Data Processing Addendum (DPA)
The Chime Story
We saw a need, so we filled the need. Real estate technology was woefully behind the times, requiring agents to lose productivity and juggle multiple disconnected systems. We stepped in to fill the void and built the ultimate fully-integrated platform from the ground up. How did we know what to build? We worked closely with the best real estate professionals to understand exactly what agents need for generating and tracking leads, targeting automated communications, nurturing buyers and sellers through the funnel…and then we delivered. And we keep delivering. Every month Chime engineers provide new features and integrations that are in high demand, for an ever-evolving next-gen mobile-first real estate operating system that’s easy to use and second to none.
Contents of this Policy
This Data Protection Addendum (“ Addendum”) forms part of the agreement between Customer and Chime covering Customer’s use of the Services (as defined below) (“ Agreement”).
-
Definition
- “ Agreement” means this Data Processing Agreement and all Schedules;
- “ Applicable Data Protection Law” refers to all laws and regulations applicable to Chime’s processing of personal data under the Agreement.
- “California Personal Information” means Personal Data that is subject to the protection of the CCPA.
- “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
- “Consumer”, “Business”, “Sell” and “Service Provider” will have the meanings given to them in the CCPA.
- “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
- “Contracted Processor” means a Subprocessor;
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “ Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
- “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
- “ Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
- “ Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law or regulation relating to privacy and data protection.
- “ Services ” means the products and services provided by Chime or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge or (b) ordered by Customer under an Order Form. Services include products and services that provide both (x) platform services, including access to any application programming interface (“ Chime API”) and (y) where applicable, communications services used in connection with the Chime APIs.
- “ sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Chime
- “ Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.
-
Processing of Personal Data
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data solely on behalf of Customer, (i) Customer is the Controller of Personal Data, (ii) Chime is the Processor of such Personal Data. The terms “Controller” and “Processor” below hereby signify Customer and Chime, respectively.
2.2 Customer’s Processing of Personal Data. Customer, in its use of the Services, and Customer’s instructions to the Processor, shall comply with Data Protection Laws. Customer shall establish and have any and all required legal bases in order to collect, Process and transfer to Processor the Personal Data, and to authorize the Processing by Processor, and for Processor’s Processing activities on Customer’s behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.
2.3 Processor’s Processing of Personal Data. When Processing on Customer’s behalf under the Agreement, Processor shall Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing for Customer as part of its provision of the Services; (iii) Processing to comply with Customer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement, regarding the manner in which the Processing shall be performed; (iv) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; (v) Processing as required under the laws applicable to Processor, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Processor shall inform Customer of the legal requirement before Processing, unless such law or order prohibit such information on important grounds of public interest.
Processor shall inform Customer without undue delay if, in Processor’s opinion, an instruction for the Processing of Personal Data given by Customer infringes applicable Data Protection Laws. To the extent that Processor cannot comply with an instruction from Customer, Processor (a) shall inform Customer, providing relevant details of the issue, (b) Processor may, without liability to Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend Customer’s access to the Services, and (c) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Services, and Customer shall pay to Processor all the amounts owed to Processor or outstanding prior to the date of termination. Customer will have no further claims against Processor (including, without limitation, requesting refunds for Services) pursuant to the termination of the Agreement and the DPA as described in this paragraph.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (appendix)(Details of Processing) to this DPA.
2.5 Sensitive Data. The Parties agree that the Services are not intended for the Processing of Sensitive Data, and that if Customer wishes to use the Services to Process Sensitive Data, it must first obtain the Processor’s explicit prior written consent and enter into any additional agreements as may be required by Chime.
2.6 CCPA Standard of Care; No Sale of Personal Information. Processor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Processor provides to Customer under the Agreement. Processor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer’s behalf, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement and this DPA. Processor certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information Processed hereunder without Customer’s prior written consent, nor take any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” such Personal Information under the CCPA.
