Explore Products
Explore Products

Utility Menu

Back to Legal

DATA PROCESSING ADDENDUM

Revised: January 1, 2025

This Data Processing Addendum includes Schedules 1 (Processing Description) and 2 (Regional Transfer Terms) (“DPA”).This DPA supplements and forms part of the Terms of Service or other written agreement (the “Agreement”) between GoTo and “Customer” and applies to GoTo’s Processing of Customer’s Personal Data in connection with the Services purchased under the Agreement. This DPA is effective when Customer (a) enters into an Agreement or signs an Order that has incorporated this DPA into its terms, or (b) uses the Services after its publication to GoTo’s website (the “Effective Date”). The terms of this DPA control to the extent they conflict with the terms of the Agreement.

Customer enters into this DPA on behalf of itself, and to the extent required under Data Protection Laws, on behalf of its Authorized Affiliates. References to “Customer” in this DPA mean the Customer contracting entity and its Authorized Affiliates; provided, however, that the Customer contracting entity shall, on behalf of itself and its Authorized Affiliates: (a) remain responsible for coordinating, making, and receiving all communication with GoTo under this DPA; and (b) exercise any of its own or its Authorized Affiliates’ rights herein in a combined manner. Unless otherwise specified in this DPA, “GoTo” means the GoTo contracting entity and its Affiliates.

Signature or acceptance by the Parties of the Agreement or any Order Form constitutes signature and acceptance of the following documentation, to the extent applicable: (a) the Brazilian Standard Contractual Clauses; (b) the EU Standard Contractual Clauses; and (c) the UK Addendum to the EU Standard Contractual Clauses.


1. DEFINITIONS
As used in this DPA, the following terms have the meanings set forth below. Unless otherwise stated in this DPA, capitalized terms not defined below have the meaning given to them in the Agreement.

Affiliate” means, (a) with respect to Customer, any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, and (b) with respect to GoTo, any entity that directly or indirectly controlled by GoTo Group Parent, Inc. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the share capital or voting rights of the subject entity.

Authorized Affiliate” means any Customer Affiliate that is: (i) subject to Data Protection Laws; and (ii) authorized by Customer to use the Services pursuant to the Agreement between Customer and GoTo but has not signed its own Order Form with GoTo and is not otherwise a "Customer" under the Agreement.

Brazilian Standard Contractual Clauses” or “Brazilian SCCs” means the Standard Contractual Clauses, attached to Resolution CD/ANPD No. 19/2024 promulgated by the Brazilian National Data Protection Authority (the “Autoridade Nacional de Proteção de Dados” or “ANPD”), as they may be amended from time to time.

CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 or “CPRA” (Cal. Civ. Code § 1798.100-1798.199.100 et seq.) and its implementing regulations; as may be amended, superseded, or replaced.

Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

Cross Border Data Transfer” means the act of sending or sharing of Personal Data originating in one country to another country (or in the case of the European Economic Area, to a country located outside of the European Economic Area). Cross Border Data Transfers include Restricted Transfers.

Customer Content” means any files, documents, recordings, chat logs, transcripts, and similar data that GoTo maintains on Customer’s and/or its end-users’ behalf, as well as any other information Customer or its users may upload to Customer’s Service account in connection with the Services.

Data Protection Laws” means all applicable data protection and privacy laws and regulations, including the laws and regulations of Brazil, the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states (including but not limited to California), in each case, to the extent applicable to the Processing of Personal Data under the Agreement.

Data Subject” means, as applicable: (i) the identified or identifiable person to whom Personal Data relates as defined by Data Protection Laws; and/or (ii) a “Consumer” as the term is defined in the CCPA.

Data Subject Request” means a request from a Data Subject to exercise the rights in their Personal Data granted to them under Data Protection Laws, including as applicable, the rights (i) of access; (ii) of rectification; (iii) of restriction of processing; (iv) of erasure (e.g., a “right to be forgotten”); (v) of data portability; (vi) to know any first- or third-party sharing activities; (vii) to know GoTo’s relevant processing activities; (viii) to review the consequences of any objections or consent withdrawals; (ix) to not be subject to automated individual decision making; and/or (x) to object to Processing.

EU Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses attached to the European Commission’s Implementing Decision (EU) 2021/914, as they may be amended from time to time.

GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), as may be amended, superseded, or replaced.

GoTo” means GoTo and its Affiliates engaged in the Processing of Personal Data in connection with providing the Services to Customer.

LGPD” means Brazil Law No. 13.709, the General Law on Protection of Personal Data, as may be amended, superseded, or replaced.

"Party” or “Parties” means either Customer or GoTo individually, or both entities together, respectively, and as applicable.

Personal Data” means any Customer information received by GoTo from or on behalf of Customer under the Agreement that relates to: (i) an identified or identifiable natural person (e.g., a Data Subject or Consumer); (ii) a household under CCPA; and/or (iii) any elements that constitute personal information or a similar construct under applicable law, in each case, where such information is maintained on behalf of the Controller by the Processor within its Services environment and is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws. Notwithstanding the foregoing, to the extent that Customer information otherwise meets this definition but is excluded from the definition of personal data under Data Protection Laws, such information shall not constitute Personal Data under this DPA.

Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Processor” means the entity that Processes Personal Data on behalf of the Controller, including, as applicable, a “Service Provider” as the term is defined by the CCPA.

Restricted Transfer” means a transfer of Personal Data by GoTo from the country or, in the case of the European Union, from the EEA, from which the data originate to any other jurisdiction whose laws have not been deemed adequate by the applicable regulator, where the Data Protection Law requires such a determination. A transfer of Personal Data to the United States pursuant to the EU-US Data Privacy Framework and the UK extension thereto or the Swiss-US Data Privacy Framework is not a Restricted Transfer.

Security Incident” means any breach of GoTo’s security of which GoTo becomes aware leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data that GoTo Processes in its capacity as a Processor or sub-processor to Customer or that is Processed by GoTo’s sub-Processors.

