Version effective as of 27 January 2022.
By executing a Main Agreement referring to this Data Processing Agreement, you as Customer agree to the terms set forth herein, which are incorporated into the Main Agreement by reference.
This XConnect Customer Data Processing Agreement (“DPA”) covers the XConnect-branded products and services (“XConnect Products and Services”) provided by or on behalf of XConnect Services Limited, a company incorporated under the laws of England and Wales (registered no 06011610) with registered address at Cooper House, 316 Regents Park Road, London, N3 2JX and any of its affiliates, as applicable (collectively, “XConnect”) under a respective services agreement or other contract (“Main Agreement”) between XConnect and the contracting party receiving XConnect Products and Services (as defined in the Main Agreement, hereinafter “Customer”), as sold by XConnect or an authorised reseller or distributor, and is entered into by and between XConnect and Customer effective as of the date of the Main Agreement.
1. Definitions
The following terms used in this DPA shall have the meaning indicated below.
1.1 “Customer Data” shall mean the data provided to XConnect by or on behalf of Customer and processed by XConnect in connection with the Main Agreement.
1.2 “Data Protection Requirements” shall mean any laws or regulations applicable to the processing of personal data or personal information (or similar term under the applicable law or regulation), where “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In addition to any other applicable laws or regulations, Data Protection Requirements shall include, to the extent applicable, the European General Data Protection Regulation (“GDPR”) and related national and local laws and regulations, the United Kingdom Data Protection Act (as subsequently amended, including by the UK General Data Protection Regulation), and the California Consumer Privacy Act (as subsequently amended, including by the California Privacy Rights Act (collectively, “CCPA”)).
1.3 “Licensed Purposes” shall mean the following telecommunications-related activities, solely to the extent they are lawful under applicable laws and regulations: sourcing communications, routing communications, rating communications (calculating charges, fees and payments), administration of communications and infrastructure (including billing and tracking for regulatory compliance purposes), and communications fraud detection and prevention. For the avoidance of doubt, Licensed Purposes shall not include marketing, advertising or promotions to any individual data subjects or any profiling (automated or otherwise) of individual data subjects.
1.4 “Personal Data/personal data”, “Personal Information/personal information”, “Data Subject/data subject”, “Process/process”, “Processor” and “Controller” (or similar term under the applicable Data Protection Requirements), shall each have the meaning given to them in applicable Data Protection Requirements.
1.5 “Standard Contractual Clauses” or “SCCs” shall mean the Standard Contractual Clauses approved in (a) the European Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council; and (b) the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en (or such updated version(s) as may be approved by the European Commission), together with the required information set forth in the Annex A hereto.
1.6 “XConnect Data” shall mean all data of XConnect, including data from the XConnect Products and Services accessed by or on behalf of Customer through queries, use of application programming interfaces (APIs), secure file transfer (FTTPS), a customer portal or any other methods whatsoever.
Any other terms that are capitalised, but not defined below, shall have the meaning as defined in the applicable Data Protection Requirements and/or the Main Agreement. In the event of a conflict between the Main Agreement and applicable Data Protection Requirements, the applicable Data Protection Requirements shall govern solely to the extent they are applicable and solely to the extent necessary to resolve such conflict.
2. General Provisions
2.1 Customer Data: Pursuant to the Main Agreement, all Customer Data shall be the Confidential Information of Customer. XConnect will only process Customer Data on behalf of Customer in providing the XConnect Products and Services to Customer pursuant to the Main Agreement and in improving such XConnect Products and Services through aggregated, de-identified analytics.
2.2 XConnect Data: As between XConnect and Customer, XConnect acts as the Controller of XConnect Data and Customer has rights to process XConnect Data only as permitted under the Main Agreement and this DPA. Specifically, Customer’s license to process XConnect Data is limited to the Licensed Purposes and any other purposes expressly set forth in the Main Agreement, and solely to the extent lawful and permitted under applicable Data Protection Requirements. Customer shall ensure that Customer’s agreements with any customers or partners do not authorise any processing outside of the Licensed Purposes.
2.3 Data Retention: Each party may retain data received from the other party for twelve (12) months following termination or expiration of the Main Agreement solely for billing, audit and business records purposes, or for any longer period set forth in the XConnect Data Retention Policy, which shall be provided to Customer upon request, or any longer period required by applicable laws or regulations (such as for tax or regulatory compliance).
2.4 Global Processing: Due to the global nature of telecommunications, the parties acknowledge and agree that data received by a party may be processed by the receiving party anywhere in the world in connection with the XConnect Products and Services, including for IT security purposes, maintenance, infrastructure, operations, administration, technical support, updates, upgrades and other enhancements. The parties shall comply with any applicable embargo or sanction restrictions, and shall cooperate to comply with any applicable data localisation requirements or data export restrictions.
2.4.1 European Personal Data: To the extent that the personal data of European data subjects is processed by or on behalf of Customer or XConnect, including any transfer of such personal data from the European Economic Area (“EEA”) to a country or territory outside the EEA (other than to a country or territory that has received a binding adequacy decision as determined by the European Commission), such processing of personal data shall be subject to the protections and provisions of the Standard Contractual Clauses or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with applicable Data Protection Requirements. For any personal data included in XConnect Data, Module One (controller to controller or C2C) shall apply with XConnect as the data exporter and Customer as the data importer. To the extent that the SCCs apply, Annex A shall also apply (as required by the SCCs).
