Data Processing Agreement (for Clients subject to European Data Protection Laws, including Switzerland and United Kingdom, and/or Data Protection Laws in Australia and South Africa)
This Data Processing Agreement (“DPA”) forms part of the Master Agreement (as defined in the Product Terms) between the client, agency or reseller (the “Client” or “you”) and the Yext company named therein (“Yext”), to reflect the parties’ agreement with regard to the Processing of Personal Data (as defined herein). Capitalized terms used in this DPA and not otherwise defined have the meanings given to such terms in the Master Agreement or the Product Terms located here. To the extent that there is any conflict between this DPA, the Master Agreement, or the Product Terms, the provisions of the following documents (in order of precedence) shall prevail unless expressly agreed to otherwise: (a) this DPA, (b) the Master Agreement, and (c) the Product Terms.
In this DPA, the following terms shall have the following meanings:
“Affiliate” means an entity that (i) controls, (ii) is controlled by, or (iii) is under common control with Yext. An entity will be deemed to control another entity if it has the power to direct or cause direction of the management or policies of such entity, whether through the ownership or voting securities, by contract, or otherwise.
“Data Privacy Law” means Directive 2002/58/EC, GDPR and any legislation and/or regulation implementing or made pursuant to, or which amends, replaces, supplements, re-enacts or consolidates them, the Data Protection Act 2018 of the United Kingdom, the Protection of Personal Information Act 4 of 2013 (“POPIA”) of South Africa and all other applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction.
“GDPR” means in each case to the extent applicable to the Processing activities: (i) Regulation (EU) 2016/679; and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union;
“Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Privacy Law.
“Special Categories of Personal Data” shall have the meaning assigned to the terms “special categories of personal data”, “sensitive data” or “sensitive information” under applicable Data Privacy Law.
“Supervisory Authority” means the competent data protection authority in the territory in which the Client is established.
“Third Country” means all countries other than those (i) within the European Economic Area (EEA) and Switzerland and (ii) countries, territories or specified sectors in respect of which an adequacy finding under applicable Data Privacy Law has been given.
The terms “Controller”, “Data Subjects”, “Processing” (and “Process” shall be construed accordingly), “Personal Data Breach” and “Processor” shall have the meaning given to them by applicable Data Privacy Law.
- You agree that you are a Controller in relation to the Personal Data of your end customers, employees and website visitors (or in the case of an agency or reseller, your clients will be regarded as the Controller of the Personal Data of their end customers and employees and website visitors) which is provided to or generated by Yext (or the agency or reseller) in the course of providing the Products (“Client Personal Data”). You agree that any Client Personal Data provided to Yext in connection with the Products will be Processed by you in accordance with applicable Data Privacy Law. Yext shall have no responsibility for the accuracy, quality, and legality of any Client Personal Data provided to Yext and the means by which such Client Personal Data was acquired before it was provided to Yext.
- You acknowledge that Yext (or in the case of an agency or reseller, the agency or reseller, as applicable) requires certain Personal Data to set up and manage the Client account and relationship. Yext (or the agency or reseller, as applicable) will Process such Personal Data as Controller.
- When Processing Client Personal Data in the context of providing Listings, Reviews or other Products such as Events, Answers, Knowledge Tags and Pages (including in respect of any cookies or tracking technologies which form part of the Product functionality for analytics purposes such as Conversion Tracking), Yext will act as the Processor (or in the case of an agency or reseller, the agency or reseller will be the Processor and Yext will be the sub-processor).
- Where Yext is a Processor (or sub-processor), the provisions set out in Clauses 5-15 below shall apply in respect of the Processing of Client Personal Data. You and Yext agree that, in addition to Clauses 5-15, you and Yext shall comply with any additional country specific provision to the extent that the Data Privacy Law of a country specified in Schedule 3 applies to the Processing of Client Personal Data.
- Yext will only Process the Client Personal Data in accordance with the documented instructions as established in this DPA and the Master Agreement (including the Product Terms) and including with respect to transfers of Client Personal Data to Third Countries and will not Process any Client Personal Data for any other purpose unless required to by law in which case, where legally permitted, Yext shall inform you of such legal requirement before Processing. Where you are an agency or a reseller, you will ensure that your agreement with your clients contains the appropriate provisions to permit you to Process their Client Personal Data and to ensure that they have provided the appropriate consent to allow you to subcontract the Processing of Client Personal Data to Yext and other sub-processors on terms substantially similar to those in this DPA.
- The subject-matter of the data Processing is the provision of the Products and the Processing will be carried out until the date that Yext ceases to provide the Products to you. Your obligations and rights are as set out in the Master Schedule 1 of this DPA sets out the nature and purpose of the Processing, the types of Personal Data Yext Processes and the categories of Data Subjects whose Personal Data is Processed.
