GLOO DATA PROTECTION ADDENDUM

This Gloo Data Protection Addendum (Addendum) supplements the Gloo Services Terms of Service (Terms) between Gloo, LLC (Gloo) and you, the person or organization to whom Gloo has agreed to provide certain services, software and content (Offerings) pursuant to an order of yours that Gloo has accepted (Order). This Addendum forms a part of the Terms. If there is any conflict between this Addendum and the Terms, this Addendum will prevail to the extent of the conflict.

  1. Definitions. The following terms shall have the meanings set out below.
    1. The term “Applicable Data Privacy Law” means all laws and regulations that apply to a party’s processing of personal information in connection with the provision or receipt of Offerings, including the California Consumer Privacy Act of 2018 (“CCPA”), the General Data Protection Regulation (EU 2016/679) (“GDPR”), and any other substantially similar data protection laws.
    1. The term “personal information” means information about an identified or identifiable individual (the “data subject”), and includes information protected as “personal information”, “personal data” or any analogous term by Applicable Data Privacy Law.
    1. A “controller”, with respect to certain personal information, means an entity that determines the purposes and means of processing of the personal information.
    1. A “processor”, with respect to certain personal information, means an entity that processes the personal information on behalf of, and pursuant to the instructions of, a controller of the personal information.
    1. To “process” data means to perform any operation or set of operations on the data, including collecting, using, storing and disclosing it.
    1. “Received Personal Information” means any personal information that Gloo receives from you or your representatives, or on your or your representatives’ behalf, in connection with Gloo’s provision of Offerings.
    1. “Your Account Data” means personal information that relates to your relationship with Gloo, including your or your representatives’ names, contact information, billing information, and information about your and their use of Gloo’s online services, and includes personal information described in Gloo’s Entity Representative Privacy Statement.
  1. The Obligations of the Parties. Depending on the Offerings that Gloo provides, Gloo acts as either a controller or processor with respect to the Received Personal Information. By default, Gloo acts as an independent controller with respect to all Received Personal Information, but in the cases of the following Offerings: Church Analytics, EveryCampus and Marketing Services with first party data, Gloo shall provide such Offerings on a processor-only basis, and Gloo shall only act as a processor with respect to Received Personal Information that Gloo receives in connection with providing such Offerings. Gloo also acts as a controller with respect to Your Account Data. Wherever Gloo acts as a controller with respect to Received Personal Information, the provisions set forth in Section 3 below shall apply. Wherever Gloo acts as a processor with respect to Received Personal Information, the provisions set forth in Section 4 below shall apply. Regardless of whether Gloo acts as a controller or processor, Section 5 below shall apply to you and Gloo.
  1. Terms that Apply where Gloo is a Controller. Wherever Gloo acts as a controller with respect to Received Personal Information, Gloo will process the personal information in accordance with Applicable Data Privacy Law and all privacy notices and privacy policies that Gloo has provided to the data subjects of the personal information explaining the circumstances and manner in which Gloo processes their personal information. With regards to any transfers of personal information under this Addendum from the United Kingdom, Switzerland or European Economic Area to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Privacy Law, the personal information will be transferred, and Gloo will process the personal information (other than Your Account Data, which Gloo will process in accordance with Applicable Data Privacy Law) in accordance with the Standard Contractual Clauses for controller-to-controller transfers approved by the European Commission in decision 2004/915/EC, which are hereby incorporated by reference. Details required under the Standard Contractual Clauses’ Annex B are set forth in Exhibit 1 to this Addendum.
    1. Barna ChurchPulse. With respect to the Barna ChurchPulse survey specifically, we will collect information provided in responses to the survey. Individuals are not required to provide any identifiable information to participate in the survey. Results are shared with third parties in aggregate form only.
  1. Terms that Apply where Gloo is a Processor. Wherever Gloo acts as a processor with respect to Received Personal Information, Gloo will comply with the following obligations with respect to the personal information.
    1. General Limitation. Gloo will only process the personal information on your documented instructions or as permitted or required by Applicable Data Privacy Law. Without limiting the generality of the foregoing, Gloo agrees that it will not sell any of the personal information, as the term “sell” is defined in the CCPA, and will not, except as permitted or required by applicable laws and regulations, collect, retain, share, disclose, or use any of the personal information: (i) for any purpose other than for the specific purpose of providing the Offerings that Gloo agreed to provide in your Order in respect of which Gloo acts as a processor; or (ii) outside the direct business relationship between you and Gloo. You agree that your Order, the Terms, and any other contracts between you and Gloo form part of your documented instructions to us to process the personal information. The subject matter and details of the processing are described in Exhibit 3 to this Addendum. If applicable laws and regulations require Gloo to process the personal information in a manner different from your documented instructions, Gloo will inform you of that legal requirement before proceeding with the processing, to the extent permitted by applicable law.
    1. Subcontractors and Locations of Processing. As long as Gloo performs the following actions in compliance with Applicable Data Privacy Law and this Addendum, you authorize Gloo to: (i) subcontract its obligations to process the personal information to any subcontractor of Gloo’s choosing; and (ii) process the personal information or arrange to have the personal information processed in any jurisdiction. Gloo will impose data protection terms on any such subcontractor to the standard required by Applicable Data Privacy Law. Gloo will provide you with information about the identity and location of its subcontractors and any intended changes to such subcontractor arrangements on your request at reasonable intervals. Gloo shall remain liable to you for any failure by a subcontractor to fulfill its data protection obligations hereunder.