2.4.2 UK: To the extent that personal data of a United Kingdom data subject is processed by Customer or XConnect outside of the United Kingdom, in a territory that has not been designated by the United Kingdom as ensuring an adequate level of protection pursuant to applicable Data Protection Requirements, and to the extent such processing and transfer would be subject to the Data Protection Requirements of the United Kingdom, the parties agree that the UK Addendum and UK International Data Transfer Agreement provided at https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/ (or such updated version of either as may be approved by the Information Commissioner’s Office) shall apply to the processing of such personal data of United Kingdom data subjects.
2.4.3 Additional Data Export Requirements: To the extent that additional data export compliance measures are required under applicable Data Protection Requirements, either under derogations within Europe or for countries or regions outside of Europe, such requirements may be incorporated automatically into this DPA upon written notice from XConnect to Customer, including notice via an email or an announcement on the customer portal, and may be posted on XConnect’s website: https://www.xconnect.net/privacy/.
3. Data Protection Compliance
3.1 Each party undertakes to comply with the Data Protection Requirements applicable to such party’s processing of personal data in connection with the Main Agreement and this DPA. With respect to personal data included in Customer Data, the Customer as Controller hereby represents and warrants that it has provided all required notices and obtained all permissions or, if applicable and sufficient under Data Protection Requirements, has another valid legal basis for sharing such personal data with XConnect for processing, as required under Data Protection Requirements, to provide XConnect with any personal data in connection with the XConnect Products and Services. Customer acknowledges that XConnect is reliant on Customer for direction as to the extent to which XConnect is entitled to process Customer Data. Consequently, XConnect will not be liable for any claim brought against XConnect by a data subject arising from any act or omission by Customer or by XConnect to the extent that such act or omission resulted from Customer’s instructions or Customer’s use of the Products and
3.2 If so requested by a party solely in order to support such party’s compliance with Data Protection Requirements, the other party shall provide, at the requesting party’s reasonable expense, reasonably required assistance relating to security of processing, data breach notifications, data protection impact assessments, data transfer risk assessments, and prior consultation with data protection supervisory authorities or other regulatory authorities, taking into account the nature of the processing and the information available to the receiving party. All such information provided shall be Confidential Information.
3.3 Each party undertakes to comply with any applicable additional Data Protection Requirements for particular countries, states or regions, or for specific product features or functionalities, including as may be provided from time to time by XConnect on https://www.xconnect.net/privacy/ or such other location as XConnect may notify Customer (such as by email or by an announcement on the customer portal). Such notified or posted provisions are automatically incorporated herein solely to the extent they are required under Data Protection Requirements
3.4 To the extent that additional country-specific (or state-specific, or regional, provincial, or other geographic area specific) provisions are required under Data Protection Requirements, the parties agree to incorporate such provisions solely to the extent they are required and solely to the extent they are applicable to particular Customer Data processed by XConnect. XConnect may, from time to time, post updated provisions related to local or other specific Data Protection Requirements on the XConnect Privacy Policy available at https://www.xconnect.net/privacy/. Such posted provisions are automatically incorporated herein solely to the extent they are required under Data Protection Requirements.
4. Data Confidentiality
Each party shall treat the data provided by the other party as confidential and shall in particular not disclose such data to any third parties unless authorised by the disclosing party and in accordance with this DPA or the terms and conditions of the Main Agreement. Each party shall put procedures in place designed to ensure that all persons acting under its authority entrusted with the processing of data provided by the other party have agreed to: (a) keep such data confidential and not to use such data for any unauthorised purposes; and (b) comply with applicable Data Protection Requirements. A party may share and disclose the other party’s data in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of such party’s business by or to another company, including the transfer of contact information and data of customers, partners and end users.
5. Data Security
Each party shall implement appropriate technical and organisational measures to ensure the protection of the personal data it processes under the Main Agreement and / or this DPA.
6. Subcontracting Authorisation
Customer generally authorises XConnect’s engagement of subcontractors and XConnect’s appointment of additional subcontractors or replacement of any subcontractors. A list of XConnect subcontractors will be provided upon request. XConnect shall ensure that it enters into a contract with each subcontractor on terms equivalent to this DPA and XConnect shall be liable for the acts and omissions of its subcontractors.
7. Data Subject Requests
A party that receives a request or complaint related to the XConnect Products and Services from a data subject whose personal data was included in the other party’s data, shall notify the other party promptly of the request or complaint and shall cooperate with the other party that provided such personal data in responding to such request or complaint, to the extent that the data subject identifies such other party (or such other party is reasonably identifiable) in such request or complaint at the other party’s reasonable expense. Neither party shall make any announcement in relation to such a request or complaint except as required by law.
8. Regulator Requests
A party that receives a request or complaint related to the XConnect Products and Services from a supervisory authority or regulator shall, where it is relevant to the other party, promptly notify the other party of the request or complaint and the parties shall work together in good faith to handle the request or complaint. Neither party shall make any announcement in relation to such a request or complaint except as required by law.
9. Mutual Co-operation
9.1 Security Incidents: Each party will provide the other party immediately with a data breach notification (with contents detailed below) if the notifying party becomes aware of and confirms any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data of the other party, or any other security incident that compromises the security, confidentiality or integrity of any personal data that requires a data breach notification to the other party according to Data Protection Requirements (“Personal Data Breach”). The parties shall work together in good faith within the applicable timeframes for the appropriate party to provide notifications in accordance with Data Protection Requirements and to finalise the content of any such notifications to data subjects or supervisory authorities, as required by applicable Data Protection Requirements. Except where required by law, the prior written approval of the non-notifying party shall be required for any statements regarding, or references to, the Personal Data Breach made by the notifying party in any such notifications (such approval not to be unreasonably withheld or delayed).
9.2 Compliance Reviews. To the extent required under applicable Data Protection Requirements and subject to the confidentiality obligations set forth in this DPA and in the Main Agreement, each party shall, upon the written request of the other party, provide such information as may be reasonably required to confirm such receiving party’s compliance with this DPA.
9.3 Data Audits. To the extent required under applicable Data Protection Requirements and subject to the confidentiality obligations set forth in this DPA and in the Main Agreement, each party shall make available to the other party all information necessary to demonstrate compliance with this DPA and the Data Protection Requirements and shall allow for and contribute to audits conducted by the other party provided such audits are carried out on at least ten (10) business days’ notice and not more than once every twelve (12) months. Each party agrees audits shall, wherever practicable, be carried out remotely and by reviewing the most recent compliance reports of the other party.
10. Privacy Notices
Each party shall provide a publicly-available Privacy Notice (e.g. https://www.xconnect.net/privacy/) and shall include details of a contact point authorised to handle questions and complaints, together with any other information required under applicable Data Protection Requirements.
11. Term
The term of this DPA is identical with the term of the Main Agreement. Save as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the Main Agreement.
12. Invalidity and/or unenforceability
Should any provision of this DPA be found invalid or unenforceable by a competent court of law, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, should this not be possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
13. Additional Provisions
Indemnification, liability, limitations of liability and any applicable exclusions, survival, assignment, termination/renewal and any other general terms not specified in this DPA shall be governed by the Main Agreement to the extent permitted by Data Protection Requirements.
[Annex A follows]
ANNEX A
STANDARD CONTRACTUAL CLAUSES
The personal data transferred and the nature of the processing shall be for the following purpose:
Providing (XConnect) and receiving (Customer) the XConnect Products and Services in accordance with the terms and conditions of the Main Agreement and the DPA.
The parties, contact information and roles shall be as specified in the Main Agreement and the DPA.
MODULE ONE: TRANSFER CONTROLLER (XCONNECT) TO CONTROLLER (CUSTOMER)
Categories of Data Subjects: The personal data transferred concern the following categories of data subjects:
- Personnel of XConnect.
- Personnel of XConnect’s partners (including any vendors, suppliers, agents or additional subprocessors as may be authorised by XConnect).
- End user individuals who have phone numbers.
Categories of personal data transferred: The personal data transferred may, depending on the nature of the services provided at the Customer’s request and for processing only for the Licensed Purposes, concern the following categories of data in addition to any other categories as specified in: (a) the Main Agreement; (b) the XConnect Privacy Policy available at https://www.xconnect.net/privacy/ together with any supplemental privacy information referenced therein; and (c) in any data sheets or related product documentation provided by XConnect for the particular product or service (“Documentation”).
- Business Contact Data: Business contact information
- End User Data:
- Telephone numbers
- Service providers
Certain additional data may be provided upon the Customer’s request, depending on the service selected and the availability of the data in compliance with applicable laws and regulations, including:
- Home Location Register (HLR) Lookup data
- Port History data
- Geolocational data (e.g., city, state, country)
- SIMSwap data
- Reachability data
- Professional Services data: Any personal data that is shared with Customer by or on behalf of XConnect in connection with any professional services provided by XConnect under the Main Agreement.
All processing by Customer (and any customers or partners of Customer) is limited to the Licensed Purposes.
GENERAL
If the Customer is established in an EU Member state, the competent supervisory authority shall be the supervisory authority applicable to the establishment location of the Customer. If the Customer is not established in an EU Member state, the competent supervisory authority shall be the supervisory authority located where the Customer has appointed its EU Representative. If the Customer is not established in an EU Member state and is not required to appoint an EU Representative, the competent supervisory authority shall be the supervisory authority applicable to the location of the data subject whose data is at issue.
With respect to any other provisions required by the SCCs and not specified in this Annex A, the DPA and the Main Agreement shall apply. Each party will provide such party’s technical and organisational measures to ensure the security of the data to the other party upon written request. Additional information regarding data processing related to particular XConnect Products and Services may be provided in the XConnect Privacy Policy available at https://www.xconnect.net/privacy/ and/or via email notifications to Customer or through the customer portal.