Famly Data Processing Agreement

This document applies to UK, DK, US and other countries which are not subject to other country specific terms.

Version 2.1

Effective from

15/6/2024

The Customer

(hereinafter “Customer”)

and

Famly ApS, Købmagergade 19, 2tv., 1150 Copenhagen, Denmark

(hereinafter “Famly”)

(each a “Party” and collectively the “Parties”)

have concluded this Data Processing Agreement (this “DPA”) regarding the Processor’s processing of personal data on behalf of the Customer.

This DPA is effective as of the date of the Agreement.

Definitions

Agreement” means the main agreement (terms and conditions and Famly Offer) entered into between the Customer and Famly as amended from time to time in accordance with its terms;

“Application Log” means the log used for storing access to Customer Data;

Applicable Data Protection Laws” means laws and regulations applicable to Famly’s Processing of Personal Data under the Agreement, including but not limited to (a) EEA Data Protection Laws, (b) UK Data Protection Laws, (c) CCPA and (d) Virginia Consumer Data Protection Act (as applicable);

Authorised Sub-Processors” means the Sub-Processors set out in Clause 6.2 as may be amended from time to time;

CCPA” means collectively the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any regulations promulgated thereunder; 

Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

Customer Data” means the Personal Data regarding individuals made available to Famly by or on behalf of the Customer, pursuant to the Agreement for Processing to provide the Services;

Customer Point of Contact” has the meaning given in Clause 16.3;

Data Breach” has the meaning given in Clause 11.1;

Data Centres” means the data centres used for hosting and storing of Customer Data on the Famly Platform;

Data Subject Request” has the meaning given in Clause 10.1; 

DPA” means this Data Processing Agreement, including any schedules attached or referred to and including any future written amendments and additions (as applicable);

GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EU;

"EEA” means the European Economic Area, and the countries which are party to the European Economic Area Treaty;

EEA Data Protection Laws” means all applicable laws and regulations relating to privacy and/or processing of Personal Data, including but not limited to the GDPR (as amended from time to time);

Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar term defined in Applicable Data Protection Laws;

Process” and inflections thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;

Services” means the Famly Platform services described and provided under the Agreement and in accordance with this Data Processing Agreement; 

Sub-Processor” has the meaning given in Clause 6.1;

UK Data Protection Laws” means all applicable privacy and data protection laws relating to the processing of Personal Data and the privacy of electronic communications including the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

UK GDPR” means the GDPR as amended and incorporated into UK law under the European Union (Withdrawal) Act 2018;

UK” means the United Kingdom;

Transfer Mechanism” means the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (processor to processor) as amended from time to time, the International Data Transfer Agreement (“IDTA”) issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 (effective from 21 March 2022), and/or the International Data Transfer Addendum (“Addendum”) issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 (effective from 21 March 2022).

The terms “Personal Data Breach” and “Supervisory Authority” shall have the same meaning as in the Applicable Data Protection Laws. 

All capitalized terms not otherwise defined herein shall have the meaning set out in the Agreement. 

Any reference to writing or written includes email. 


1. Background

1.1. The Parties have entered into the Agreement, where the Customer has engaged Famly to provide the Services. This DPA is incorporated by reference into the Agreement.

1.2. For the purposes of providing the Services under the Agreement, Famly will Process Customer Data throughout the Term of this DPA. This DPA applies to any and all activities associated with the Agreement, in whose scope Famly’s employees or agents Process the Customer Data on behalf of the Customer as set out in Clause 3.


2. Roles and Responsibilities 

2.1. The parties agree that the Customer is the Controller of the Customer Data and Famly is the Processor of the Customer Data, except where Famly acts as a Controller Processing Customer Data in accordance with Clause 2.3.

2.2. The Customer as Controller instructs Famly to perform the Processing activities detailed in this DPA. The Customer will, subsequently, be entitled to, in writing or in a machine-readable format (in text form), modify, amend or replace any individual instructions by issuing such instructions to the point of contact designated by Famly. Instructions not foreseen in or covered by this DPA must be treated as requests for changes to the DPA. The Customer must, without undue delay, confirm in writing or in text form any instruction issued orally.