Service Data” means (a) any data, including Personal Data, Processed by GoTo for the purposes of storing, transmitting or exchanging Customer Content, sending goods, and providing the Services, such as shipping address, data used to trace and identify the source and destination of a communication, including telephone numbers, data about the location of the device generated in the context of providing the Services, data about the routing, date, time, duration, type and other circumstances of communication or data provided by the channels used by the Customer to communicate with their customers or end users; (b) data about Customer communications with GoTo (such as inquiries and support requests), and other similar information; and (c) Personal Data that relates to Customer’s relationship with GoTo, including the names, phone numbers and/or contact information of individuals authorized by Customer to access Customer’s account or use the Services and billing information.

Sub-processor” means any Processor engaged by GoTo to assist with the fulfillment of its obligations with respect to providing the Services pursuant to the Agreement.

Supervisory Authority” means an independent public authority established under applicable law to oversee compliance with Data Protection Laws.

Swiss FADP” means the Swiss Federal Act on Data Protection of 25 September 2023, as may be amended, superseded, or replaced.

Technical and Organizational Measures” or “TOMs” means the technical and organizational measures documentation for GoTo’s Services located on GoTo’s Trust Center.

UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner under S119A Data Protection Act 2018, as amended from time to time.

UK Data Protection Law” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018, all as may be amended, superseded, or replaced.
2. PROCESSING OF PERSONAL DATA
2.1 Relationship of the Parties.
2.1.1 With regard to the Processing of Personal Data by GoTo on behalf of Customer, Customer is either the Controller, or a Processor that is Processing Personal Data for a third-party Controller, and GoTo is the Processor or a Sub-processor to Customer.
2.1.2 Notwithstanding Section 2.1.1, GoTo is an independent Controller of Personal Data contained in Customer Content and Service and Account Data, where GoTo Processes it for the following purposes: (i) billing, account, Customer relationship management (marketing and account-related communications to procurement, sales, and other Customer personnel), and related Customer correspondence (communications about account related items, for example necessary updates); (ii) complying with its legal obligations; (iii) addressing support requests, complaints and inquiries; (iv) addressing and pursuing disputes and legal claims; (v) detecting and managing violations of GoTo’s Acceptable Use Policy and its Terms of Service; and (vi) investigating security incidents and protecting the Service environment. GoTo will pseudonymize or aggregate Personal Data as much as possible for the following purposes: (a) maintaining, monitoring the performance of, and improving the Service (b) internal and financial reporting, revenue and planning forecasting and modeling (including product strategy), and capacity planning; and (c) receiving feedback on our Services.
2.2 Processing Details. The categories of Data Subjects, categories of Personal Data transferred, sensitive data transferred (if applicable), frequency of the transfer, nature and purpose of Personal Data transferred and Processed, retention of Personal Data, and subject matter of the Processing are specified in Schedule 1 (Processing Description) of this DPA.
3. CUSTOMER’S RESPONSIBILITIES
3.1 Compliance with Data Protection Law. When using the Services, Customer shall Process Personal Data in accordance with the provisions of Data Protection Law that apply to it and shall ensure that it has complied with any applicable notice disclosures or has otherwise obtained appropriate authorizations to permit GoTo to Process Personal Data as contemplated under the Agreement. If Customer is a Processor to a third-party Controller, Customer warrants that its instructions and actions with respect to the Personal Data GoTo Processes under the Agreement are authorized by the relevant third-party Controller. As between the parties, Customer is solely responsible for the accuracy, quality and legality of Personal Data, and how it acquires Personal Data.
3.2 Cooperation. Customer shall provide GoTo with all information and access necessary to enable GoTo to follow Customer’s instructions.
4. GOTO’S RESPONSIBILITIES
4.1 Compliance with Data Protection Laws. In Processing Personal Data under the Agreement, GoTo shall comply with the provisions of Data Protection Laws that apply to it and, where applicable, provide the same level of privacy protection to such Personal Data as required of Customer by such laws.
4.2 Processing Limitations and Customer Instructions.
4.2.1 Where GoTo is a Processor or Sub-Processor, GoTo shall only Process Customer’s Personal Data on its behalf and in accordance with Customer’s documented instructions, which are deemed given, for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Where GoTo acts as a Controller, GoTo will Process Customer’s Personal Data for the purposes stated in Section 2.1.2.
4.2.2 GoTo will inform Customer if it expects to incur additional charges or fees not covered by the fees for Services to follow Customer’s instructions, and Customer will pay for such additional Services at GoTo’s then-current rates.
4.2.3 GoTo shall immediately inform Customer if, in its opinion, it believes that any instructions of Customer conflict with or violate the requirements of Data Protection Law.
4.3 Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, GoTo shall implement and maintain appropriate technical and organizational measures for protection of the security (including protection against a Security Incident), confidentiality, and integrity of Customer Content, as set forth in the applicable Technical and Organizational Measures document, available on GoTo’s Trust Center. Customer acknowledges that the TOMs are subject to progress and development, and that GoTo may update or modify the TOMs from time to time. In doing so, GoTo will not decrease or degrade the overall security of the Services.
4.4 Personnel Confidentiality and Training. GoTo personnel who are engaged in the Processing of Customer’s Personal Data (i) have been informed of the confidential nature of Customer’s Personal Data; (ii) are subject to written confidentiality agreements or statutory confidentiality obligations; (iii) have received appropriate training on their responsibilities, specifically pertaining to security and privacy measures; and (iv) only have access to Personal Data to the extent reasonably determined to be necessary in order to perform their obligations, responsibilities, or duties.
4.5 Data Protection Impact Assessments; Prior Consultations. GoTo shall cooperate with and provide reasonable assistance to Customer if, in connection with its use of the Services, Customer is required by Data Protection Laws to perform a privacy impact assessment, data protection impact assessment, or similar privacy review of its Processing activities or otherwise engage in a prior consultation with a Supervisory Authority.
4.6 Data Subject Requests. If Customer receives a Data Subject Request from a Data Subject, Customer may (i) securely access Customer’s account to address the request, or (ii) where Customer requires assistance from GoTo to fulfill the request, submit a support ticket to the GoTo Customer Care team with detailed instructions on the assistance needed from GoTo to fulfill the request. If GoTo receives a Data Subject Request directly from a Data Subject, GoTo will either promptly pass along the request to Customer or advise the Data Subject to contact the relevant Controller. In all cases, Customer is responsible for verifying the identity of the Data Subject and assessing the validity of the Data Subject Request. GoTo bears no responsibility for information provided in good faith to Customer in reliance on this subsection.
