Data Processing Agreement (for Customers subject to European Data Protection Laws including Switzerland and United Kingdom)

This Data Processing Agreement (“DPA”) forms part of the Master Agreement (as defined in the Product Terms) between the customer, agency or reseller (the “Customer” or “you”) and the Yext company named therein (“Yext”), to reflect the parties’ agreement with regard to the processing of Personal Data (as defined herein). Capitalized terms used in this DPA and not otherwise defined have the meanings given to such terms in the Master Agreement or the Product Terms located here. To the extent that there is any conflict between this DPA, the Master Agreement, the Product Terms, or the Model Clauses, the provisions of the following documents (in order of precedence) shall prevail unless expressly agreed to otherwise: (a) the Model Clauses, (b) this DPA, (c) the Master Agreement, and (d) the Product Terms.

In this DPA, the following terms shall have the following meanings:

“Affiliate” means that an entity that (i) controls, (ii) is controlled by, or (iii) is under common control with Yext. An entity will be deemed to control another entity if it has the power to direct or cause direction of the management or policies of such entity, whether through the ownership or voting securities, by contract, or otherwise.

“Data Privacy Law” means Directive 2002/58/EC, the General Data Protection Regulation 2016/679 (“GDPR”) and any legislation and/or regulation implementing or made pursuant to, or which amends, replaces, supplements, re-enacts or consolidates them and all other applicable laws relating to the Processing of Personal Data and privacy that may exist in an relevant jurisdiction

“Model Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries as set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (as amended or updated from time to time).

“Relevant Country” means all countries other than those within the European Economic Area (EEA), Switzerland and other countries, territories or specified sectors in respect of which an adequacy finding under applicable Data Privacy Law has been given.

The terms “Controller“, “Data Subjects“, “Personal Data“, “Processing,” (and “Process” shall be construed accordingly), “Personal Data Breach“, “Processor” and “Supervisory Authority” shall have the meaning given to them by applicable Data Privacy Law.

1. You agree that you are a Controller in relation to the Personal Data of your end customers and employees (or in the case of an agency or reseller, your clients will be regarded as the Controller of the Personal Data of their end customers and employees) which is provided to or generated by Yext (or the agency or reseller) in the course of providing the Products (“Customer Personal Data”).
2. You acknowledge that Yext (or in the case of an agency or reseller, the agency or reseller, as applicable) requires certain Customer Personal Data to set up and manage the Customer account and relationship. Yext (or the agency or reseller, as applicable) will Process such Customer Personal Data as Controller.
3. When Processing Customer Personal Data in the context of providing Listings, Reviews or other Products such as Events, Answers, Knowledge Tags and Pages (including in respect of any cookies or tracking technologies which form part of the Product functionality for analytics purposes), Yext will act as the Processor (or in the case of an agency or reseller, the agency or reseller will be the Processor and Yext will be the sub-processor).
4. Where Yext is a Processor (or sub-processor), the provisions set out in Clauses 5-15 below shall apply in respect of the Processing of Customer Personal Data.
5. Yext will only Process the Customer Personal Data in accordance with the documented instructions as established in this DPA and the Master Agreement (including the Product Terms) and will not Process any Customer Personal Data for any other purpose unless required to by law in which case, where legally permitted, Yext shall inform you of such legal requirement before Processing. Where you are an agency or a reseller, you will ensure that your agreement with your clients contains the appropriate provisions to permit you to process their Customer Personal Data and to ensure that they have provided the appropriate consent to allow you to subcontract the Processing of Customer Personal Data to Yext and other sub-processors on terms substantially similar to those in this DPA.
6. The subject-matter of the data Processing is the provision of the Products and the Processing will be carried out until the date that Yext ceases to provide the Products to you. Your obligations and rights are as set out in the Master Schedule 1 of this DPA sets out the nature and purpose of the Processing, the types of Personal Data Yext Processes and the categories of Data Subjects whose Personal Data is Processed.
7. Yext will implement appropriate technical and organizational security measures (including ensuring that Yext personnel who are authorized to process the Customer Personal Data have committed themselves to appropriate confidentiality obligations) to ensure a level of security appropriate to the risks that are presented by the Processing of Customer Personal Data including those measures contained in applicable Data Privacy Laws.
8. In case of a Personal Data Breach which may affect Customer Personal Data, Yext will notify the relevant Controller (in accordance with the email address we have on file) (or in the case of a reseller or agency, notify the reseller or agency) without undue delay after becoming aware of such Personal Data breach.
9. Yext will provide such information and assistance as may reasonably be required (and within timescales reasonably specified) to allow the Controller to comply with its obligations under applicable Data Privacy Law, including assistance to: (i) comply with the Controller’s security obligations (ii) discharge obligations to respond to requests for exercising Data Subjects’ rights; and, (iii) to perform any data protection impact assessment and review any Processing operations to ensure that they are performed in accordance with the data protection impact assessment and to consult with the relevant supervisory authority (where applicable). Yext’s assistance pursuant to this provision shall be provided at the Controller’s own cost and expense.
10. Yext shall audit the security of the computers and computing environment that it uses in processing Customer Personal Data. This audit: (a) will be performed at least annually; (b) may be performed by independent third party security professionals at Yext’s selection and expense; (c) will be performed according to the SOC2, Type II standard; and (d) will result in the generation of an audit report (“Report“), which will be Yext’s Confidential Information. At your written request, Yext shall provide you with a confidential copy of the Report so that you can reasonably verify Yext’s compliance with the security obligations under this DPA.
11. If you desire to change this instruction regarding exercising the audit right or the provision of information in order to demonstrate compliance with Article 28 of the GDPR then you have (at your cost and expense) the right to change this instruction, which shall be requested in writing, provided that Yext shall have no obligation to provide Confidential Information.
12. Yext will notify the Controller immediately (or in the case of a reseller or agency, notify the reseller or agency) if, in Yext’s opinion, it considers that an instruction from you under Clause 11 is in breach of any applicable Data Privacy Law and Yext shall be entitled but not obliged to suspend execution of the instructions concerned, until such instructions are confirmed in writing.
13. After termination of the Master Agreement, Yext will, at your request, delete or return all Customer Personal Data, unless otherwise provided by law.
14. You acknowledge and agree that Yext may retain appropriate Affiliates and other suitable third parties as sub-processors (all together “Sub-Processors“) in connection with the processing of Customer Personal Data, having imposed on such Sub-Processors in a written agreement, data protection obligations which are no less protective that those which are imposed on Yext under this Agreement. Yext will be liable to you for performance of such obligations by the Sub-Processors. A list of Sub-Processors is available at https://www.yext.com/terms/subprocessors/ as well as a mechanism that you agree to subscribe to in order to receive notifications of new Sub-Processors. You may object to Yext’s use of a new Sub-Processor by notifying Yext in writing within ten (10) days after receipt of a notification in accordance with the mechanism set out in the preceding sentence. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable Data Privacy Law. If, in Yext’s reasonable opinion, such objections are legitimate, Yext shall refrain from using such Sub-Processor in the context of the Processing of Customer Personal Data. In such cases, Yext shall use reasonable efforts to (i) make available to you a change in Yext’s Products or (ii) recommend a change to your configuration or use of the Products to avoid the processing of Customer Personal Data by the objected-to Sub-Processor. If Yext is unable to make available such change within a reasonable period of time, you may, by providing written notice to Yext, terminate the Products which cannot be provided by Yext without the use of the objected-to Sub-Processor by providing written notice to Yext. Yext will refund you any prepaid fees covering the remainder of the term of such Products following the effective date of termination with respect to such terminated Product.
15. You acknowledge that as part of the Products, the Customer Personal Data will be stored in or accessed from the US or any other Relevant Country in which Yext’s Sub-Processors maintain facilities. In order to ensure that there is adequate protection for such data transfers as required under applicable Data Privacy Law, Yext, Inc. is self-certified under the EU/Swiss-US Privacy Shield Framework to the US Department of Commerce and the scope of the certification includes Customer Personal Data (as well as transfers from the UK post Brexit). Where Yext uses a Sub-Processor (other than Yext Inc) in a Relevant Country, it shall take steps to ensure that there is adequate protection in place for any such transfers as defined in the GDPR (which may include the use of Model Clauses).