2.3. Famly may Process some Customer Data for its own legitimate business purposes, as an independent Controller, solely when the Processing is strictly necessary and proportionate, for one of the following purposes:

   a. Providing access to the Platform (usernames and passwords of Authorised Users Processed);

   b. Invoicing, managing the Customer relationship and corresponding with the Customer (name, email address, phone number, title of Admin User and Staff User Processed);

   c. Monitoring, preventing and detecting misuse or fraudulent activity on the Platform; 

   d. Analysing, developing and improving the Platform and services for the benefit of both the Customer and Famly, and collecting benchmarking data to provide insight into the usage of the Platform (data will be aggregated and pseudonymised, or anonymised where possible).

When acting as an independent Controller, Famly will not Process Customer Data for any purpose other than the above list of legitimate business purposes. Any such Processing activity will be further stipulated in the Famly Privacy Policy.


3. Scope and Specification of Processing

3.1. The subject matter and nature of Processing of Customer Data by Famly is the performance of the Services pursuant to the Agreement and the purposes set forth in this DPA. The Customer and/or its Authorised Users upload the Customer Data to the Platform, and the types of Customer Data Processed depend on the Customer use of the Services. The purpose of Processing, the types of Customer Data and categories of Data Subjects that may be Processed under this DPA is further specified in the table below:

Type of Customer Data
Purpose (subject matter) of processing
Categories of Data Subjects Affected
Basic data (such as name, date of birth, birthplace, social security number, gender, languages, dietary considerations etc.)
Ensure that the Customer has all relevant information about the child to run the business and to comply with regulatory requirements.
Children
Sensitive data (such as religion, ethnicity, allergies, vaccines, medicines, injuries/accident reports)
Ensure that the Customer has all relevant information about the child to run the business and to comply with regulatory requirements.
Children
Attendance data (such as sick days, holidays, sign in/out data etc.)
To store attendance data and create attendance reports.
Children
Activity data (such as details of learning or development activity etc.)
To be able to digitally track the child's activities, e. g. sleeping, trips, eating, learning.
Children
Photos and files
To share photos of children and other necessary files, that may contain Customer Data, with the parents/guardians. Employees may possibly be in photos.
Children, Employees
Contact Details (such as name, address, email address, phone number)
Ensure that the parents can be contacted.
Parents/guardians/other family member
Financial Information (such as bank account details, invoices etc.)
For the Customer to be able to store relevant financial information in one place, to then be able to issue invoices etc.
Parents/guardians/other family member
Employee Details (such as name, address, email address, phone number, date of birth, qualifications and certificates, next of kin information etc.)
To keep records of employees, to contact them and store emergency details
Customer Employees
Attendance data (sick days and holidays)
To store attendance data and create attendance reports.
Customer Employees
Any Customer Data or other personal data included in notes or shared in private or team messages via the Platform.
Necessary for the Customers to utilize the Platform features.
Customer Employees, Parents/guardians/other family members, children
Any Customer Data or other personal data shared with Famly Customer Advisory team
Necessary to provide support services.
Customer Employees, Parents/guardians/other family members, children
Certain payer information (name, email, address, payment method, last 4 digits of card number, expiration date, one-time payment or future payment set up) and any documentation containing personal data in relation to payment disputes.
Necessary to provide the in-app payment services, and to allow the payer to see and manage their payment methods, and assist with payment disputes.
Parents/guardians who make payments via the in-app payments feature.

3.2. Annex 2 (California Consumer Privacy Act) to this DPA applies only if and to the extent Famly’s Processing of Customer Data under the Agreement is subject to the CCPA with respect to which Customer is a “business” as defined in the CCPA.

3.3. The duration of Processing is for the period determined in accordance with the Agreement and DPA, including Clauses 8-9.


4. Famly’s Obligations 

4.1. Compliance with documented instructions. Except where expressly permitted by the Applicable Data Protection Laws or as otherwise required by law, Famly will Process Customer Data as Processor only insofar as it is absolutely necessary for the purpose of the performance of the Agreement, and solely in accordance with the Customer’s instructions in this DPA and the Applicable Data Protection Laws. 