4.7 Security Incident Notification. GoTo shall notify Customer without undue delay of a Security Incident. GoTo shall make reasonable efforts to identify the cause of such Security Incident and take reasonable steps to remediate the cause of such a Security Incident to the extent the remediation is within GoTo’s reasonable control. Additionally, GoTo shall provide Customer with relevant information about the Security Incident, as reasonably required to assist Customer’s compliance with its own obligations under Data Protection Laws, such as notifying Supervisory Authorities or Data Subjects. Notification or information provided under this Section shall not be interpreted or construed as an admission of fault or liability by GoTo.
4.8 Sub-Processors.
4.8.1 Customer provides GoTo with a general authorization to engage GoTo’s Affiliates and other third-party Sub-processors in connection with the provision and operation of the Services. Prior to engaging any Sub-processors, GoTo shall enter into a written agreement with each Sub-processor imposing terms that are no less protective than those imposed on GoTo in this DPA.
4.8.2 GoTo maintains a list of Sub-processors for the Service on its Trust Center. If Customer would like to receive notifications from GoTo regarding the proposed appointment of new Sub-processors, Customer may subscribe to receive them here. Customer may provide its written (email acceptable), good faith, reasonable objection to proposed Sub-processor appointments within 15 days of receiving GoTo’s notification. If GoTo is reasonably able to provide the Services without using the proposed Sub-processor and elects to do so in its sole discretion, Customer shall have no further rights with respect to the matter. If GoTo is otherwise unable or unwilling to make available such change within a reasonable period of time, Customer may, by providing written notice to GoTo, terminate the applicable Order Form(s) solely with respect to those Services which cannot be provided by GoTo without the use of the Sub-processor. If Customer does not timely object to a proposed Sub-processor, Customer will be deemed to have consented to the proposed Sub-processor and waived its right to object.
4.8.3 GoTo shall remain liable to Customer for the actions and omissions of its Sub-processors if they fail to fulfill their respective data protection obligations with regard to the relevant Processing activities under the Agreement.
5. GOTO OBLIGATIONS UNDER THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
Within this Section 5, capitalized terms not defined in the DPA have the meaning given to them in the CCPA. The following provisions apply to GoTo’s Processing of Personal Data as a Service Provider to the extent that the Personal Data is subject to the CCPA:
5.1 Obligations. GoTo shall: (a) Process Personal Data in accordance with the requirements of the CCPA that apply to GoTo as a Service Provider to Customer, providing an appropriate level of privacy protection as required by the CCPA; (b) notify Customer if it reasonably believes that it can no longer meet its obligations under the CCPA; (c) grant Customer the right, subject to Section 6 of the DPA (Third-Party Certifications and Audits), to take reasonable and appropriate steps to ensure that GoTo’s use of Personal Data collected pursuant to the Agreement is consistent with GoTo’s privacy and security obligations under the Agreement and CCPA; and (d) upon Customer’s request, which shall be provided to GoTo with reasonable advanced notice, cooperate with Customer to determine reasonable and appropriate steps to stop and remediate unauthorized use (i.e., use that is inconsistent with the terms of the Agreement and/or Data Protection Laws) of Customer Personal Data.
5.2 Prohibitions. GoTo shall not: (a) sell or Share Customer Personal Data it collects pursuant to the Agreement with Customer; or (b) retain, use, or disclose the personal Data it collects pursuant to the Agreement (i) for any other purpose than the business or commercial purposes stated in the Agreement or as otherwise permitted by the CCPA; or (ii) outside the direct business relationship between the Parties, unless expressly permitted by the CCPA.
6. THIRD-PARTY CERTIFICATIONS AND AUDITS.
6.1 Information and Requests. GoTo has made available to Customer information reasonably necessary to demonstrate compliance with its obligations under this DPA, including in the form of applicable third-party certifications and/or audits, including those specified in the applicable Technical and Organizational Measures available on GoTo’s Trust Center or its product support pages. If Customer cannot reasonably verify GoTo’s compliance with this DPA based on the information provided by GoTo, Customer may request, no more than once every 12 months, that GoTo provide, on a confidential basis, reasonable written information related to its Processing of Customer Personal Data under the Agreement that GoTo generally makes available to its customer base. Customer may make this request to GoTo by contacting its account representative directly or by contacting GoTo sales.
6.2 Regulatory Reviews. Should Customer require information to address an inquiry from a privacy regulator under Data Protection Laws that is not available from the information identified in Section 6.1, Customer may request to perform an audit, on a confidential basis, of GoTo’s procedures relevant to the protection of Personal Data under this DPA. Customer and GoTo shall mutually agree upon the scope, procedures, timing, duration, and/or reimbursable expenses (if any) of the audit before commencing the review. Customer shall: (a) promptly provide GoTo with information regarding any non-compliance discovered during an audit; and (b) use best efforts to minimize interference with GoTo’s business operations when conducting any such audit.
7. DELETION AND RETURN OF CUSTOMER CONTENT
For many Services, GoTo makes features available to Customer administrators that enable them to delete or export Content. Customers may avail themselves of these features at any time. Where such features are not available, or where Customer requires additional assistance from GoTo, the following provisions apply. Following the termination or expiration of Customer’s Agreement, Customer’s discontinuation of the use of its GoTo account, or earlier upon Customer’s written request, GoTo shall delete and make irretrievable Customer Content, including any Personal Data therein, to the extent allowed by applicable law. Automatic data retention periods shall be in accordance with the procedures and timeframes specified in the applicable Technical and Organizational Measures. Upon Customer’s written request GoTo will (a) certify the deletion of Customer Content, (b) provide proof of such deletion, and (c) where permissible by applicable law (i) return to Customer or Customer’s representative any Customer Content, including any Personal Data therein, retained by GoTo; or (ii) direct Customer on how to conduct a self-service data export (where available). Customer may make such requests by submitting a support ticket to the GoTo Customer Care team with detailed instructions on the assistance needed from GoTo. In all cases, GoTo’s default retention periods for Content, where it acts as a Processor to Customer, are stated in the applicable Service TOMs, which are available on GoTo’s Trust Center.

