Data Processing Addendum
This Data Processing Addendum (“Addendum”) is an addendum to the Memberful Terms of Service (“Agreement”) between Memberful, LLC (“Memberful”) and you, the Memberful customer (“you”).
This Addendum applies where and only to the extent that Memberful processes Personal Data on your behalf in the course of providing the Services and such Personal Data is subject to Data Protection Laws (as defined below).
By registering for and/or using the site (as that term is defined in the Agreement), you agree to be bound by this Addendum, if applicable. You enter into this Addendum on behalf of yourself and, to the extent required under Data Protection Laws, in the name and on behalf of your Authorized Affiliates. The parties agree to comply with the terms and conditions in this Addendum in connection with such Personal Data. Subject to the foregoing conditions, the parties agree as follows:
- Definitions
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with Memberful.
“Authorized Affiliate” means any entity of you that is permitted to receive or is otherwise receiving the benefit of the Services pursuant to the Agreement.
“Customer Data” means any data that Memberful and/or its Affiliates processes on your behalf in the course of providing the Services under the Agreement.
“Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of or unauthorized disclosure of or access to Personal Data.
“Data Protection Law” means all laws relating to privacy and the processing of personal data that exist in any relevant jurisdiction, including any applicable codes of practice issued by the supervisory authorities. This includes (to the extent or when effective and applicable) but is not limited to, data protection laws of the US state of California, the European Union, the European Economic Area, and its member states, Switzerland, and the United Kingdom.
“Data Subject”, “Controller”, “Processor”, “Subprocessor”, “Process”, “Processing”, “Personal Data” (whether or not capitalized) have the meanings ascribed to them by Data Protection Law in the European Union. For purposes of Data Protection Law in the US state of California, the terms (whether or not capitalized) “Customer” and “Controller” shall be interpreted as a “Business”; “Data Processor” shall be interpreted as a “Service Provider”; “Data Subject” shall be interpreted as a “Consumer”; and “Personal Data” shall be interpreted as “Personal Information”.
“Services” means any product or service provided by Memberful to you pursuant to and as more particularly described in the Agreement.
“Standard Contractual Clauses” means standard contractual clauses set out in the European Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 set out here, and in particular refers to Module Two (controller to processor), and Module One (controller to controller) in the limited circumstances provided for in section 2.4 of this Addendum with respect to Memberful Data (as defined in section 2.4).
- Relationship of the Parties
2.1 Controller and Processor. As between you and Memberful, you are the Controller of Personal Data and Memberful shall process Personal Data on your behalf as a Processor.
2.2 Your Obligations. As the Controller, you agree that (i) you shall comply with your obligations as a Controller under Data Protection Laws in respect of your processing of Personal Data and any processing instructions you issue to Memberful; and (ii) you have provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Memberful to process Personal Data and provide the Services pursuant to the Agreement and this Addendum.
2.3 Limited Processing by Memberful. As a Processor, Memberful shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement and this Addendum; (ii) processing to perform any steps necessary for the performance of the Agreement and this Addendum; and (iii) to comply with other reasonable instructions provided by you to the extent they are consistent with the terms of the Agreement and this Addendum and only in accordance with your documented lawful instructions. The Customer Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain, and improve the Services provided to you; (ii) to provide you customer and technical support; and (iii) disclosures or further processing as required by law, in which case Memberful shall to the extent permitted by the Data Protection Laws inform you of that legal requirement before the relevant disclosure or processing of that Personal Data.
2.4 Memberful Data. Notwithstanding anything to the contrary in the Agreement and/or this Addendum, you acknowledge that Memberful may use and disclose data relating to and/or obtained in connection with the operation, support, and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development, and sales and marketing (“Memberful Data”). To the extent any such data is considered Personal Data under Data Protection Laws, Memberful is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws. Nothing in the Agreement or this Addendum shall prevent Memberful from using or sharing any data that Memberful would otherwise collect and process independently of your use of the Services.
- Security
3.1 Technical and Organizational Security Measures. Memberful shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Data Breaches and to preserve the security and confidentiality of the Personal Data. For additional information, visit Memberful’s Data Protection webpage at https://memberful.com/data-protection/. You acknowledge that Memberful’s technical and organizational security measures are subject to continued development and that Memberful may update or modify them from time to time.
3.2 Confidentiality of Processing. Memberful shall ensure that any person who is authorized by Memberful to process Personal Data shall be under an appropriate obligation of confidentiality.
3.3 Data Breaches. Memberful shall, to the extent permitted by law, notify you without undue delay upon Memberful or any Subprocessor becoming aware of a Data Breach affecting your Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform data subjects of the Data Breach under the Data Protection Laws. Memberful shall co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such Data Breach.
- Subprocessing
4.1 Authorized Subprocessors. You agree that Memberful may engage Subprocessors to process Personal Data on your behalf. The Subprocessors currently engaged by Memberful and authorized by you are listed in Annex I. Memberful shall provide you reasonable advance notice (for which email shall suffice) if it adds or replaces Subprocessors. You may object in writing to Memberful’s appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying Memberful promptly in writing within five (5) calendar days of receipt of Memberful’s notice in accordance herewith. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services.
4.2 Obligations Respecting Subprocessors. Memberful shall: (i) enter into a written agreement with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Memberful to breach any of its obligations under this Addendum.