4.2. Objection to instructions. If Famly believes that an instruction violates the Applicable Data Protection Laws, Famly will notify the Customer of such belief without undue delay. Famly is entitled to suspend performance on such instruction until the Customer confirms or modifies such instruction.

4.3. Technical and organisational measures. Famly is responsible for implementing technical and organisational measures to ensure the adequate protection of the Customer Data, which measures must fulfil the requirements of the Applicable Data Protection Laws and ensure ongoing security, confidentiality, integrity, availability and resilience of processing systems and Services. Such measures are described in Annex 1 of this DPA. Famly reserves the right to modify the measures and safeguards implemented, provided that the level of security is not less protective than initially agreed upon. In the event of considerable changes to the measures, Famly shall notify the Customer of the changes. 

Famly warrants that the company fulfils its obligations under Applicable Data Protection Laws to implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

4.4. Confidentiality. Famly will keep the Customer Data confidential. This obligation persists without time limitation and will survive the termination or expiration of the Agreement and this DPA. Famly warrants that the Customer Data is only disclosed to persons authorised to Process the Customer Data on a need-to-know basis (including employees). Famly warrants that all employees involved in Processing of the Customer Data and other such persons as may be involved in Processing within Famly’s scope of responsibility are prohibited from Processing Customer Data outside the scope of the Customer instructions. Furthermore, Famly warrants that any person entitled to Process the Customer Data has undertaken a commitment to confidentiality or is subject to an appropriate statutory obligation to confidentiality.

4.5. Deletion, correction or return of Customer Data. Famly must correct or erase Customer Data if so instructed by the Customer and permitted under Applicable Data Protection Laws. Where an erasure request relating to Customer Data, consistent with Applicable Data Protection Laws or a corresponding restriction of Processing is impossible, Famly will, based on the Customer’s instructions, and unless agreed upon differently in the Agreement, destroy or otherwise put out of use if so instructed, in compliance with Applicable Data Protection Laws, all Customer Data or return the same to the Customer.

4.6. Defence support. Where a Data Subject asserts any claims against the Customer as permitted by Applicable Data Protection Laws, Famly will provide all reasonable assistance to the Customer in defending against such claims. 


5. The Customer’s Obligations

5.1. Compliance with Applicable Data Protection Laws. The Customer is solely responsible for compliance with the Applicable Data Protection Laws, including but not limited, to the lawfulness of disclosing Customer Data to Famly and the lawfulness of having the Customer Data Processed by Famly on behalf of the Customer. The Customer warrants that it is lawfully authorised to Process and disclose the Customer Data to Famly. The Customer is responsible for maintaining and updating its respective privacy policy, notices and statements, including to mention Famly in it as its’ Processor.

5.2. Technical and organisational measures. The Customer is familiar with the technical and organisational measures set out in Annex 1, and it shall be the Customer’s responsibility that such measures ensure a level of security appropriate to the risk.

5.3. Defence support. Clause 4.6 above will apply, mutatis mutandis, to claims asserted by Data Subjects against Famly in accordance with Applicable Data Protection Laws.


6. Sub-Processing

6.1. Customer generally authorises Famly to appoint Sub-Processors in accordance with this Clause 6. The Customer acknowledges that Famly uses subcontractors that act as Sub-Processors on behalf of the Customer (“Sub-Processor”).

6.2. The Customer agrees that the following Sub-Processors are authorised for the purpose of the Processing of the Customer Data under this DPA, giving affirmative consent thereto:

Authorised Sub-processors
Sub-Processor
Location of Processing
Description of subcontracted service
Customer Data Processed
Amazon Web Services Inc.
Germany and very limited processing in Ireland
Data Centre for hosting of the Platform
All types and categories of Customer Data set out in Clause 3.1.
Rsync.net Inc.
Zürich, Switzerland
For back up. All data is encrypted by Famly with a private key before being transferred to the provider for backup storage. The provider does not hold a key to decrypt the data.
All types and categories of Customer Data set out in Clause 3.1.
Intercom Inc.
Northern Virginia, USA
Used for handling Famly’s written customer support interactions. Intercom’s AI tool, Fin, is enabled. Processing is subject to a data processing agreement that includes the appropriate Transfer Mechanism.
Very limited Processing activities. Only contact details (name, email) of the person requesting for assistance, and any Customer Data (such as documentation) shared by such person in the support chat function.
Planhat AB
Sweden and Ireland
For customer success and support services
Name and email addresses of Authorised Users.
Google Cloud EMEA Limited (This Sub-Processor is an Authorised Sub-Processor if the Customer has the Translation Feature enabled)
EU region
Translation services as per the Additional Product Terms
Customer Data that may be included in Newsfeeds, including Observation posts, on the Platform which Family User translates
Stripe Payments Europe Ltd., or Stripe Inc., only if the Customer is located in the US, (this Sub-processor is an Authorised Sub-Processor if the Customer makes use of the in-app payments feature)
The United States
Payment processing as per the Additional Product Terms.
Data transmitted from Famly to Stripe includes payer details (name, email, address, other data as necessary for payment processing), documentation (which may contain personal data) provided by the Customer to Famly in relation to payment disputes, and potential documents relating to KYC and AML regulations. Famly does NOT process the full credit card number, such information is transmitted directly to Stripe and is subject to the terms between the Customer and Stripe.
Zoom Video Communications Inc.
The United States but recordings are stored in Germany.
Used to communicate with customers via video call. Video calls may be recorded, such as if the Customer wishes to share it internally for training purposes.
Name of Staff Users, and potentially other Customer Data shared by such person via video call.
Dialpad Inc.
The United States, but recordings are stored in the EU region.
Used to provide customer support via phone. Famly may request to record and/or transcribe phone calls for quality and training purposes upon explicit consent. In such cases Famly is acting as the controller. Processing is subject to a data processing agreement that includes the appropriate Transfer Mechanism. Furthermore, Dialpad is a certified organisation under the EU-US Data Privacy Framework.
Name of Staff Users, and potentially other Customer Data shared by such person via phone call.
Joincube, Inc. ("Beamer")
The United States
Used to communicate with users when updates are made to the platform, and to gather feedback on those updates. Very limited information is processed by Beamer. Processing is subject to a data processing agreement that includes the appropriate Transfer Mechanism
Full name, email and UID of users submitting feedback
Twilio Ireland Ltd.
The United States
Used to notify Parents of newsfeed posts and messages marked for notification by SMS by Customer representatives, as per the Additional Product Terms. Processing is subject to a data processing agreement that includes the appropriate Transfer Mechanism
Full name, phone number of Parents. Any Personal Data included in a relevant newsfeed post or message.
CircleCo, Inc. (this Sub-processor is an Authorised Sub-Processor only if the Customer elects to participate in Village)
The United States
Used to provide Village, as per the Additional Product Terms. Processing is subject to a data processing agreement that includes the appropriate Transfer Mechanism.
Full name, email and any data entered by users into Village.
OpenAI OpCo, LLC (this Sub-processor is an Authorised Sub-Processor only if the Customer has AI features made available on the Platform enabled)
The United States
Used to offer AI features on the Platform via OpenAI API, as per the Additional Product Terms. Processing is subject to a data processing agreement that includes the appropriate Transfer Mechanism.
Any Customer Data which is used by an AI feature to provide generative outputs, such as rephrasing of text, summaries of information in the Platform, recommendations, etc.
Famly Inc.
Washington DC, USA
Subsidiary of Famly ApS. Customer Data may be accessible to a limited number of employees in order for them to provide EU/UK customers with support services. The Customer Data is only accessible to them and it is NOT being transferred to a server in the USA.
All types and categories of Customer Data set out in Clause 3.1.
Famly Ltd.
United Kingdom
Subsidiary of Famly ApS. Customer Data may be accessible to a limited number of employees in order for them to provide EU/UK customer with support services. The Customer Data is only accessible to them and it is NOT being transferred to a server in the United Kingdom.
All types and categories of Customer Data set out in Clause 3.1.