 
8. GOVERNMENT REQUESTS FOR CUSTOMER PERSONAL DATA
If GoTo receives a civil or criminal subpoena, search warrant, or other official and written request that is legally binding (“Request”) by a public authority (“Requesting Party”) seeking disclosure of Customer’s Personal Data, GoTo will handle such requests in accordance with its then-current Government Requests Policy. Specifically, where permitted by law, GoTo will redirect the Requesting Party to Customer. Unless otherwise stated in our Government Requests Policy, GoTo will (a) promptly notify Customer about the Request to allow Customer to seek a protective order or other appropriate remedy if not precluded from doing so by the Request; review the Request to determine whether the Request is valid and if GoTo has a legal requirement to disclose Personal Data; (c) reject or contest any request that is not valid, legally binding and lawful; and (d) challenge any overbroad or inappropriate Requests. Where Customer Personal Data must be provided, GoTo will disclose the minimum Personal Data required to satisfy the Request and seek assurances that Customer’s Personal Data is afforded confidential treatment by the Requestor.
9. CROSS BORDER DATA TRANSFERS
GoTo operates on a global basis and may engage in Cross Border Data Transfers to its Sub-processors and/or Affiliates to provide its Services. Some jurisdictions require that parties to a contract adopt safeguards that apply to such transfers. This Section describes the safeguards that the Parties have agreed govern such transfers under the Agreement.
9.1 APEC Privacy Recognition for Processors. GoTo has obtained the Asia-Pacific Economic Cooperation (“APEC”) Privacy Recognition for Processors (“PRP”) certification and shall Process Personal Data, where applicable, in accordance with the obligations and responsibilities of a Processor under the APEC Privacy Framework.
9.2 Regional Terms. Additional terms related to Cross Border Data Transfers of Personal Data subject to the LGPD, the GDPR, UK Data Protection Law, and the Swiss FADP, are set forth in Schedule 2 (Regional Transfer Terms), which is incorporated into this DPA by reference.
10. LIMITATION OF LIABILITY
Each Party’s liability, including the liability of all of its Affiliates, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and GoTo, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference to the liability of a Party means the total liability of that Party and all of its Affiliates under the Agreement.
11. HIPAA
If Customer is subject to the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191 (1996)), as amended by the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5 (2009)) and its applicable implementing regulations (collectively, “HIPAA”), Customer may not use the Services to create, receive, maintain, transmit, or otherwise process any information that includes or constitutes “Protected Health Information”, as defined under the HIPAA Privacy Rule (45 C.F.R. Section 160.103), unless Customer has signed a Business Associate Addendum (“BAA”) with GoTo prior to creating, receiving, maintaining, transmitting, or otherwise Processing this information using the Service. GoTo’s BAA is available here, and upon execution will be incorporated into this DPA.
12. LEGAL EFFECT AND CONFLICT
To the extent permitted by law, this DPA supersedes all prior DPAs and similar agreements in their entirety. In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of (a) the DPA and (b) the Brazilian Standard Contractual Clauses, the EU Standard Contractual Clauses, or the UK Addendum, as applicable, the latter shall control to the extent of the conflict.

List of Schedules:

Schedule 1: Processing Description

Schedule 2: Regional Transfer Terms

 

SCHEDULE 1 – PROCESSING DESCRIPTION
Categories of Data Subjects

Customer Content

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s users (who are natural persons) authorized by Customer to use the Services, including webinar or meeting invitees and attendees, individuals who place or receive calls, and individuals to whom you provide support

Service Data

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s users (who are natural persons) authorized by Customer to use the Services, including webinar or meeting invitees and attendees, individuals who place or receive calls, and individuals to whom you provide support

 

Categories of Personal Data Processed

Customer Content

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Contact information such as first and last name, email, phone, fax, and physical business address
  • Technical Information such as Device identification data and traffic data (e.g., MAC addresses, web logs, IP address, etc.), username and password data
  • Professional or employment-related information such as Job Title, Current/former employer, location, usage metrics, school affiliation, and similar information
  • Audio and video content and photographs, such as still and video recordings and voice recordings and transcripts
  • Personal life data
  • Preferences, such as contact mode and time preferences and calendar availability, language preferences

Service Data

GoTo may collect and further Process Personal Data contained in Service Data, which may include, but is not limited to the following categories of Personal Data:

  • Contact information such as first and last name, email, phone, fax, and physical business address, such as shipping address
  • Commercial and Financial Information such as services purchased or considered, purchasing or consuming histories or tendances, including information needed to facilitate transactions with GoTo, including payment transactions, information related to feedback on GoTo products and services, such as survey of focus group data, information about GoTo events attended or information received
  • Technical Information such as device identification data and traffic data (e.g., MAC addresses, web logs, IP address, etc.), user name and password data, data used to trace and identify the source and destination of a communication, such as individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, the routing, date, time, duration, type and other circumstances of communication, data provided by the channels used by the Customer to communicate with their customers, data about Customer communications with GoTo (such as inquiries and support requests), and other similar information.
  • Professional or employment-related information such as job title, current/former employer, location, usage metrics, school affiliation, and similar information
  • Audio and video content and photographs, such as still and video recordings and voice recordings and transcripts, such as the content of support calls or customer project meetings
  • Preferences, such as contact mode and time preferences and calendar availability, language preferences
  • Support data such as inquiries, requests, troubleshooting logs, and similar information

Sensitive Personal Data Processed (If Applicable)

The Parties do not anticipate that any sensitive data will be Processed. However, it is possible for the Customer to choose to submit sensitive data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and for which relevant safeguards are specified in Schedule 2 herein.