- International Transfers
5.1 Processing Locations. Memberful stores and processes European Data (as defined in section 5.2) in data centers located outside the European Economic Area, the United Kingdom and Switzerland. All Customer Data may be transferred and processed in the United States and anywhere in the world where Memberful, its Affiliates, and/or its Subprocessors maintain data processing operations. Memberful shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.
5.2 Transfer Mechanism. Notwithstanding Section 5.1, to the extent Memberful processes or transfers Personal Data under this Addendum from the European Economic Area, the United Kingdom and/or Switzerland (“European Data”) in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, the parties agree that Memberful shall be deemed to provide appropriate safeguards for such data by virtue of employing appropriate Standard Contractual Clauses (as defined in section 1), and relevant details are provided in Annex II.
Memberful adheres to the EU-U.S. Data Privacy Framework Principles and the Swiss-U.S. Data Privacy Framework Principles and complies with the associated EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, sharing, and retention of personal data transferred from the European Union (including EFTA States), the United Kingdom, and Switzerland to the United States. As applicable, we do not, however, rely solely on the EU-US Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-US Data Privacy Framework as our lawful basis to transfer personal data from the European Union, EFTA States, or the United Kingdom. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
You hereby authorize any transfer of European Data to, or access to European Data from, such destinations outside the European Economic Area, the United Kingdom and Switzerland, subject to the measures detailed in this section having been taken.
- Cooperation
6.1 Response to Requests. To the extent Memberful is required under Data Protection Laws, Memberful shall (at your expense) provide reasonably requested information regarding Memberful's processing of Personal Data under the Agreement and/or this Addendum to enable you to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
6.2 Correction or Erasure by You. Memberful shall comply with any commercially reasonable request by you to correct, amend, block, or delete Personal Data, as required by Data Protection Laws, to the extent Memberful is legally permitted to do so.
6.3 Access. To the extent that you are unable to independently access the relevant Personal Data within the Services, Memberful shall (at your expense) taking into account the nature of the processing, provide reasonable cooperation to assist you, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement and/or this Addendum. In the event that any such request is made directly to Memberful, Memberful shall not respond to such communication directly without your prior authorization, unless legally compelled to do so. If Memberful is required to respond to such a request, Memberful shall promptly notify you and provide it with a copy of the request unless legally prohibited from doing so.
6.4 Exercise of Rights by Data Subjects. Taking into account the nature of the processing, Memberful shall assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligations, as reasonably understood by you, to respond to requests by data subjects to exercise rights under the Data Protection Laws. To the extent legally permitted, you shall be responsible for any costs arising from Memberful’s provision of such assistance (to the extent the provision of such assistance is not included in the Services to which you are entitled under the Agreement).
6.5 Return or Deletion of Data Upon Termination. Upon the end of the provisions of Services to you, all Personal Data shall be deleted, save that this requirement shall not apply to the extent Memberful is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data Memberful shall securely isolate and protect from any further processing, except to the extent required by applicable law. For additional information, visit Memberful’s Data Protection webpage at https://memberful.com/data-protection/.
- Miscellaneous
7.1 Conflict. The provisions of the Agreement govern the provision of the Services to you, to the extent those provisions do not conflict with this Addendum and the Standard Contractual Clauses (if applicable). If there is any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of that conflict. If there is any conflict between any applicable Standard Contractual Clauses and the Addendum and/or Agreement, the applicable Standard Contractual Clauses shall prevail to the extent of that conflict.
7.2 Liability. Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Agreement, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitations of liability’ section of the Agreement. For the avoidance of doubt, Memberful’s total liability for all claims arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.
7.3 Governance. This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
Annex I
Available upon request.
Annex II
A. Memberful details
Name: Memberful, LLC
Address: 600 Townsend Street Suite 500, San Francisco, CA 94103, US
Contact: info@memberful.com
Activities: Memberful collects from its customers in connection with its provision of a cloud-based software as a service
Date: the effective date of the Agreement
B. Details regarding Module Two and One of the Standard Contractual Clauses
Where Module Two of the Standard Contractual Clauses applies:
(i) in Clause 7, the optional docking clause will apply;
(ii) in Clause 9, Option 2 will apply, as indicated in section 4 of this Addendum;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 13(a), the Data Protection Commissioner of Ireland shall act as supervisory authority;
(v) in Clause 17, Option 1 will apply, and these Standard Contractual Clauses will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex II to this Addendum and the details provided to Memberful by its customer;
(viii) customer confirms compliance with Annex II of the Standard Contractual Clauses; and
(ix) Annex III of the Standard Contractual Clauses shall be deemed completed with the information provided pursuant to section 4 of this Addendum.
Where Module One of the Standard Contractual Clauses applies:
(i) in Clause 7, the optional docking clause will apply;
(ii) in Clause 11, the optional language will not apply;
(iii) in Clause 13(a), the Data Protection Commissioner of Ireland shall act as supervisory authority;
(iv) in Clause 17, Option 1 will apply, and these Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex II to this Addendum and the details provided to Memberful by its customer; and
(vii) customer confirms compliance with Annex II of the Standard Contractual Clauses.
Changelog
- June 27, 2022: Updates to certain provisions that reflect changes in European and Californian law.
- March 15, 2024: Updates to Section 6.2 to replace Privacy Shield Principles and Framework with Data Privacy Framework and Principles.