Twilio has Binding Corporate Rules (BCRs) approved by a Supervisory Authority within the EU, meaning that it is bound by GDPR across all of its operations, globally. Its approved processor BCRs require it to handle the data of third-party Controllers located in the EU compliantly with the GDPR.

6.3. Famly will, prior to the use of new Sub-Processor or a replacement of Sub-Processor, inform the Customer Point of Contact thereof with at least thirty (30) days’ prior written notice. The Customer is entitled to object in writing within ten (10) days after receipt of the notice from Famly, provided that such objection is based on reasonable grounds relating to data protection. Famly will evaluate the concerns and discuss possible solutions with the Customer. If these solutions are not reasonably possible in Famly’s discretion and the Customer continues to not approve the change (such approval may not be unreasonably withheld), the Customer may terminate the Agreement by giving fourteen (14) days’ written notice after having received Famly’s aforementioned decision. If the Customer does not terminate the Agreement within this timeframe, the Customer is deemed to have accepted the respective Sub-Processor. The Customer will receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated services. No other claims of the Customer against Famly or of Famly against the Customer may be based on such termination.

6.4. The Customer accepts that an exchange of a Sub-Processor may be required in cases where the reason for the change is outside of Famly’s reasonable control (so-called emergency replacement). Famly will notify the Customer of such change. If the Customer reasonably objects to the use of this Sub-Processor, the Customer may exercise its right to terminate the Agreement as described in the Clause above.

6.5. Where Famly commissions Sub-Processors, Famly is responsible for ensuring that Famly’s obligations on data protection resulting from the Agreement and this DPA are, to the extent applicable to the nature of the services provided by such Sub-Processor, valid and binding upon subcontracting. Famly will enter into written agreement and will restrict the Sub-Processor (and any new Sub-Processors) access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Agreement and this DPA. 


7. Location of Customer Data and Transfer to Third Countries

7.1. The location(s) of the Customer Data is set out in Clause 6.2 above.

7.2. Subject to Authorised Sub-processors in Clause 6.2, Famly will not transfer the Customer Data outside the EEA or the UK without following the notification and objection process set out in Clause 6.3.

7.3. Famly may not transfer Customer Data outside the EEA or the UK unless adequate protection of the Customer Data in the receiving country is secured. In the absence of an adequacy decision pursuant to Applicable Data Protection Laws, adequate protection in the receiving country (“third country”) shall be secured following the undertaking by Famly of a transfer risk assessment/transfer impact assessment (under UK / EU law as applicable to the Customer), through the implementation, and negotiation if applicable, of an agreement incorporating the appropriate Transfer Mechanism. If the Transfer Mechanism is insufficient to safeguard the transferred Customer Data, supplementary measures will be implemented to ensure the Customer Data is protected to the same standard as required under Applicable Data Protection Laws.


8. Customer Data Retention

8.1. Customer Data on the Famly Platform is retained until 60 days following the termination of the Agreement or until deletion is specifically requested by the Customer, or unless otherwise mentioned in Clause 8.2. 

8.2. Customer Data processed by the following Authorised Sub-Processor, is generally retained as set out below:

   a. Intercom Inc.: Contact details of Customer employee is retained for 360 days as of the last interaction with Famly support team or if the Customer employee is not an active Customer employee for 30 days. Support ticket/message are retained for 360 days as of the date it was received by Famly.

   b. Rsync.net Inc.: Customer Data backups is retained for 30 days from the date of each backup. 

   c. Google Cloud EMEA Limited: texts, which may contain Customer Data, sent to translation are held briefly in-memory in order to perform the translation and deliver the results. The translation is then retained for maximum 30 days on Famly server at AWS.

   d. Zoom Video Communications Inc.: Customer Data shared during a video call is Processed for the duration of the video call. Such calls may be recorded if the Customer wishes and agrees, and are retained for 90 days.

  e. Dialpad Inc.: Customer Data communicated by the Customer during a phone call is Processed for the duration of the phone call, unless otherwise mentioned in the Famly Privacy Policy (in the event Famly acts as an independent controller).

   f. OpenAI OpCo LLC: Customer Data is retained by OpenAI for 30 days.

   g. Beamer: Customer Data is retained for 60 days.

   h. Twilio Ireland Limited: Customer Data chosen to be sent is retained by Twilio for 365 days.

   i. CircleCo, Inc.: Customer Data is deleted within 30 days of expiry of Famly’s agreement with Circle, or upon request.


