Freshworks Data Processing Agreement
Effective Date
May 26, 2023
PLEASE READ THE DATA PROCESSING AGREEMENT (“DPA”) CAREFULLY AS IT FORMS A CONTRACT BETWEEN THE CUSTOMER (“CUSTOMER” OR “CONTROLLER”) AND FRESHWORKS (“FRESHWORKS” OR “PROCESSOR”). PROCESSOR AND CONTROLLER ARE INDIVIDUALLY REFERRED TO AS “PARTY” AND COLLECTIVELY AS “PARTIES”.
THE SERVICE AGREEMENT BETWEEN THE PARTIES REQUIRES THAT THE PROCESSOR ACCESSES AND PROCESSES PERSONAL DATA. THIS DPA TOGETHER WITH ITS EXHIBIT(S) SPECIFY THE OBLIGATIONS OF THE PARTIES WHEN FRESHWORKS ACTS AS A PROCESSOR.
BY ACCEPTING THIS DATA PROCESSING ADDENDUM OR ACCESSING OR USING THE SERVICE, YOU ARE AGREEING TO THE TERMS AND CONDITIONS OF THIS DATA PROCESSING ADDENDUM.
THE CAPITALIZED TERMS USED IN THIS DPA BUT NOT DEFINED HEREIN SHALL HAVE THE SAME MEANING AS DEFINED IN THE SERVICE AGREEMENT. IN THE EVENT OF A CONFLICT BETWEEN THIS DPA AND THE SERVICE AGREEMENT, THIS DPA SHALL PREVAIL.
IF YOU ARE USING ANY SERVICE AS AN EMPLOYEE, AGENT, OR CONTRACTOR OF A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. THE RIGHTS GRANTED UNDER THIS AGREEMENT ARE EXPRESSLY CONDITIONED UPON ACCEPTANCE BY SUCH AUTHORIZED PERSONNEL.
Modifications to this Agreement:
From time to time, Freshworks may modify this Data Processing Addendum. Unless otherwise specified by Freshworks, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service Order Form after the updated version of this DPA goes into effect. Freshworks will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means.
The “Effective Date” of this DPA is the date which is the earlier of (a) Customer’s initial access to any Service through any online provisioning, registration or order process or (b) the effective date of the first Service Order Form, as applicable, referencing this DPA.
This DPA is entered into by and between Freshworks Inc., a Delaware corporation (“Freshworks” or “Processor”) and the person or entity placing an order for or accessing the Service (“Customer” or “Controller”). Processor and Controller are individually referred to as “Party” and collectively as “Parties”. In consideration of the terms and conditions set forth below, the parties agree as follows:
1. Scope of Contract and Distribution of Responsibilities
1.1) The Parties agree that, for Processing Personal Data, the Parties shall be Controller and Processor.
1.2) Processor shall Process Personal Data only on behalf of Controller and at all times only in accordance with this Data Processing Agreement.
1.3) Within the scope of the Service Agreement, each Party shall be responsible for complying with its respective obligations as Controller and Processor under Data Protection Laws.
2. Processing Instructions
2.1) Processor will Process Personal Data in accordance with Controller's instructions. This Data Processing Agreement contains Controller's initial instructions to Processor. The Parties agree that Controller may communicate any change in its initial instructions to the Processor by way of written notification to the Processor and that Processor shall abide by such instructions. The Processor shall maintain a secure, complete, accurate and up to date record of all such individual instructions.
2.2) Regardless of the foregoing prohibitions, the parties agree that Processor may, and Controller instructs Processor to, process Personal Data for the following activities that are necessary to support the Services Agreement: detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; and provide, maintain, or improve the quality of the services.
2.3) For the avoidance of doubt, any instructions that would lead to processing outside the scope of this Data Processing Agreement (e.g. because a new Processing purpose is introduced) will require a prior agreement between the Parties and, where applicable, shall be subject to the contract change procedure under the Service Agreement.
Where instructed by Controller, Processor shall correct, delete or block Personal Data.
2.4) Processor shall promptly inform the Controller in writing if, in Processor's opinion, an instruction infringes Data Protection Laws and provide an explanation of the reasons for its opinion in writing.
2.5) Processor shall not be liable for any DP Losses arising from or in connection with any processing made in accordance with Controller’s instructions following Controller’s receipt of any information provided by Processor in this Section 2.
