a judge.
14.10. Waiver of Class or Consolidated Actions. All claims and disputes within the scope of this Arbitration Terms must be arbitrated or litigated on an individual basis and not on a class basis, and claims of more than one User cannot be arbitrated or litigated jointly or consolidated with those of any other user or third party (including but not limited to Experts, users or Customers.
14.11. Severability. If any provision of these Arbitration Terms is, for any reason, held to be invalid or unenforceable, the other provisions of these Arbitration Terms will be unimpaired and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.
14.12. Right to Waive. Any and all of the rights and limitations set forth in this section may be waived by the party against whom the claim is asserted. Such waiver shall not waive or affect any other portion of these terms.
14.13. Survival of Terms. The Arbitration Terms will survive the termination of your relationship with Directly (or the applicable Customer).
14.14. Small Claims Court. Notwithstanding the foregoing, either you or Directly (or the Applicable Customer) may bring an individual action in small claims court.
14.15. Emergency Equitable Relief. Notwithstanding the foregoing, either party may seek emergency equitable relief before a state or federal court in order to maintain the status quo pending arbitration. A request for interim measures shall not be deemed a waiver of any other rights or obligations under this Arbitration Terms.
14.16. Courts. In any circumstances where the foregoing Arbitration Terms permits the parties to litigate in court, the parties hereby agree to submit to the personal jurisdiction of the courts located within San Francisco County, California for such purpose.
15.1. Changes to Terms. These Terms are subject to revision, and if we make any substantial changes, we will notify you by sending you an email to the last e-mail address you provided to us (if any) and/or by prominently posting notice of the changes on our Services so it is visible when you visit and/or log-on to the Services for the first time after the change is posted. Such changes will not retroactively modify agreed dispute resolution provisions for any then-pending disputes. Your continued use of the Services after the changes have been posted shall constitute your acceptance of the changes. If you do not agree to the updated Terms, you must cease your use of the Services. Any changes to these Terms will be effective immediately following our posting of notice of the changes on our Services. You are responsible for providing us with your most current email address. In the event that the last e-mail address that you have provided us is not valid, or for any reason is not capable of delivering to you the notice described above, our dispatch of the e-mail containing such notice will nonetheless constitute effective notice of the changes described in the notice.
15.2. Electronic communications. The communications between you and us use electronic means, whether you visit the Services or send emails, or whether we post notices on the Services or communicate with you via email. For contractual purposes, you (a) consent to receive communications from us in an electronic form; and (b) agree that all terms and conditions, agreements, notices, disclosures and other communications that we provide to you electronically satisfy any legal requirement that such communications would satisfy if it were in writing. The foregoing does not affect your statutory rights.
15.3. Entire Agreement. These Terms (which include any other rules posted on the Services) constitute the entire agreement between you and us regarding the use of the Services. Our failure to exercise or enforce any right or provision of these Terms shall not operate as a waiver of such right or provision. The section titles in these Terms are for convenience only and have no legal or contractual effect. The word “including” means “including without limitation.” If any provision of these Terms is, for any reason, held to be invalid or unenforceable, the other provisions of these Terms will be unimpaired and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. These Terms, and your rights and obligations herein, may not be assigned, subcontracted, delegated or otherwise transferred by you without our prior written consent, and any attempted assignment, subcontract, delegation or transfer in violation of the foregoing will be null and void. We may freely assign these Terms. The terms of these Terms shall be binding upon assignees.
15.4. System Outages and Changes to Services. You acknowledge and agree there will be occasions when the Services will be interrupted for scheduled maintenance or upgrades, for emergency repairs, or due to failure of telecommunications links and equipment that are outside of our control, and that we will have no liability for your inability to access and/or use the Services, or any portion thereof, during any of the foregoing events. We reserve the right to change, alter or vary the Services or Services offered on or through the Services at any time without notice.
15.5. Third Party Beneficiary. Directly and you acknowledge and agree that each Customer is a third-party beneficiary of these Terms, and that, upon you accepting the terms and conditions of these Terms, each such Customer will have the right (and will be deemed to have accepted the right) to enforce these Terms against you as a third-party beneficiary thereof.