9. Term, Termination and Return or Deletion of Customer Data

9.1. This DPA and Processing will continue in force until 60 days after the termination of the Agreement, except where this DPA stipulates obligations beyond the term of the Agreement.

9.2. Within 60 days following the termination of the Agreement, Famly shall, upon the Customer’s instructions, return all Customer Data to the Customer or delete the same, unless required otherwise by the Applicable Data Protection Laws. The Customer Data shall be irreversibly deleted and cannot be retrieved and provided to the Customer after such 60 days. In specific cases designated by the Customer, Customer Data will be stored. The associated remuneration and protective measures will be agreed upon separately, unless already agreed upon in the Agreement.


10. Data Subject Request

10.1. Where a Data Subject asserts claims for rectification, erasure, objection or access (“Data Subject Request”) against Famly, and where Famly is able to correlate the Data Subject to the Customer, based on the information provided by the Data Subject, Famly will refer such Data Subject to contact the Customer directly. 

10.2. Famly will, based upon the Customer’s instructions, support the Customer to the extent reasonably possible in fulfilling a Data Subject Request, where the Customer cannot do so without Famly’s assistance. Famly will not be liable in cases where the Customer fails to respond to the Data Subject’s request in total, correctly, or in a timely manner.


11. Data Breaches 

11.1. Famly will notify the Customer without undue delay, and in any event within 48 hours of becoming aware of any unauthorised or unlawful Processing, alteration, loss, destruction or disclosure of, or damage or access to the Customer Data within Famly’s scope of responsibility, on any Sub-Processor that may be Processing Customer Data on its behalf (“Data Breach”). Famly will implement the measures necessary for securing Customer Data and for mitigating potential negative consequences for the Data Subject. Famly will coordinate such efforts with the Customer without undue delay.

11.2. Famly will support the Customer, to the extent reasonably possible and only where the Customer cannot do so without Famly’s assistance, in communicating Data Breaches to the affected Data Subjects and notifying Data Breaches to the applicable authorities as required by Applicable Data Protection Laws (provided that this support does not result in any breach of Famly’s confidentiality obligations towards third parties).


12. Data Protection Impact Assessment and Consultation with Supervisory Authorities

To the extent that the required information is available to Famly, and the Customer does not otherwise have access to the required information, Famly will, upon written request, provide reasonable assistance to the Customer with any data protection impact assessment, and prior consultations with applicable Supervisory Authorities or the extent required under Applicable Data Protection Laws.


13. Audits

13.1. Famly will on an annual basis undergo an independent external audit of information security and measures pursuant to this DPA. Famly will document Famly’s compliance with the technical and organisational measures agreed upon in this DPA by appropriate measures.

13.2. To the extent required under the Applicable Data Protection Laws and upon the Customer written request, Famly will provide the Customer with a summary of independent external audit report with sufficient information to enable the Customer to reasonably verify that Famly’s compliance with its obligations under this DPA, including that Famly has implemented the technical and organisational security measures described in Annex 1. The documentation is Famly’s confidential information and must be treated as such.

13.3. The Customer agrees to exercise its audit right by instructing Famly to share the audit report summary as described in clause 13.2 of this DPA. If the Customer reasonably concludes that  an onsite audit is necessary to monitor the compliance with the technical and organisational measures in an individual case or compliance with this DPA, the Customer has the right to carry out respective onsite inspections in individual cases or to have them carried out by an auditor (that is no competitor of Famly) provided that the Customer informs Famly of this with at least 30 days notice and that such audits and inspections will be conducted (i) during regular business hours, and (ii) without disproportionately interfering with Famly’ business operations, (iii) upon prior reasonable notice and further consultation with Famly, (iv) all subject to (if not covered already by the Agreement) the execution of a confidentiality undertaking, in particular to protect the confidentiality of the technical and organisational measures and safeguards implemented. 