Nature and Purpose of Personal Data Processing

GoTo collects, records, organizes, structures, stores, adapts or alter, retrieves, consults, uses, discloses by transmission or disseminations, or otherwise makes available, aligns, or combines, restricts, erases and destroys Personal Data while providing Services as a Processor or when Processing Personal Data as a Controller. The purposes for which GoTo Processes Personal Data are as follows:

  • GoTo as Independent Controller. As noted in Section 2.1.2 of the DPA, GoTo is an independent Controller of Personal Data contained in Customer Content and Service Data where GoTo Processes it for the following purposes: (i) billing, account, Customer relationship management (marketing and account-related communications to procurement, sales, and other Customer personnel), and related Customer correspondence (communications about account related items, for example necessary updates); (ii) complying with its legal obligations; (iii) addressing support requests, complaints and inquiries; (iv) addressing and pursuing disputes and legal claims; (v) detecting and managing violations of GoTo’s Acceptable Use Policy and the Agreement; and (vi) investigating security incidents and protecting the Service environment. GoTo will pseudonymize or aggregate Personal Data as much as possible for the following purposes: (a) maintaining, monitoring the performance of, and improving the Service (b) internal and financial reporting, revenue and planning forecasting and modeling (including product strategy), and capacity planning; and (c) receiving feedback on our Services. The GoTo Contracting Entity is the relevant independent Controller. Where GoTo is an independent Controller, it Processes Personal Data in accordance with its Privacy Policy.
  • GoTo as Processor. GoTo will Process Personal Data, in its capacity as a Processor or Sub-Processor, and engage Sub-processors, as necessary to perform and operate the Services pursuant to the Agreement, as further specified in the applicable Technical and Organizational Measures documentation and list of Approved Sub-Processors, both available here, and to the extent further instructed by Customer through its use of the Services.

 

Retention of Personal Data
  • GoTo as Independent Controller. As noted in our Privacy Policy, we retain Personal Data for no longer than needed for the business purpose for which it was collected or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
  • GoTo as Processor. GoTo will Process and retain Personal Data, in its capacity as a Processor, for the duration of the Agreement (unless otherwise and/or as further specified in the Technical and Organizational Measures), unless otherwise agreed upon in writing or required or permitted by applicable law.

 

Subject Matter, Nature, and Duration of the Processing Performed by Sub-Processors
  • GoTo as Independent Controller. As noted in Section 2.1.2 of the DPA, GoTo is an independent Controller of Personal Data contained in Customer Content and Service Data where GoTo Processes it for the following purposes: (i) billing, account, Customer relationship management (marketing and account-related communications to procurement, sales, and other Customer personnel), and related Customer correspondence (communications about account related items, for example necessary updates); (ii) complying with its legal obligations; (iii) addressing support requests, complaints and inquiries; (iv) addressing and pursuing disputes and legal claims; (v) detecting and managing violations of GoTo’s Acceptable Use Policy and its terms of service; and (vi) investigating security incidents and protecting the Service environment. GoTo will pseudonymize or aggregate Personal Data as much as possible for the following purposes: (a) maintaining, monitoring the performance of, and improving the Service (b) internal and financial reporting, revenue and planning forecasting and modeling (including product strategy), and capacity planning; and (c) receiving feedback on our Services. The GoTo Contracting Entity is the relevant independent Controller. Where GoTo is an independent Controller, it Processes Personal Data in accordance with its Privacy Policy. GoTo may engage Processors to assist it in performing the foregoing tasks.
  • GoTo as Processor. GoTo provides, directly and through its Sub-processors, a portfolio of cloud-based communication and collaboration, customer engagement, and support solutions. The objective and subject of the Processing of Personal Data by GoTo, as a Processor, is servicing Customer and providing, supporting, and operating the provision of the Services.

 

SCHEDULE 2 – REGIONAL TRANSFER TERMS

The following provisions shall apply to the extent that GoTo Processes Personal Data that is subject to the following Data Protection Laws.

A. LGPD CROSS BORDER DATA TRANSFERS
1. The terms and conditions contained in this Schedule 2, Part A apply solely to the extent that the Personal Data Processed under this Agreement by GoTo is subject to LGPD.
2. GoTo shall (a) provide its Services under the express obligations imposed by the LGPD on a Data Processor for the benefit of a Data Controller; and (b) as required under Articles 33 through 36 of the LGPD, undertake Restricted Transfers of Personal Data on the basis of the Brazilian Standard Contractual Clauses.
3. Where the Brazilian SCCs apply, they shall be constructed as follows:
Clauses 4.1 - 4.8, Option B is included. Clause 4.1 is completed as follows:
a. Where Customer is the Controller and GoTo is a Processor
i. Clause 1.1 is completed as follows:
Exporter (Controller)
Name: See Agreement or Order Form
Qualification: See Agreement or Order Form
Main Address: See Agreement or Order Form
Email Address: See Agreement or Order Form
Contact for Data Subject: See Agreement or Order Form
Other Information: NA
AND
Importer (Processor)
Name: GoTo Technologies USA LLC, on behalf of itself and its applicable Affiliates
Qualification: 5984112 (DE)
Main Address: 333 Summer Street, 5th Floor, Boston, MA 02210
Email Address: privacy@goto.com
Contact for Data Subject: NA
Other Information: NA
ii. Clause 2.1 is completed as follows:
Purpose of the Data Transfer: To enable GoTo to provide Services to Customer under the Agreement.
Categories of Personal Data Transferred: See Schedule 1 (Processing Description)
Data Storage Period: See relevant TOMs in the Trust Center.
Other Information: NA
iii. Clause 3.1, Option B is included and is completed as follows:
Main purposes of the international data transfer: See DPA Section 2.1.2.
Categories of Personal Data Transferred: See Schedule 1 (Processing Details)
Data Retention Period: Data retention period may vary depending on the specific purpose but for no longer than needed for the business purposes for which it was collected. Personal data processed in the context of a contract may be retained by for the term of the contract and for a reasonable time afterwards as might be required to determine and settle any related claims or as otherwise required by law.
Other Information: See Schedule 3 for a current list of Sub-processors. The parties agree to follow the process for identification of new Sub-processors specified in Section 4.8 of the DPA. This process is designed to support and implement the requirements of Clauses 3.1 and 18 of the Brazilian Standard Contractual Clauses.
iv. Clauses 4.1 – 4.2 Option A, applies. Clause 4.1 is completed as follows:

4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below shall be primarily responsible for complying with the following obligations set forth in these Clauses:

a) Responsible for publishing the document provided in Clause 14:

b) Responsible for responding to requests from Data Subjects dealt with in Clause 15:

c) Responsible for notifying the security incident provided in Clause 16:
v. Section III is completed as follows: See relevant TOMs in the Trust Center.
vi. Section IV is completed as follows: The parties agree that the limitation of liability provisions stated in the Agreement shall control the parties’ respective liability to each other under Clause 17 of these Brazilian Standard Contractual Clauses.
b. Where Customer is a Processor and GoTo is a Sub-processor
i. Clause 1.1 is completed as follows:
Exporter (Processor)
Name: See Agreement or Order Form
Qualification: See Agreement or Order Form
Main Address: See Agreement or Order Form
Email Address: See Agreement or Order Form
Contact for Data Subject: See Agreement or Order Form
Other Information: NA
AND
Importer (Processor)
Name: GoTo Technologies USA LLC, on behalf of itself and its applicable Affiliates
Qualification: 5984112 (DE)
Main Address: 333 Summer Street, 5th Floor, Boston, MA 02210
Email Address: privacy@goto.com
Contact for Data Subject: NA
Other Information: NA
Name – See Agreement or Order Form
ii. Clause 2.1 is completed as follows:
Purpose of the Data Transfer: To enable GoTo to provide Services to Customer under the Agreement.
Categories of Personal Data Transferred: See Schedule 1 (Processing Description)
Data Storage Period: See relevant TOMs in the Trust Center
Other Information: NA
iii. Clause 3.1, Option B is included and is completed as follows:
Main purposes of the international data transfer: See DPA Section 2.1.2.
Categories of Personal Data Transferred: See Schedule 1 (Processing Details)
Data Retention Period: Data retention period may vary depending on the specific purpose but for no longer than needed for the business purposes for which it was collected. Personal data processed in the context of a contract may be retained by for the term of the contract and for a reasonable time afterwards as might be required to determine and settle any related claims or as otherwise required by law.
Other Information: See Schedule 3 for a current list of Sub-processors. The parties agree to follow the process for identification of new Sub-processors specified in Section 4.8 of the DPA. This process is designed to support and implement the requirements of Clauses 3.1 and 18 of the Brazilian Standard Contractual Clauses.
iv. Clauses 4.1 - 4.8, Option B is included. Clause 4.1 is completed as follows:
4.1 Considering that both Parties act exclusively as Processors within the scope of the International Data Transfer governed by these Clauses, the Exporter declares and guarantees that the transfer is carried out with the authorization and in accordance with the written instructions provided by the Third-Party Controller
Identification of the Third-party Controller: See contact information contained in Customer’s engagements with its customers.

Name:
Address:
E mail address:
Legal representative:
Contact for the Data Subject:
Purpose of the data transfer:
Conditions for the transfer:
Other information:
Information on the related contract:
v. Section III is completed as follows: See relevant TOMs in the Trust Center.
vi. Section IV is completed as follows:
a The parties agree that the limitation of liability provisions stated in the Agreement shall control the parties’ respective liability to each other under Clause 17 of these Brazilian Standard Contractual Clauses.
b. By signing the Agreement, the Exporter warrants that it has been provided the authority to execute these Brazilian Standard Contractual Clauses for and on behalf of the Third-Party Controller. The Exporter shall execute all documents and take all actions reasonably requested by GoTo to demonstrate compliance with this provision.
c. Where Customer and GoTo are Independent Controllers
i. Clause 1.1 shall be completed as follows:
Exporter (Controller)
Name: See Agreement or Order Form
Qualification: See Agreement or Order Form
Main Address: See Agreement or Order Form
Email Address: See Agreement or Order Form
Contact for Data Subject: See Agreement or Order Form
Other Information: NA
AND
Importer (Controller)
Name: GoTo Technologies USA LLC, on behalf of itself and its applicable Affiliates
Qualification: 5984112 (DE)
Main Address: 333 Summer Street, 5th Floor, Boston, MA 02210
Email Address: privacy@goto.com
Contact for Data Subject: privacy@goto.com
Other Information: GoTo Processes Personal Data for which it is a Controller in accordance with its privacy policy, available at https://www.goto.com/company/legal/privacy
ii. Clause 2.1 is completed as follows:
Purpose of the Data Transfer: See DPA Section 2.1.2.
Categories of Personal Data Transferred: See Schedule 1 (Processing Details)
Data Storage Period: See relevant TOMs in the Trust Center
Other Information: NA
iii. Clause 3.1, Option B is included and is completed as follows:
Main purposes of the international data transfer: See DPA Section 2.1.2.
Categories of Personal Data Transferred: See Schedule 1 (Processing Details)
Data Retention Period: Data retention period may vary depending on the specific purpose but for no longer than needed for the business purposes for which it was collected or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Personal data processed in the context of a contract may be retained by for the term of the contract and for a reasonable time afterwards as might be required to determine and settle any related claims or as otherwise required by law. Where Processing of Personal Data is based on legitimate interests or compliance with legal obligations, it will be deleted as soon as the applicable underlying purpose has expired.
Other Information: NA
iv. Clauses 4.1 – 4.2 Option A, applies. Clause 4.1 is completed as follows:

4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below shall be primarily responsible for complying with the following obligations set forth in these Clauses

a) Responsible for publishing the document provided in Clause 14:

b) Responsible for responding to requests from Data Subjects dealt with in Clause 15:

c) Responsible for notifying the security incident provided in Clause 16:
v. The parties shall complete Section III follows: Refer to relevant TOMs in the Trust Center.
vi. The parties shall complete Section IV as follows: The parties agree that the limitation of liability provisions stated in the Agreement shall control the parties’ respective liability to each other under Clause 17 of these Brazilian Standard Contractual Clauses.
d. EU SCCs. Following the Effective Date, if the ANPD approves the use of the EU SCCs as a transfer mechanism for Restricted Transfers that are subject to the LGPD, then the Brazilian SCCs shall be deleted in their entirety, and the EU SCCs shall apply, structured as specified in Schedule 4(B) below with the following modifications: (a) all references to “Regulation (EU) 2016/679” in the EU Standard Contractual Clauses shall be interpreted to refer to the LGPD; (b) all references to “EU,” “Union,” and “Member State” shall be interpreted to refer to Brazil; and (c) All references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the ANPD and the “competent Brazilian courts”, respectively.
B. GDPR CROSS BORDER DATA TRANSFERS
1. Scope of Section. The terms and conditions contained in this Schedule 2, Part B apply solely to the extent that the Personal Data Processed under this Agreement by GoTo is subject to the GDPR
2. Compliance with GDPR. Each party shall undertake its Processing activities in accordance with the requirements of the GDPR that apply to them.
3. EU-US Data Privacy Framework. Certain GoTo entities have certified their compliance with the EU-US Data Privacy Framework. Cross Border Data Transfers from the EU to the United States of America that are covered by the scope of GoTo’s certification are made pursuant to such Framework.
4. EU Standard Contractual Clauses. To the extent that (a) Cross Border Data Transfers to or from the EU are not subject to the EU-US Data Privacy Framework and otherwise constitute a Restricted Transfer, or (b) Cross Border Data Transfers to United States covered by the EU-US Data privacy Framework become Restricted Transfers because (i) the EU-US Data Privacy Framework is subsequently invalidated, or (ii) GoTo’s participation in the EU-US Data Privacy Framework ceases for any reason, the EU SCCs shall apply to the applicable Cross Border Data Transfer. The EU SCCs are incorporated by reference into this DPA and shall be structured as follows:
a. Where Customer is the Controller of Personal Data, and GoTo is a Processor:
i. Module Two (Controller to Processor) applies and Modules One, Three, and Four are deleted in their entirety;
ii. Clause 7 is included; provided, however, that with respect to Customer, the entity acceding to the SCCs must be an Authorized Affiliate;
iii. Clause 9, Option 2 applies (and the Parties shall utilize the process detailed in Section 4.8 of the DPA to fulfill GoTo’s obligation to provide Customer with the information necessary to enable it to exercise its right to object);
iv. Clause 11, the optional independent dispute resolution is included. The body that GoTo makes available to Data Subjects at no cost is TrustArc, a third-party privacy firm, at https://feedback-form.truste.com/watchdog/request;
v. Clause 17, Option 1 applies. The EU SCCs are governed by Irish law;
vi. In Clause 18(b), disputes shall be resolved before the courts of Ireland; and
vii. the Annexes of the EU SCCs shall be populated with the information set out in Schedule 2-1, which is incorporated by reference herein.
b. Where Customer is a Processor of Personal Data, and GoTo is a Sub-processor:
i. Module Three (Processor to Sub-Processor) applies, and Modules One, Two, and Four are deleted in their entirety;
ii. Clause 7 is included; provided, however, that with respect to Customer, the entity acceding to the EU SCCs must be an Authorized Affiliate;
iii. Clause 9, Option 2 applies (as detailed in Section 5 of this DPA);
iv. Clause 11, the optional independent dispute resolution body is included. The body that GoTo makes available to Data Subjects at no cost is TrustArc, a third-party privacy firm, at https://feedback-form.truste.com/watchdog/request;
v. Clause 17, Option 1 applies, and the Standard Contractual Clauses shall be governed by Irish law;
vi. (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; and
vii. (vii) the Annexes of the EU SCCs shall be populated with the information set out in Schedule 4-1, which is incorporated by reference herein.
c. Where Customer and GoTo are Independent Controllers of Personal Data:
i. Module One (Controller to Controller) applies, and Modules Two, Three, and Four are deleted in their entirety;
ii. Clause 7 is included; provided, however, that with respect to Customer, the entity acceding to the EU SCCs must be an Affiliate or Authorized Affiliate approved by GoTo;
iii. Clause 11 is included. The optional independent dispute resolution body that GoTo makes available to Data Subjects at no cost is provided through TrustArc, a third-party privacy firm, at https://feedback-form.truste.com/watchdog/request;
iv. Clause 17, Option 1 applies. The EU SCCs shall be governed by Irish law;
v. In Clause 18(b), disputes shall be resolved before the courts of Ireland; and
vi. The Annexes of the EU SCCs shall be populated with the information set out in Schedule 4-1, which is incorporated by reference herein.
C. UK CROSS BORDER DATA TRANSFERS
1. Scope of Section. The terms and conditions contained in this Schedule 2, Part C apply solely to the extent that the Personal Data Processed under this Agreement by GoTo is subject to the UK Data Protection Law.
2. Compliance with UK Data Protection Law. Each party shall undertake its Processing activities in accordance with the requirements of UK Data Protection Law that apply to them.
3. UK Extension to the EU-US Data Privacy Framework. Certain GoTo entities have certified their compliance with the UK Extension to the EU-US Data Privacy Framework. Cross Border Data Transfers from the EU to the United States of America that are covered by the scope of GoTo’s certification are made pursuant to such Framework.
4. UK Addendum. To the extent that (a) Cross Border Data Transfers to or from the UK are not subject to the UK Extension to the EU-US Data Privacy Framework and otherwise constitute a Restricted Transfer, or (b) Cross Border Data Transfers to the United States covered by the UK Extension to the EU Data privacy Framework become Restricted Transfers because (i) the UK Extension to the EU-US Data Privacy Framework is subsequently invalidated, or (ii) GoTo’s participation in the UK Extension to the EU-US Data Privacy Framework ceases for any reason, the UK Addendum shall apply to the applicable Cross Border Data Transfer. The UK Addendum is incorporated by reference into this DPA, and the tables are completed as set forth in Schedule 2-2.
D. SWISS CROSS BORDER DATA TRANSFERS
1. Scope of Section. The terms and conditions contained in this Schedule 2, Part D apply solely to the extent that the Personal Data Processed under this Agreement by GoTo is subject to the Swiss FADP.
2. Compliance with the Swiss FADP. Each party shall undertake its Processing activities in accordance with the requirements of the Swiss FADP that apply to them.
3. Swiss-US Data Privacy Framework. Certain GoTo entities have certified their compliance with the Swiss-US Data Privacy Framework. Cross Border Data Transfers from the Switzerland to the United States of America that are covered by the scope of GoTo’s certification are made pursuant to such framework.
4. EU SCCs. To the extent that (a) Cross Border Data Transfers to or from Switzerland are not subject to the Swiss-US Data Privacy Framework and constitute a Restricted Transfer, or (b) should transfers to United States covered by the Swiss-US Data privacy Framework become Restricted Transfers because (i) the Swiss-US Data Privacy Framework is subsequently invalidated, or (ii) GoTo’s participation in the Swiss-US Data Privacy Framework ceases for any reason, the EU Standard Contractual Clauses completed as part of this DPA shall apply to the applicable Cross Border Data Transfer. The EU Standard Contractual Clauses shall be structured as specified in Schedule 4(B) above, with the following modifications: (a) all references to “Regulation (EU) 2016/679” in the EU Standard Contractual Clauses shall be interpreted to refer to the Swiss FADP; (b) all references to “EU,” “Union,” and “Member State” shall be interpreted to refer to Switzerland; and (c) All references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”, respectively.