- Yext will implement appropriate technical and organizational security measures (including ensuring that Yext personnel who are authorized to Process the Client Personal Data have committed themselves to appropriate confidentiality obligations) to ensure a level of security appropriate to the risks that are presented by the Processing of Client Personal Data including those measures contained in applicable Data Privacy Law. Details of these measures are set out in Schedule 2.
- In case of a Personal Data Breach which may affect Client Personal Data, Yext will notify the relevant Controller (in accordance with the email address we have on file) (or in the case of a reseller or agency, notify the reseller or agency) without undue delay after becoming aware of such Personal Data Breach.
- Yext will provide such information and assistance as may reasonably be required (and within timescales reasonably specified) to allow the Controller to comply with its obligations under applicable Data Privacy Law, including assistance to: (i) comply with the Controller’s security obligations; (ii) discharge obligations to respond to requests for exercising Data Subjects’ rights; and, (iii) to perform any data protection impact assessment and review any Processing operations to ensure that they are performed in accordance with the data protection impact assessment and to consult with the relevant Supervisory Authority (where applicable). Yext’s assistance pursuant to this provision shall be provided at the Controller’s own cost and expense. Controller can request such assistance by emailing email@example.com. Yext shall notify the Controller about any request received directly from Data Subjects.
- Yext shall audit the security of the computers and computing environment that it uses in Processing Client Personal Data. This audit: (a) will be performed at least annually; (b) may be performed by independent third party security professionals at Yext’s selection and expense; (c) will be performed according to the SOC2 standard; and (d) will result in the generation of an audit report (“Report”), which will be Yext’s Confidential Information. At your written request, Yext shall provide you with a confidential copy of the Report so that you can reasonably verify Yext’s compliance with the security obligations under this DPA.
- If you desire to change this instruction regarding exercising the audit right or the provision of information in order to demonstrate compliance with Article 28 of the GDPR then you have (at your cost and expense) the right to change this instruction, which shall be requested in writing, provided that Yext shall have no obligation to provide Confidential Information.
- Yext will notify the Controller immediately (or in the case of a reseller or agency, notify the reseller or agency) if, in Yext’s opinion, it considers that an instruction from you under Clause 11 is in breach of any applicable Data Privacy Law and Yext shall be entitled but not obliged to suspend execution of the instructions concerned, until such instructions are confirmed in writing.
- After termination of the Master Agreement, Yext will, at your written request, delete or return all Client Personal Data, unless otherwise provided by law.
- You acknowledge and agree that Yext may retain appropriate Affiliates and other suitable third parties as sub-processors (all together “Sub-Processors”) in connection with the Processing of Client Personal Data, having imposed on such Sub-Processors in a written agreement, data protection obligations which are no less protective than those which are imposed on Yext under this DPA. Yext will be liable to you for performance of such obligations by the Sub-Processors. A list of Sub-Processors is available at https://www.yext.com/terms/subprocessors/ as well as a mechanism that you agree to subscribe to in order to receive advance notifications of new Sub-Processors. You may object to Yext’s use of a new Sub-Processor by notifying Yext in writing within ten (10) days after receipt of a notification in accordance with the mechanism set out in the preceding sentence. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable Data Privacy Law. If, in Yext’s reasonable opinion, such objections are legitimate, Yext shall refrain from using such Sub-Processor in the context of the Processing of Client Personal Data. In such cases, Yext shall use reasonable efforts to (i) make available to you a change in Yext’s Products or (ii) recommend a change to your configuration or use of the Products to avoid the Processing of Client Personal Data by the objected-to Sub-Processor. If Yext is unable to make available such change within a reasonable period of time, you may, by providing written notice to Yext, terminate the Products which cannot be provided by Yext without the use of the objected-to Sub-Processor. Yext will refund you any prepaid fees covering the remainder of the term of such Products following the effective date of termination with respect to such terminated Product.
- You acknowledge that as part of the Products, the Client Personal Data will be stored in or accessed from the UK, and any Third Country in which Yext’s Sub-Processors maintain facilities. Whereas transfers to the UK are covered by the EU Commission’s adequacy decision of 28 June 2021 in favour of the UK, Yext will ensure adequate protection for any onward transfers to Sub-Processors in any Third Country (for example, Yext, Inc.) in accordance with applicable Data Privacy Law.
DATA PROCESSING INFORMATION
Yext’s Products assist companies in managing their public digital information.
The Client Personal Data transferred concern the following categories of Data Subjects:
If Client uses Listings (part of the Listings Product or of the Starter, Professional and Ultimate packages) and/or Events and decides to provide such information in Listings and/or Events, Client’s employees.
If Client uses Review Monitoring (part of the Reviews Product or of the Professional and Ultimate packages), individuals who submitted reviews online on applicable Publisher Sites.
If Client uses Review Generation (part of the Reviews Product or of the Ultimate package), individuals who submit reviews to Client.
If Client subscribes to Pages, the visitors of Client’s webpages which are based on Pages.