13.4. In case of an onsite audit the Customer will bear its own expenses and compensate Famly the cost for its internal resources required to conduct the onsite audit (based on time and material according to the then current price list). If the audit reveals that Famly has breached its obligations under the Agreement or this DPA, Famly will promptly remedy the breach at its own cost and refund any payments made by the Customer towards the cost of Famly’s internal resources related to the Customer onsite audit.


14. Limitations of Liability

14.1. Famly is only liable for data protection losses, costs and expenses incurred as a result of i) Famly not complying with its obligations under this DPA; ii) Famly not complying with its Processor obligations under the Applicable Data Protection Laws; or iii) Famly’s Authorised Sub-Processor not complying with its data protection obligations (whether imposed under contract to Famly or by Applicable Data Protection Laws). 

14.2. Each Party’s total aggregate liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in section 13 of the Agreement, unless otherwise agreed. 

14.3. Subject to clause 14.1 and 14.2, each party (the “Indemnifying Party”) will indemnify the other Party (the “Indemnified Party”) against all claims and proceedings and all liability, loss, costs and expenses incurred by the Indemnified Party as a result of any claim made or brought by a Data Subject or other legal person in respect of any loss, damage or distress caused to them, or any fine imposed by a regulatory authority, as a result of any breach of the Applicable Data Protection Laws by the Indemnifying Party, its employees or agents, provided that the Indemnified Party gives to the Indemnifying Party prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend or settle it.


15. Obligations to Inform, Amendments & Data Protection Officer

15.1. Where the Customer Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Famly’s control, Famly will notify the Customer of such action without undue delay and follow the Customer’s reasonable instructions to preserve the confidentiality of the Customer Data. Famly will, without undue delay, notify to all pertinent parties in such action, that any Customer Data affected thereby is in the Customer’s sole property and area of responsibility, that Customer Data is at the Customer’s sole disposition, and that the Customer is the responsible body pursuant to the Applicable Data Protection Laws.

15.2. Clause 19 of the Agreement regarding Famly‘s right to amend the terms of the Agreement applies to changes to this DPA as this DPA forms part of the Agreement. For the avoidance of doubt, this does not apply to notifications of new Sub-Processors under Clause 6.3.

15.3. Famly has appointed a Data Protection Officer, who is responsible for matters relating to privacy and data protection. This Data Protection Officer can be reached at the following address:

Attn. Data Protection Officer
Købmagergade 19, 2. tv.
1150 Copenhagen K
Denmark
privacy@famly.co


16. Point of Contact 

16.1. The Parties must notify each other of a point of contact for any issues related to data protection arising out of or in connection with the Agreement and this DPA.

16.2. For any such matters, the Customer can reach out to the Famly Security & Privacy Team at privacy@famly.co.

16.3. The Customer will inform Famly of its point of contact (“Customer Point of Contact”). Such contact shall be the main point of contact when Famly is assisting with Data Subject Requests, informing of Data Breaches, and informing the Customer of new Sub-Processors or amendments to this DPA.  


17. Entire Agreement

17.1. Except as amended by this DPA, the Agreement will remain in full force and effect. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.

17.2. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (i) any Transfer Mechanism, (ii) Annex 2 (California Consumer Privacy Act), (iii) Annex 3 (Texas Data Privacy and Security Act), (iv) Annex 4 (Supplemental Clauses), (v) this DPA, and (vi) the Agreement.


18. Precedence, Governing Law & Dispute Resolution

Section 24 of the Agreement (Precedence, Governing Law and Dispute Resolution) shall apply to this DPA.


Annex 1 - Technical and Organisational Security Measures

Famly has in place certain technical and organisational security measures to ensure compliance with the Applicable Data Protection Laws. Those measures are set in place to prevent improper destruction, alteration, disclosure, access, and other improper form of processing of Customer Data. The measures form part of this Annex 1 and are available here.


