Data Processing Agreement (for Customers subject to GDPR)
This Data Processing Agreement (“DPA”) forms part of the Master Agreement (as defined in the Product Terms) between the customer (the “Customer” or “you”) and the Yext company named therein (“Yext”), to reflect the parties’ agreement with regard to the processing of Personal Data (as defined herein). Capitalized terms used in this DPA and not otherwise defined have the meanings given to such terms in the Master Agreement or the Product Terms located here. To the extent that there is any conflict between this DPA, the Master Agreement, the Product Terms, or the Model Clauses, the provisions of the following documents (in order of precedence) shall prevail unless expressly agreed to otherwise: (a) the Model Clauses, (b) this DPA, (c) the Master Agreement, and (d) the Product Terms.
In this DPA, the following terms shall have the following meanings:
“Affiliate” means that an entity that (i) controls, (ii) is controlled by, or (iii) is under common control with Yext. An entity will be deemed to control another entity if it has the power to direct or cause direction of the management or policies of such entity, whether through the ownership or voting securities, by contract, or otherwise.
“Data Privacy Law” means applicable data protection legislation, including EU and Swiss Data Protection Law.
“EU and Swiss Data Protection Law” means Directives 95/46/EC and 2002/58/EC and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, supplements, re-enacts or consolidates any of them (including upon its coming into effect, the General Data Protection Regulation 2016/679 (“GDPR”) and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant Member State and Switzerland.
“Model Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries as set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (as amended or updated from time to time).
“Relevant Country” means all countries other than those within the European Economic Area (EEA), Switzerland and other countries, territories or specified sectors in respect of which an adequacy finding under EU and Swiss Data Protection Law has been given.
The terms “Controller“, “Data Subjects“, “Personal Data“, “Processing,” (and “Process” shall be construed accordingly), “Personal Data Breach“, “Processor” and “Supervisory Authority” shall have the meaning given to them by EU and Swiss Data Protection Law.
- You agree that you are the Controller in relation to the Personal Data of your customers (or in the case of an agency or reseller, your clients will be regarded as the data controller of the Personal Data of their customers) which may be provided to Yext in the course of providing the Products (“Customer Personal Data”). When providing the Products, Yext will act as the Processor.
- Yext will only Process the Customer Personal Data in accordance with your documented instructions as established in this DPA and the Master Agreement (including the Product Terms) and will not Process any Customer Personal Data for any other purpose unless required to by law in which case, where legally permitted, Yext shall inform you of such legal requirement before Processing. Where you are an agency or a reseller, you will ensure that your agreement with your clients contains the appropriate provisions to permit you to process their Customer Personal Data and to ensure that they have provided the appropriate consent to allow you to subcontract the Processing of Customer Personal Data to Yext and other sub-processors.
- The subject-matter of the data Processing is the provision of the Products and the Processing will be carried out until the date that Yext ceases to provide the Products to you. Your obligations and rights are as set out in the Master Agreement. Schedule 1 of this DPA sets out the nature and purpose of the Processing, the types of Personal Data Yext Processes and the categories of Data Subjects whose Personal Data is Processed.
- Yext will implement appropriate technical and organisational security measures (including ensuring that Yext personnel who are authorized to process the Customer Personal Data have committed themselves to appropriate confidentiality obligations) to ensure a level of security appropriate to the risks that are presented by the Processing of Customer Personal Data including those measures contained in applicable Data Privacy Laws.
- In case of a Personal Data Breach which may affect Customer Personal Data, Yext will notify you (in accordance with the email address we have on file) without undue delay after becoming aware of such Personal Data breach.
- Yext will provide such information and assistance to you as you may reasonably require (and within timescales reasonably specified) to allow you to comply with your obligations under applicable Data Privacy Law, including assisting you to: (i) comply with your own security obligations (ii) discharge your obligations to respond to requests for exercising Data Subjects’ rights; and, (iii) perform any data protection impact assessment and review any Processing operations to ensure that they are performed in accordance with the data protection impact assessment and to consult with the relevant supervisory authority (where applicable). Yext’s assistance pursuant to this provision shall be provided to you at your own cost and expense.
- Yext shall audit the security of the computers and computing environment that it uses in processing Customer Personal Data. This audit: (a) will be performed at least annually; (b) may be performed by independent third party security professionals at Yext’s selection and expense; (c) will be performed according to the SOC2, Type II standard; and (d) will result in the generation of an audit report (“Report”), which will be Yext’s Confidential Information. At your written request, Yext shall provide you with a confidential copy of the Report so that you can reasonably verify Yext’s compliance with the security obligations under this DPA.
- If you desire to change this instruction regarding exercising the audit right or the provision of information in order to demonstrate compliance with Article 28 of the GDPR then you have (at your cost and expense) the right to change this instruction, which shall be requested in writing, provided that Yext shall have no obligation to provide Confidential Information.
- Yext will notify you immediately if, in Yext’s opinion, it considers that an instruction from you under Clause 8 is in breach of any EU and Swiss Data Protection Law and Yext shall be entitled but not obliged to suspend execution of the instructions concerned, until you confirm such instructions in writing.
- After termination of the Master Agreement, Yext will, at your request, delete or return all Customer Personal Data, unless otherwise provided by law.
- You acknowledge and agree that Yext may retain appropriate Affiliates and other suitable third parties as sub-processors (all together “Sub-Processors”) in connection with the processing of Customer Personal Data, having imposed on such Sub-Processors in a written agreement, data protection obligations which are no less protective that those which are imposed on Yext under this Agreement. Yext will be liable to you for performance of such obligations by the Sub-Processors. A list of Sub-Processors is available at https://www.yext.com/terms/subprocessors/ as well as a mechanism that you agree to subscribe to in order to receive notifications of new Sub-Processors. You may object to Yext’s use of a new Sub-Processor by notifying Yext in writing within ten (10) days after receipt of a notification in accordance with the mechanism set out in the preceding sentence. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable EU and Swiss Data Protection Law. If, in Yext’s reasonable opinion, such objections are legitimate, Yext shall refrain from using such Sub-Processor in the context of the Processing of Customer Personal Data. In such cases, Yext shall use reasonable efforts to (i) make available to you a change in Yext’s Products or (ii) recommend a change to your configuration or use of the Products to avoid the processing of Customer Personal Data by the objected-to Sub-Processor. If Yext is unable to make available such change within a reasonable period of time, you may, by providing written notice to Yext, terminate the Products which cannot be provided by Yext without the use of the objected-to Sub-Processor by providing written notice to Yext. Yext will refund you any prepaid fees covering the remainder of the term of such Products following the effective date of termination with respect to such terminated Product.
- You acknowledge that as part of the Products, the Customer Personal Data will be stored in or accessed from the US or any other Relevant Country in which Yext’s Sub-Processors maintain facilities. In order to ensure that there is adequate protection for such data transfers as required under applicable EU and Swiss Data Protection Law, Yext, Inc. is self-certified under the EU/Swiss-US Privacy Shield Framework to the US Department of Commerce and the scope of the certification includes Customer Personal Data. Where Yext uses a Sub-Processor (other than Yext Inc) in a Relevant Country, it shall take steps to ensure that there is adequate protection in place for any such transfers as defined in the GDPR (which may include the use of Model Clauses).
DATA PROCESSING INFORMATION
The Personal Data transferred concern the following categories of Data Subjects:
If Customer subscribes to the Reviews product, individuals who submit reviews to Customer.
Categories of data
The Personal Data transferred concern the following categories of data:
Contact details, name, email, bio and title of Customer employees;
If Customer subscribes to the Reviews product, the name and email or mobile phone number of the individual submitting a review to Customer and the content of such review.
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data:
Yext does not intentionally collect or process any special categories of data in the provision of its Products and services. Customer agrees not to provide special categories of data to Yext at any time.
The Personal Data transferred will be subject to the following basic processing activities:
Provision of hosting, maintenance and support.