3. Processor Personnel
Processor will restrict its personnel from Processing Personal Data without authorization. Processor will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
4. Disclosure to Third Parties; Data Subjects Rights
4.1) Processor will not disclose Personal Data to any third party (including any government agency, court, or law enforcement) except as set forth in this Data Processing Agreement or with written consent from Controller or as necessary to comply with applicable mandatory laws. If Processor is obliged to disclose Personal Data to a law enforcement agency or third party, Processor agrees to give Controller reasonable notice of the access request prior to granting such access, to allow Controller to seek a protective order or other appropriate remedy. If such notice is legally prohibited, Processor will take reasonable measures to protect the Personal Data from undue disclosure as if it were Processor’s own confidential information being requested and shall inform Controller promptly as soon as possible if and when such legal prohibition ceases to apply.
4.2) In case Controller receives any request or communication from Data Subjects which relates to the Processing of Personal Data ("Request"), Processor shall provide the Controller with full cooperation, information and assistance ("Assistance") in relation to any such Request where instructed by Controller.
4.3) Where Processor receives a Request, Processor shall (i) not directly respond to such Request, (ii) forward the request to Controller within 3 (three) business days of identifying the Request as being related to the Controller and (iii) provide Assistance according to further instructions from Controller.
5. Assistance
5.1) The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to the Processor.
5.2) Where a Data Protection Impact Assessment ("DPIA") is required under applicable Data Protection Laws for the Processing of Personal Data, Processor shall, upon request, provide Controller with reasonable cooperation and assistance needed to fulfill Customer’s obligation to carry out a DPIA related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information and such information is available to Freshworks.
5.3) The Controller shall pay the Processor reasonable charges mutually agreed between the parties for providing the assistance in Section 5, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Services.
6. Information Rights and Audit
6.1) Processor shall, in accordance with Data Protection Laws, make available to Controller on request in a timely manner such information as is necessary to demonstrate compliance by Processor with its obligations under Data Protection Laws.
6.2) Freshworks has obtained third-party certifications and audits set forth on our security page. Upon Controller’s written request and subject to the confidentiality obligations set forth in the Service Agreement, Freshworks will make available to Controller a copy of Freshworks’ then most recent third-party certifications or audits, as applicable.
6.3) Processor shall, upon reasonable notice, allow for and contribute to inspections of the Processor's Processing of Personal Data, as well as the TOMs (including data processing systems, policies, procedures and records), during regular business hours and with minimal interruption to Processor's business operations. Such inspections are conducted by the Controller, its affiliates or an independent third party on Controller's behalf (which will not be a competitor of the Processor) that is subject to reasonable confidentiality obligations.
6.4) Controller shall pay Processor reasonable costs of allowing or contributing to audits or inspections in accordance with Section 6.3 where Controller wishes to conduct more than one audit or inspection every 12 months. Processor will immediately refer to Controller any requests received from national data protection authorities that relate to the Processor’s Processing of Personal Data.
6.5) Processor undertakes to cooperate with Controller in its dealings with national data protection authorities and with any audit requests received from national data protection authorities. Controller shall be entitled to disclose this Data Processing Agreement or any other documents (including contracts with subcontractors) that relate to the performance of its obligations under this Data Processing Agreement (commercial information may be removed).
7. Data Incident Management and Notification
In respect of a Customer data incident, Processor shall:
7.1) notify Controller of a Personal Data Breach involving Processor or a subcontractor without undue delay (but in no event later than 72 hours after becoming aware of the incident);
7.2) make reasonable efforts to identify the cause of such incident and take those steps as Processor deems necessary and reasonable in order to remediate the cause of the incident to the extent that it is within Freshworks’ reasonable control.
7.3) provide reasonable information, cooperation and assistance to Controller in relation to any action to be taken in response to a Personal Data Breach under Data Protection Laws, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities.
The obligations contained in Section 7 should not apply to data incidents that are caused by Customer or Customer’s users.
8. International Data Transfer
8.1) Data that Freshworks processes for the Customer as a Processor may be stored in the EU or outside of the EU depending on the Freshworks product.
8.2) Freshworks may also process certain data about Customer or its users as a data controller, including in countries outside of the EU, in accordance with Freshworks privacy notice available at https://www.freshworks.com/privacy
8.3) Where there is international transfer of Personal Data to the Processor in countries which do not ensure an adequate level of data protection, the following applies:
a. The Parties enter into Standard Contractual Clauses (Exhibit 1) for the transfer of Personal Data in countries which do not ensure an adequate level of data protection in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. The Standard Contractual Clauses will apply to Personal Data originating from Controller (who, for the purposes of the Standard Contractual Clauses shall be deemed the "Data Exporter") that is processed by Processor (who, for the purposes of the Standard Contractual Clauses shall be deemed the "Data Importer"). If there is any conflict between the Standard Contractual Clauses and this Data Processing Agreement, the Standard Contractual Clauses shall prevail.
b. At Controller's request, the Standard Contractual Clauses shall be replaced and the Parties shall execute new standard contractual clauses for transfers to data processors in third countries adopted pursuant to Art. 46 (2) c) or d) GDPR.
c. If and as long as the country to which Personal Data is transferred is subject to an adequacy decision according to Article 45 (3) GDPR, no Standard Contractual Clauses are required. Once the adequacy decision is repealed or suspended, a) and b) shall automatically apply.
9. Reference to Provisions of the Standard Contractual Clauses
For the technical and organizational measures (TOMs), reference is made to and Annex II of the Standard Contractual Clauses.
For sub-processing, reference is made to Annex III of the Standard Contractual Clauses. In the event of an objection by the Controller to the appointment or replacement of any sub processor, Processor will either not appoint or replace the sub processor or, if this is not possible, Controller may suspend or terminate the Service(s) (without prejudice to any fees incurred by Controller prior to such suspension or termination).
10. Term and Termination
10.1) This Data Processing Agreement becomes effective upon signature. It shall continue to be in full force and effect as long as Processor is processing Personal Data according to Exhibit 1 Annex I and shall cease automatically thereafter.
10.2) The Controller may terminate the Data Processing Agreement as well as the Service Agreement for cause, at any time upon reasonable notice or without notice, as selected by Controller, if the Processor is in material breach of the terms of this Data Processing Agreement.
10.3) Where amendments are required to ensure compliance of this Data Processing Agreement with Data Protection Laws, the Parties shall agree on such amendments upon request of Controller and, for the avoidance of doubt, with no additional costs to Controller. Where the parties are unable to agree upon such amendments, either party may terminate the Service Agreement and this Data Processing Agreement with 90 days' written notice to the other party.
11. Data Export and Retention
Controller may export all Customer Data prior to the termination of the Customer’s Account. In any event, following the termination of the Customer’s Account and the Service Agreement, Customer Data will be retained in accordance with the Data Retention Period as defined in the Service Agreement.
12. Miscellaneous
12.1) In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over the provisions of any other agreement with Processor.
12.2) The limitation of liability stated in the Service Agreement applies to the breach of the Data Processing Agreement.
12.3) No Party shall receive any remuneration for performing its obligations under this Data Processing Agreement except as explicitly set out herein or in another agreement.
12.4) Where this Data Processing Agreement requires a "written notice" such notice can also be communicated per email to the other Party. Notices shall be sent to the contact persons set out in Exhibit 1 Annex I.
12.5) Any supplementary agreements or amendments to this Data Processing Agreement must be made in writing and signed by both Parties.
12.6) Should individual provisions of this Data Processing Agreement become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this agreement.
12.7) If Freshworks is processing Personal Data within the scope of the CCPA, Freshworks makes the following additional commitments to Customer. Freshworks will process Customer Data and Personal Data on behalf of Customer and will not retain, use, or disclose that data for any purpose other than for the purposes set out in the DPA and as permitted under the CCPA, including under any “sale” exemption. In no event will Freshworks sell any such data.
13. Definitions
"Data Protection Laws" shall mean the data protection laws of the country in which Controller is established, including the GDPR, CCPA, CPRA and any data protection laws applicable to Controller in connection with the Service Agreement.
“CCPA” The California Consumer Privacy Act is a data privacy law that provides California consumers with a number of privacy protections, including right to access, delete, and opt-out of the “sale” of their personal information.
“CPRA” The California Privacy Rights Act is a data privacy law that amends and expands upon the CCPA.
“DP Losses” means all liabilities, including:
costs (including legal costs);
claims, demands, actions, settlements, charges, procedures, expenses, losses and damages (whether material or non-material, and including for emotional distress);
to the extent permitted by applicable law:
i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a data protection authority or any other relevant Regulatory Authority;
ii) compensation to a Data Subject ordered by a data protection authority to be paid by Processor;
iii) the costs of compliance with investigations by a data protection authority or any other relevant Regulatory Authority.
"GDPR" shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data.
"Personal Data" shall mean any information relating to an identified or identifiable natural person as defined by the General Data Protection Regulation of the European Union ("GDPR" EC-2016/679) that is Processed by Processor as part of providing the services to Controller as described in Exhibit 1.
"Service Agreement" shall mean the Terms of Service available at https://www.freshworks.com/terms or a master services agreement executed between the Parties.
"Standard Contractual Clauses" mean the standard contractual clauses set forth in Exhibit 1 for the transfer of Personal Data from a Data Controller in the European Economic Area to Processors established in third countries in the form set out in the Annex of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended by incorporating the description of the Personal Data to be transferred and the technical and organizational measures to be implemented as set out in the Appendix.
"Controller", "Data Subject", "Personal Data Breach", "Processor" and "Process"/"Processing" shall have the meaning given to them in the GDPR.