Annex 2 - California Consumer Privacy Act

1. Definitions. CCPA and other capitalized terms not defined in this Schedule are defined in the DPA.

     1.1. “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA.

     1.2. The definition of “Data Subject” includes “consumer” and “household” as defined in the CCPA.

     1.3. The definition of “Controller” includes “business” as defined in the CCPA.

     1. 4. The definition of “Processor” includes “service provider” as defined in the CCPA.

2. Obligations.

     2.1. Customer is providing the Customer Data to Famly under this Agreement for the limited and specific business purposes described in Clause 3 (Scope and Specification of Processing) and otherwise defined in the Agreement.

     2.2. Famly will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Data as is required by the CCPA.

     2.3. Famly acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Clause 13 (Audits) of this DPA to help to ensure that Famly’s use of Customer Data is consistent with Customer’s obligations under the CCPA, (ii) receive from Famly notice and assistance under Clause 10 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA and (iii) upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

     2. 4. Famly will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.

     2. 5. Famly will not retain, use, or disclose Customer Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Clause 2.1 of this Annex 2 (California Annex) or (ii) outside of the direct business relationship between Famly with Customer, except, in either case, where and to the extent permitted by the CCPA.

     2. 6. Famly will not sell or share Customer Data.

     2. 7. Famly will not combine Customer Data with other personal information except to the extent the CCPA expressly permits a service provider to do so.


Annex 3 – Texas Data Privacy and Security Act

This Annex 3 forms a part of the Data Processing Agreement (DPA) between Famly and Customer, for Customers located in Texas.

1. Definitions For the purposes of this Annex, the terms used herein shall have the same meanings as defined in the Texas Data Privacy and Security Act (TDPSA), unless otherwise specified.

2. Scope and Application The obligations set out in this Annex shall apply to the processing of personal data as defined under the TDPSA. The data subjects are residents of the State of Texas, and the processing activities are subject to the TDPSA.

3. Data Processor Obligations some text

  1. Data Security: The Data Processor shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal data from unauthorized access, destruction, use, modification, or disclosure. 
  2. Data Breach Notification: In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, the Data Processor shall promptly notify the Data Controller without undue delay and, where feasible, not later than 72 hours after becoming aware of it. 
  3. Data Rights Compliance: The Data Processor shall assist the Data Controller in fulfilling data subject rights under the TDPSA including access, correction, deletion, and data portability requests. 
  4. Audits and Inspections: The Data Processor agrees to submit to audits and inspections by the Data Controller and provide the Data Controller with whatever information it needs to ensure that both parties are meeting their Article 28 obligations.

4. Subprocessors The Data Processor may not engage another processor (Subprocessor) without prior specific or general written authorization of the Data Controller. In the case of general written authorization, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes per Section 6 of the DPA.

5. Data Transfer The transfer of personal data outside the geographic boundaries of the State of Texas shall be conducted in compliance with the TDPSA and applicable laws regarding data privacy and security.

6. Termination Upon termination of the data processing services, the Data Processor shall, at the choice of the Data Controller, delete or return all the personal data to the Data Controller, and delete existing copies unless legislation requires storage of the personal data.

7. Modification This Annex may be modified or updated periodically to remain in compliance with the Texas Data Privacy and Security Act and other relevant laws. Any such modifications will be communicated to the Data Controller in a timely manner.


Annex 4 – Supplemental Clauses to the SCCs & UK Addendum

1. Personal Data will be encrypted both in transit and at rest using industry standard encryption technology.

2. Famly will resist, to the extent permitted by Law, any request under Section 702 of Foreign Intelligence Surveillance Act (“FISA”).

3. Famly will use reasonably available legal mechanisms to challenge any demands for data access through the national security process that it may receive in relation to Customer’s data.

4. No later than the date on which your acceptance of the DPA becomes effective, Famly will notify you of any binding legal demand for the Personal Data it has received, including national security orders and directives, which will encompass any process issued under Section 702 of FISA, unless prohibited under Law.

5. Famly will ensure that its data protection officer has oversight of Famly's and its Affiliates’ approach to international data transfers.