 

SCHEDULE 2-1 – APPENDICES TO EU SCCs

ANNEX I (MODULES ONE, TWO AND THREE)


A. LIST OF PARTIES
Data exporter(s):
1. Name: See Customer legal name specified in the Agreement or Order Form.
Address: See Customer address specified in the Agreement or Order Form.
Contact Details: Customer’s primary contact, position, and details as identified on the relevant order documentation or Order Form, as applicable.
Activities relevant to the data transferred under these Clauses: Data Exporter procures Data Importer’s Services in the fields of cloud-based unified communication and collaboration, customer engagement, and support solutions.
Signature and date: The EU SCCs, including the Annexes, are deemed signed by Data Exporter’s signature on the Agreement or Order Form, as applicable. The date of signature is deemed to be the Effective Date
Role: The Data Exporter’s role is as set forth in Section 2 (Relationship of the Parties) of the DPA.

Data importer(s):
1. Name: GoTo Technologies USA LLC, on behalf of itself and the applicable GoTo Affiliate
Address: c/o/ Legal Department, 333 Summer Street, 5th Floor, Boston, MA 02210
Contact details: privacy@goto.com.
Activities relevant to the data transferred under these Clauses: GoTo provides a portfolio of cloud-based unified communication and collaboration, customer engagement, and support solutions. The activities relevant to and/or the objective and subject of the Processing of Personal Data by GoTo, as a Processor, is servicing Customer and providing, supporting, and operating the provision of the Services.
Signature and date: The EU SCCs, including the Annexes, are deemed signed by Data Importer’s signature on the Agreement or Order Form, as applicable. The date of signature is deemed to be the Effective Date.
Role: The Data Importer’s role is as set forth in Section 2 (Relationship of the Parties) of the DPA.

B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Refer to TOMs.
Categories of personal data transferred: Refer to the relevant TOMs in the Trust Center.
Sensitive data: Refer to the relevant TOMs in the Trust Center.
The frequency of the transfer: Continuous over the course of the Agreement through the expiration of the retention period.
Nature of the processing: Refer to the relevant TOMs in the Trust Center.
Purpose(s) of the data transfer and further processing: Refer to the relevant TOMs in the Trust Center.
The period for which the personal data will be retained: Refer to the relevant TOMs in the Trust Center.
For transfers to (sub-) processors, the subject matter, nature and duration of the processing is set forth in the Sub-processors List (refer to Section 4.8 and the relevant Sub-
Processor Disclosures in the Trust Center).

C. COMPETENT SUPERVISORY AUTHORITY (MODULES ONE, TWO AND THREE)
Identify the competent supervisory authority/ies: The Information Commissioner of the Republic of Ireland is the competent Supervisory Authority.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA (MODULES ONE, TWO AND THREE)
See the relevant TOMs in the Trust Center. The data importer may update its security document from time to time provided that there is no degradation to the security and/or privacy of the services.

ANNEX III – LIST OF SUB-PROCESSORS (MODULES TWO AND THREE)
See the relevant Sub-Processor Disclosures in the Trust Center.

 

SCHEDULE 2-2 – UK Addendum

Table 1

Start Date The Effective Date
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)

Parties’ Details

 




Key Contact

Full Legal Name: See Agreement or Order Form
Trading Name if Different
Main address: See Agreement or Order Form
Official Registration No:


Full Name (Optional): NA
Job Title: See Agreement or Order Form
Contact details including email: See Agreement or Order Form 		Full Legal Name: GoTo Technologies USA, LLC on behalf of itself and its applicable Affiliates
Trading Name if Different: NA
Main address: 333 Summer Street, 5th Floor, Boston, MA 02210
Official Registration No: 5984112 (DE)
Full Name (Optional): NA
Job Title: Privacy Team
Contact details including email: privacy@goto.com
Signature (if required for the purposes of Section 2) Signature or acceptance by Customer and GoTo of the Agreement or any Order Form constitutes signature and acceptance of the UK Addendum. Signature or acceptance by Customer and GoTo of the Agreement or any Order Form constitutes signature and acceptance of the UK Addendum.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs
Module Module in Operation Clause 7 (Docking Clause) Clause 11 (Option) Clause 9a (Prior Authorisation or General Authorisation Clause 9(a) Time Period Is personal data received from the Importer combined with personal data collected by the Exporter?
1 Yes Yes Yes, the optional independent dispute resolution body that GoTo makes available to Data Subjects at no cost is provided through TrustArc, a third-party privacy firm, at https://feedback-form.truste.com/watchdog/request      
2 Yes Yes Yes, the optional independent dispute resolution body that GoTo makes available to Data Subjects at no cost is provided through TrustArc, a third-party privacy firm, at https://feedback-form.truste.com/watchdog/request General See DPA, Section 8.2  
3 Yes Yes Yes, the optional independent dispute resolution body that GoTo makes available to Data Subjects at no cost is provided through TrustArc, a third-party privacy firm, at https://feedback-form.truste.com/watchdog/request General See DPA, Section 8.2  
4 No NA NA     NA

Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See above
Annex 1B: Description of Transfer: See Schedule 1 to the DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See the relevant TOMs in the Trust Center
Annex III: List of Sub processors (Modules 2 and 3 only): See the relevant Sub-Processor Disclosures in the Trust Center

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum Changes Which Parties may end this Addendum as set out in Section 19: