Optimizely Logo

Details of Processing, Categories of Data and Data Subjects

Optimizely DPA Exhibit 1

  1. PARTIES

1.1 The parties to this DPA and the roles of Data Exporter and Data Importer are set out in the Agreement.

1.2 The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the processing of Personal Data in connection with the Software Services further described in this Exhibit 1 and in the Agreement. The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in this Exhibit 1 and in the Agreement.

2. DESCRIPTION OF TRANSFER

2.1 Data Subjects. Unless provided otherwise by the data exporter, transferred Personal Data relates to the following categories of Data Subjects: employees, contractors, Business Partners or other individuals of Customer having Personal Data stored, transmitted to, made available to, accessed or otherwise processed by the data importer.

2.2 Data Categories. The transferred Personal Data concerns the following categories of data: Customer determines the categories of data and/or data fields which could be transferred per Optimizely Service as stated in the relevant Agreement. For Software Services, Customer can configure the data fields during implementation of the Software Service or as otherwise provided by the Software Service. The transferred Personal Data typically relates to the following categories of data: name, phone numbers, e-mail address, address data, system access / usage / authorization data, company name, contract data, invoice data, plus any application-specific data transferred or entered into the Software Service by Authorized Users.

2.3 Special Data Categories (if agreed)

2.3.1 The transfer of certain special categories of personal data (“Sensitive Data”) may trigger the application of additional restrictions or safeguards if necessary to take into consideration the nature of the data and the risk of varying likelihood and severity for the rights and freedoms of natural persons, which may include: (a) additional training of personnel; (b) encryption of data in transit and at rest; (c) system access logging and general data access logging, and (d) other technical and organisational measures as are appropriate for the Sensitive Data.

2.3.2 For Optimizely support and other professional services relevant to the Software Services: The transferred Personal Data is subject to the basic processing activities as set out in the Agreement which may include: (a) accessing systems containing Personal Data in order to provide those support and professional services, (b) use of Personal Data to provide those services, (c) continuous improvement of service features and functionalities provided as part of the Software Services, including automation, transaction processing and machine learning, (d) Processing of Personal Data in accordance instructions of Customer under the Agreement, and (e) storage of Personal Data in accordance with the Agreement.

2.3.3 For Optimizely Support: Optimizely or its Sub-processors provide support when a Customer submits a support ticket because the Software Services is not available or not working as expected. They respond to requests from Customer authorized agents and perform basic troubleshooting, and handle support tickets in a tracking system. They may respond to automated alerts on behalf of the Customer.

2.3.4 For Optimizely-provided (or managed) professional services associated with the Customer’s Software Service: Optimizely and its Sub-processor provide those services subject to the applicable order form and/or statement of work.

2.4 The purpose of the transfer is to provide and support the relevant Software Service, Support or associated professional service, Optimizely and its Sub-processors may provide or support the Software Service remotely.

2.5 The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal Data will be transferred on an ongoing basis for the duration of the Agreement.

2.6 The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained by Optimizely as set out in above.

2.7 For transfers to Sub-processors, also specify subject matter, nature and duration of the processing: Optimizely will transfer Personal Data to Sub -processors as stated in the applicable List of Sub-processors for the duration of the Agreement.

3. COMPETENT SUPERVISORY AUTHORITY

3.1 Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter established is the competent authority.

3.2 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

3.3 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie/).