 

 

 

 

SCHEDULE 1

DATA PROCESSING INFORMATION

Data subjects

The Personal Data transferred concern the following categories of Data Subjects:

If Customer subscribes to Listings (part of Starter, Professional and Ultimate packages) and/or Events and decides to provide such information in Listings, Customer’s employees.

If Customer decides to use Conversion Tracking, which Customer does so voluntarily, website visitors to the Listing content and/or Events content on applicable Publisher Sites.

If Customer subscribes to Review Monitoring (part of Professional and Ultimate packages), individuals who submitted reviews online on applicable Publisher Sites.

If Customer subscribes to Review Generation (part of Ultimate package), individuals who submit reviews to Customer.

If Customer subscribes to Pages, the visitors of Customer’s webpages which are based on Pages.

If Customer subscribes to Knowledge Tags, the visitors of Customer’s webpages which use Knowledge Tags.

If Customer subscribes to Answers, the visitors of Customer’s webpages which use Answers.

If Customer decides to use Conversion Tracking, which Customer does so voluntarily, website visitors to Pages, Knowledge Tags and/or Answers.

 

Types of Personal Data

The Personal Data transferred concern the following types of Personal Data:

If Customer provides such information as part of Listings or Events, contact details, Yext will process the name, email, bio and title of Customer employees.

When the Customer voluntarily decides to use the tracking technologies, which are part of Conversion Tracking, within the Listings or Events content on Publisher Sites, Yext may also capture technical information about the  visitor’s device including the device’s internet protocol (IP) address, browser type and version, time zone setting, and operating system and platform (“Technical Information“); and (ii) information about the  visit, including the URL clickstream to, through and from our Yext powered Products, Products viewed or searched for, the content (and any ads) that are viewed or interacted with, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page (“Usage Information“).

If Customer has access to Review Monitoring (part of Professional and Ultimate packages), the name or alias of individuals who submitted reviews online on applicable Publisher Sites.

If Customer subscribes to Review Generation, the name and email or mobile phone number of the individual submitting a review to Customer and the content of such review.

If Customer subscribes to Pages, Technical Information and Usage Information of website visitors will be collected using tracking technologies.

If Customer subscribes to Knowledge Tags, Technical Information and Usage Information will be collected using tracking technologies.

If Customer subscribes to Answers, depending on the Product options chosen by the Customer, Technical Information and Usage Information will be collected using tracking technologies as well as the name and email address of webpage visitors if visitors submit these.  Specifically, the Customer can choose whether or not these technologies are used to capture Technical Information and Usage Information, and, whether or not the name and email address of Customer’s webpage visitors are collected.

When the Customer voluntarily decides to use the tracking technologies, which are part of Conversion Tracking, within the Pages, Knowledge Tags or Answers, Technical Information and Usage Information will be collected using these tracking technologies.

 

Special categories of data (if appropriate) 

The Personal Data transferred concern the following special categories of data:

None;

Yext does not intentionally collect or process any special categories of data in the provision of its Products and services. Customer agrees not to provide special categories of data to Yext at any time.

 

Processing operations 

The Personal Data transferred will be subject to the following basic processing activities:

Collecting, disclosing through transmission and dissemination, hosting, maintenance, organizing, storing and support.