If Client subscribes to Knowledge Tags, the visitors of Client’s webpages which use Knowledge Tags.
If Client subscribes to Answers, the visitors of Client’s webpages who use Answers.
If Client decides to use Conversion Tracking, which Client does so voluntarily, website visitors to the Listing content and/or Events content on applicable Publisher Sites.
If Client decides to use Conversion Tracking, which Client does so voluntarily, website visitors to Pages, Knowledge Tags and/or Answers.
Types of Personal Data
The Client Personal Data transferred concern the following types of Personal Data:
|Types of Personal Data Processed by Yext on behalf of Client|
|Name, contact details, bio and/or title of Client’s employees||Name or alias of person who submitted a review online on applicable Publisher Site and content of such review||Name and email or mobile number of person submitting a review to Client and content of such review||Technical information concerning the website visitor such as IP address*||Usage information about the website visit (the referral URL, the content viewed and the content interacted with)|
|Listings/Events||Yes, but only if provided by Client|
*IP address is not made available to Client’s users.
**Pages and Knowledge Tags can be deployed with a pixel the purpose of which is to provide aggregated analytics to the Client.
***Answers can be deployed with a session cookie the purpose of which is to provide aggregated analytics to the Client. Answers can also be deployed with an optional Q&A functionality so that a visitor can submit his/her name and email to be contacted by the Client.
****Conversion Tracking is optional functionality within Listings or Events content on Publisher Sites or within Pages, Knowledge Tags or Answers which provides aggregated insight into whether visitors to Yext properties go on to visit other websites specified by the Client. It includes a persistent cookie the purpose of which is to provide aggregated analytics to the Client.
Special Categories of Personal Data
The Client Personal Data transferred concern the following Special Categories of Personal Data:
Yext does not intentionally collect or Process any Special Categories of Personal Data in the provision of its Products and services. Client agrees not to provide Special Categories of Personal Data to Yext at any time.
The Client Personal Data transferred will be subject to the following basic Processing activities:
Collecting, disclosing through transmission and dissemination, hosting, maintenance, organizing, storing and support.
TECHNICAL AND ORGANISATIONAL MEASURES
- Access control of Processing areas
  Yext implements suitable measures in order to prevent unauthorized persons from gaining access to the data Processing equipment used to Process the Client Personal Data. This is accomplished notably by:
  - Access control system
  - Card access
  - Issue of keys
  - Door locking
  - Surveillance facilities – CCTV monitor
  - Alarm system
  - Security guard presence, during business hours, and extra hours for certain facilities
- Access control to data Processing systems
  Yext implements suitable measures to prevent its data Processing systems from being used by unauthorized persons. This is accomplished notably by:
  - Password procedures (incl. minimum length, change of password)
  - Access to IT systems subject to approval from HR management and IT system administrators
  - Review of access controls to ensure permissions are altered for movers & leavers
- Access control to use specific areas of data Processing systems
  Yext ensures that the persons entitled to use its data Processing systems are only able to access the Client Personal Data within scope and to the extent covered by their respective access permission (authorization) and that the Client Personal Data cannot be read, copied or modified or removed without authorization. This is accomplished notably by:
  - Differentiated access rights
  - Access rights defined according to duties
  - Automated log of user access for certain IT systems
- Transmission control
  Yext implements suitable measures to prevent the Client Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Client Personal Data by means of data transmission facilities is envisaged. This is accomplished notably by:
  - Use of a wholly-owned private network for all data transfers within Yext
  - Encryption using a VPN for remote access, transport and communication of data
  - Prohibition of unencrypted USBs and CD Rom
- Instructional control
  Yext ensures that Client Personal Data may only be Processed in accordance with the documented instructions as established in this DPA and the Master Agreement (including the Product Terms). This is accomplished by:
  - Unambiguous wording of contractual instructions
- Availability control
  Yext implements suitable measures to ensure that Client Personal Data are protected from accidental destruction or loss. This is accomplished notably by:
  - Backup procedures
  - Uninterruptible power supply (UPS)
  - Remote storage
  - Anti-virus/firewall systems
- Separation of Processing for different purposes
  Yext implements suitable measures to ensure that Client Personal Data that are intended for different purposes can be Processed separately. This is accomplished notably by:
  - Segregation of business IT systems
  - Segregation of IT testing and production environments
Yext will, in respect of any Client Personal Data it Processes, comply with the Australian Privacy Principles (APPs) (except for APP 1) set out in Schedule 1 to the Privacy Act 1988 (Cth) (“Privacy Act”).
If Yext notifies the relevant Controller (or reseller or agency) pursuant to Clause 8, Yext will thereafter provide such assistance and information to the relevant Controller, reseller or agency as may be reasonably required by that Controller, reseller or agency to comply with their obligations under Part IIIC of the Privacy Act.
Where applicable, you will ensure that you have appropriate consents to permit you to request Yext to Process Client Personal Data pursuant to the Spam Act 2003.