-
Data Subject Requests
Processor shall, to the extent legally permitted, notify Customer or refer Data Subject or Consumer to Customer, if Processor receives a request from a Data Subject or Consumer to exercise their rights (to the extent available to them under applicable Data Protection Laws) of access, right to rectification, restriction of Processing, erasure, data portability, objection to the Processing, their right not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against (“ Data Subject Request”). Taking into account the nature of the Processing, Processor shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Processor may advise Data Subjects on available features for self-exercising their Data Subject Requests through the Platform (where appropriate), and/or refer Data Subject Requests received, and the Data Subjects making them, directly to the Customer for its treatment of such requests.
-
Sub-Processors
4.1 Appointment of Sub-processors.
Customer acknowledges and agrees that (a) Processor’s Affiliates may be engaged as Sub-processors; and (b) Processor and Processor’s Affiliates on behalf of Processor may each engage third-party Sub-processors in connection with the provision of the Services.
4.2 List of Current Sub-processors and Notification of New Sub-processors.
4.2.1Processor makes available to Customer the current list of Sub-Processors used by Processor to process Personal Data via www.monday.com/terms/subprocessors . Such Sub-processor list includes the identities of those Sub-processors and the entity’s country (“ Sub-Processor List”). The Sub-Processor List as of the date of first use of the Services by Customer is hereby deemed authorized upon first use of the Services. Customer may reasonably object to Processor’s use of an existing Sub-processor for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by providing a written objection to legal@monday.com within three (3) business days following the first use of the Services. In the event Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentence, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those elements of the Services which cannot be provided by Processor without the use of the objected-to Sub-processor, by providing written notice to Processor; provided that all amounts outstanding under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Processor. Customer will have no further claims against Processor due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph.
4.2.2 Processor’s webpage accessible via www.monday.com/terms/subprocessors offers a mechanism to subscribe to notifications of new Sub-processors used to Process Personal Data, to which Customer shall subscribe, and when Customer subscribes, Processor shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
4.3 Objection Right for new Sub-processors
Customer may reasonably object to Processor’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Processor promptly in writing within seven (7) days after receipt of a Processor notification in accordance with the mechanism set out in Section 4.2.2. Such written objection shall include the reasons for objecting to Processor’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within seven (7) days following Processor’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Processor is unable to make available such change within sixty (60) days, Customer may, as a sole remedy, terminate the Agreement and this DPA with respect only to those elements of the Services which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to Processor. All amounts outstanding under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Processor. Until a decision is made regarding the new Sub-processor, Processor may temporarily suspend the Processing of the affected Personal Data and/or suspend access to the Services. Customer will have no further claims against Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
-
Data Transfer-cross border
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by Chime, Inc. in the United States and to other jurisdictions where Chime Affiliates and Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
-
Delete or Return Of personal Data
Following termination of the Agreement and cessation of the Services, at the choice of Customer (indicated through the Platform or in written notification to Processor), Processor shall delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement, and Processor shall delete existing copies of such Personal Data unless Data Protection Laws require otherwise. To the extent authorized or required by applicable law, Processor may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
-
DATA INCIDENT MANAGEMENT AND NOTIFICATION
Processor maintains security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Processor on behalf of the Customer (a “ Data Incident”). Processor shall make reasonable efforts to identify and take those steps as Processor deems necessary and reasonable in order to remediate and/or mitigate the cause of such Data Incident to the extent the remediation and/or mitigation is within Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer, its Users or anyone who uses the Services on Customer’s behalf. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident which directly or indirectly identifies Processor (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Processor’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Customer shall provide Processor with reasonable prior written notice to provide Processor with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required.
-
Security and Audits
8.1 Controls for the Protection of Personal Data.
Processor shall maintain industry-standard technical and organizational measures for protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Security Documentation), as may be amended from time to time. Upon the Customer’s reasonable request, Processor will reasonably assist Customer, at Customer’s cost and subject to the provisions of Section 9.1(Data Protection) below.
8.2 Audits and Inspections.
Upon Customer’s 14 days prior written request at reasonable intervals (no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, Processor shall make available to Customer that is not a competitor of Processor (or Customer’s independent, reputable, third-party auditor that is not a competitor of Processor and not in conflict with Processor, subject to their confidentiality and non-compete undertakings) information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Processor’s prior written approval. Upon Processor’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by Processor in the context of the audit and/or the inspection). If and to the extent that the Standard Contractual Clauses apply, nothing in this Section 6.2 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses.