    1. Confidentiality. Gloo will ensure that persons authorized to process the personal information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such personal information.
    1. Data Subject Rights Assistance. If an individual makes a written request to Gloo purporting to exercise their rights under Applicable Data Privacy Law in relation to the personal information, Gloo shall forward the request to you without undue delay and you agree to address the request in accordance with Applicable Data Privacy Law. On your written request, Gloo will provide you with reasonable assistance (at your expense if doing so would require Gloo to assign significant resources to such effort) to assist you in complying with your obligations with respect to the request under Applicable Data Privacy Law.
    1. Impact Assessments and Consultations. Gloo will provide you with reasonable assistance (at your expense if doing so would require Gloo to assign significant resources to such effort) in connection with any data privacy or protection impact assessment or consultations with regulatory authorities that you may be required to undertake in accordance with Applicable Data Privacy Law.
    1. Security Incident Notification. If Gloo discovers or reasonably believes that the personal information has been subject to accidental or unlawful destruction, loss or alteration, or unauthorized access, use or disclosure resulting from a breach of security measures (collectively, a “Security Incident”), Gloo will, to the extent permitted by applicable law, notify you without undue delay, and in any case no later than required under Applicable Data Privacy Law. Gloo will make reasonable efforts to mitigate the cause of the Security Incident and provide reasonable assistance to you in the event that you are required under Applicable Data Privacy Law to notify a regulatory authority or any relevant data subjects of the Security Incident.
    1. Return or Deletion of Personal Information. Gloo will delete or return to you the personal information after the end of the provision of the relevant Offerings, and delete existing copies of the personal information unless applicable laws and regulations require further storage of the personal information.
    1. Demonstrating Compliance. At least once a year, Gloo engages third-party security professionals at its own expense to assess Gloo’s security measures with respect to its processing of the personal information. Such assessments result in the generation of a confidential audit report (“Audit Report”). On your written request at reasonable intervals, Gloo will make available to you a copy of Gloo’s most recent Audit Report subject to reasonable confidentiality controls. You agree that receiving a copy of the Audit Report will satisfy any audit or inspection rights you may have under Applicable Data Privacy Law (including, where applicable, Article 28(3) of the GDPR or Clauses 5(f) and 12(2) of the Standard Contractual Clauses for controller-to-processor transfers approved by the European Commission in decision 2010/593/EU). Gloo shall promptly inform you if, in its opinion, an instruction infringes Applicable Data Privacy Law.
    1. Application of Standard Contractual Clauses. With regard to transfers of personal information under this Addendum from the United Kingdom, Switzerland or European Economic Area to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Privacy Law, you and Gloo agree that the Standard Contractual Clauses for controller-to-processor transfers approved by the European Commission in decision 2010/593/EU, shall apply and are hereby incorporated by reference. Details required under the Standard Contractual Clauses’ Appendices 1 and 2 are set forth in Exhibit 2 to this Addendum.
  1. General Obligations. Regardless of whether Gloo acts as a controller or processor with respect to Received Personal Information, you and Gloo agree to the following provisions.
    1. Your Processing of Received Personal Information. You represent, warrant and agree that: (i) all Received Personal Information has been collected, processed and transferred to Gloo in accordance with Applicable Data Privacy Law; and (ii) your instructions relating to Gloo’s processing of Received Personal Information will not cause Gloo to violate any applicable law or regulation, including Applicable Data Privacy Law. Without limiting the generality of the foregoing, you agree that you have provided all necessary notices and obtained all necessary consents from data subjects as required under Applicable Data Privacy Law before providing their personal information to Gloo in connection with the receipt of Offerings from Gloo. You shall defend, indemnify and hold harmless Gloo and its affiliates, and all of their officers, directors, employees, shareholders, legal representatives, agents, successors and assigns, from and against any and all claims, liabilities, suits, demands, damages, losses, judgments, fines, penalties, interest, costs and expenses (including reasonable attorneys’ fees and professional and court costs) arising from or relating to any breach of this section by you, or any act or omission of yours, or your employees or contractors, in activities arising from or relating to Received Personal Information. Gloo reserves the right to terminate all Offerings where it reasonably believes that you have contravened or will contravene this section 5.
    1. No Consideration. You and Gloo agree that Gloo does not receive any Received Personal Information as consideration for any services or other items that it provides to you.
    1. Security. You and Gloo shall implement reasonable and appropriate technical, physical and organizational security measures in relation to the processing of Received Personal Information, including but not limited to those required under Applicable Data Privacy Law.
    1. Updates. Gloo may update the terms of this Addendum, including where necessary to: (i) comply with updates to Applicable Data Privacy Law; (ii) reflect changes resulting from a merger, acquisition, or other similar transaction; or (iii) address Gloo’s release of new products or services or material changes to any existing Offerings. Gloo will provide you with prior notice of such updates as required by applicable laws and regulations.

Exhibit 1 - Annex B to the 2004 Controller-to-Controller Standard Contractual Clauses

The terms used herein shall have the same meaning as the defined terms in the Gloo Data Protection Addendum.

Data Subjects

The personal data transferred concern the following categories of data subjects:

The personal data transferred concern data subjects located in the United Kingdom, Switzerland and/or the European Economic Area of Received Personal Information that Gloo processes as a controller in connection with providing certain Offerings requested on your Order.

Purposes of the Transfer(s)

The transfer is made for the following purposes:

You transfer the relevant Received Personal Information to enable Gloo to provide certain Offerings requested on your Order.

Categories of data

The personal data transferred concern the following categories of data:

The personal data transferred concern categories of data that you would transfer to Gloo for the purposes of Gloo providing the Offerings requested on your Order. Some or all such categories of personal data may be listed in the relevant privacy notice or other documentation that Gloo provides to data subjects in connection with providing the corresponding Offering.

Recipients

The personal data transferred may be disclosed only to the following recipients or categories of recipients:

Gloo may disclose personal data to the following categories of recipients in the following situations, as permitted or required by applicable law:

Sensitive Data

The personal data transferred concern the following categories of sensitive data:

The personal data transferred concern categories of sensitive data that you would transfer to Gloo for the purposes of Gloo providing the Offerings requested on your Order. Some or all such categories of personal data may be listed in the relevant privacy notice or other documentation that Gloo provides to data subjects in connection with providing the corresponding Offering.

Data protection registration information of data exporter (where applicable)

Not applicable

Additional useful information (storage limits and other relevant information)

Please refer to the Gloo Services Terms of Service, your Order, and the Gloo Data Protection Addendum.

Contact points for data protection enquiries

Data importer (Gloo, LLC): Please refer to Gloo’s Entity Representative Privacy Statement.

Data exporter (you): Please refer to your Order.

Exhibit 2 - Appendices to the 2010 Controller-to-Processor Standard Contractual Clauses

Appendix 1 to the 2010 Controller-to-Processor Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties. The terms used herein shall have the same meaning as the defined terms in the Gloo Data Protection Addendum.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. The terms used herein shall have the same meaning as the defined terms in the Gloo Data Protection Addendum.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer): You. Please refer to your Order.

Data importer

The data importer is (please specify briefly activities relevant to the transfer): Gloo, LLC. Please refer to Gloo’s Entity Representative Privacy Statement and your Order.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

The personal data transferred concern data subjects located in the United Kingdom, Switzerland and/or the European Economic Area of Received Personal Information that Gloo processes as a processor in connection with providing certain Offerings requested on your Order.

Categories of data

The personal data transferred concern the following categories of data (please specify):

The personal data transferred concern categories of data that you would transfer to Gloo for the purposes of Gloo providing the Offerings requested on your Order.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

The personal data transferred concern categories of sensitive data that you would transfer to Gloo for the purposes of Gloo providing the Offerings requested on your Order.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

Gloo will process the personal data transferred to provide the Offerings requested on your Order with respect to which Gloo acts as a processor.

Appendix 2 to the 2010 Standard Contractual Clauses Controller-to-Processor

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please view Gloo’s Statement of Technical and Organizational Data Security Measures here.

Exhibit 3 – Details of Processing

Subject Matter: Gloo’s provision of the Offerings to you.

Duration of the Processing: The period identified in the relevant Order for the provision of the requested Offerings.

Nature and Purpose of the Processing: Gloo will process Received Personal Information for the purposes of providing the Offerings requested by you pursuant to the relevant Order.

Categories of Data: Personal Information relating to individuals provided to Gloo by (or at the direction of) you in connection with the Offerings.

Data Subjects: Data subjects may include your representatives, members, or attendees in connection with the Offerings.


Version 1.1.0 | Last modified on February 19, 2020 | © Gloo, 2020