Data Processing Agreement
(GDPR, Standard Contractual Clauses, Optimizely Processor Binding Corporate Rules) – 17 July 2021
The Data Processing Agreement (“DPA”) forms part of the Master Services Agreement or other written or electronic agreement between Optimizely and Customer for the purchase of online services from Optimizely (identified either as “Software Services” or otherwise in the applicable agreement, and hereinafter defined as “Software Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.
By signing this Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Optimizely processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement, end-user services agreement (“EUSA”) and service level agreement (“SLA”).
In the course of providing the Software Services to Customer pursuant to the Agreement, Optimizely may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
How to execute this DPA
- This DPA consists of two parts: the main body of the DPA and Exhibits 1 (including the Appendix), 2 and 3.
- If this DPA is attached to an Agreement or Order which is signed and executed, the DPA will become legally binding between the Parties as part of the Agreement or Order.
- If this DPA was not attached to an Agreement or Order, then this DPA has been pre-signed on behalf of Company and Customer must follow Step 4 below. The Standard Contractual Clauses in Exhibit 1 have been pre-signed by Company as the data importer.
- To complete this DPA when not attached to an Agreement or Order, Customer must:
- Complete the information in the signature box and sign on Page 7
- Take note that different Sub-processors apply to different Services on Page 16.
- Send the completed and signed DPA to Company by email or webform, indicating the Customer’s Account Name (as set out on the applicable Company Agreement, Order or invoice), which will be addressed to firstname.lastname@example.org. Upon receipt of the validly completed DPA by Company at this email address or webform, this DPA will become legally binding.
How this DPA applies
If Customer entering into this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Company entity that is party to the Agreement is party to this DPA.
If Customer’s Affiliate entering into this DPA has executed an Order with Company or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order and applicable renewal Orders, and the Company entity that is party to such Order is party to this DPA.
If the Customer entity signing the DPA is not a party to an Order nor a Master Services Agreement directly with Company but is instead a customer indirectly via an authorized reseller of Company services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.
This DPA shall not replace any additional terms relating to Processing of Customer Data contained in any Amendment(s) to Customer’s Agreement, however shall replace any existing standard data processing agreement between the Parties.
If an entity signing this DPA is neither a party to an Agreement nor an Order, this DPA is not valid and is not legally binding. Such entity should request that a Customer entity who is a party to the Agreement executes this DPA on their behalf.
*Note: If Customer is using Episerver Managed Services (formerly Everweb or Ektron Holding), this DPA is not valid and is not legally binding unless written confirmation from Company has been received stating that the minimum GDPR technical and organizational measures on Customer’s environment have been met.
After the DPA is executed, a copy will be emailed to you.
Please click on the link to sign our DPA. Optimizely Customer DPA
For your review you can see the DPA here.
For further information, please see the Optimizely Trust Center here.