8.3 In the event of an audit or inspections as set forth above, Customer shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, minimize) any damage, injury or disruption to Processor’s premises, equipment, personnel and business, as applicable, while conducting such audit or inspection.
8.4 The audit rights set forth in 8.2 above, shall only apply to the extent that the Agreement does not otherwise provide Customer with audit rights that meet the relevant requirements of Data Protection Laws
-
General Provisions
9.1 Data Protection Impact Assessment and Prior Consultation.
Upon Customer’s reasonable request, Processor shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Processor. Processor shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 9.1, to the extent required under the Data Protection Laws, as applicable.
9.2 Modifications.
Each Party may by at least forty-five (45) calendar days’ prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in any Data Protection Laws to allow Processing of Customer Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. Pursuant to such notice: (a) the Parties shall use commercially reasonable efforts to accommodate such required modification; and (b) Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein at Customer’s request. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s or Processor’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then Customer or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement or DPA to the extent that it relates to the elements of the Services which are affected by the proposed variations (or lack thereof). Customer will have no further claims against Processor (including, without limitation, requesting refunds for the Services) pursuant to the termination of the Agreement and the DPA as described in this Section.
-
Parties to this DPA
a. Permitted Affiliates. By signing the Agreement, you enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer”, “you” and “your” will include you and such Permitted Affiliates.
b. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
c. Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.
d. Other rights. The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.
Appendix
Annex 1 – Details of Processing
Nature and Purpose of Processing
1. Providing the Services to Customer;
2. Performing the Agreement, this DPA and/or other contracts executed by the Parties;
3. Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;
4. Sharing Personal Data with third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Services and such third party services);
5. Complying with applicable laws and regulations;
6. All tasks related with any of the above.
Duration of Processing
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.
Categories of Data Subjects
Customer may submit Personal Data to the Services which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
● Employees, agents, advisors, freelancers of Customer (who are natural persons)
● Prospects, customers, business partners and vendors of Customer (who are natural persons)
● Employees or contact persons of Customer’s prospects, customers, business partners and vendors
● Any other third party individual with whom Customer decides to communicate through the Services.
Processing Activities.
1. Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:
(a) the provision of programmable communication products and services, primarily offered in the form of application programming interfaces (APIs), to Customer, including transmittal to or from Customer’s software applications, services and designated third parties as directed by customer, from or to the publicly-switched telephone network (PSTN) or by way of other communications networks. Storage of personal data on Twilio’s network.
(b) the provision of products and services which allow the transmission and delivery of email communications on behalf of Customer to its recipients. Twilio will also provide Customer with analytic reports regarding the email communications it sends on Customer’s behalf. Storage of personal data on Twilio’s network.
(c) the provision of products and services which allow Customers to integrate, manage and control their data relating to end users. Storage of personal data on Twilio’s network.
2. Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.
3. Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the Services.
Annex 2 – List of Sub-Processors
| Third Party Sub-Processor | Purpose | Applicable Service | Data Center Sub-Processor Location: |
| Amazon Web Services, Inc | Hosting & Infrastructure | Used as a on-demand cloud computing platforms and APIs | United States |
| Google, Inc. | Regional Data Processing | Data hosting provider | United States |
| Google reCAPTCHA | Form submission spam prevention | Used for HubSpot form submission spam prevention | United States |
| Google Dialogflow ES | Natrual Language Understanding | Used for Chime AI Assistant system | United States |
| Vonage, Inc | Calling functionality | Used as a service which allows Chime calling | United States |
| Bandwith, Inc | Messaging Functionality | Used as a service which allows Chime sending messages | United States |
| Beijing Qianxiang Wangjing Technology Development Co. Ltd | Research & Development | Research and Development of Chime software | People’s Republic of China |
| CommsEase | Online Chat Server | Used foe Chime Online Chat | People’s Republic of China |